Re: Troubles DNATing UDP

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Покотиленко Костик wrote:

<snip>

As the pingers ping (send UDP packets) to 10.10.100.1 I was trying to
redirect them to 192.168.1.2 by:

iptables -t nat -I PREROUTING 1 -p udp --dport 4000 -j DNAT
--to-destination 192.168.1.2:4000
iptables -I FORWARD -p udp --dport 4000 -d 192.168.1.2 -j ACCEPT

(Before morning coffee...)

One quick question / point. Your source and destination ports are both 4000 right? (I presuming yes.) Your PREROUTING rule is looking to DNAT any UDP traffic that has a destination port of 4000 to 192.168.1.2. What happens to the reply traffic from 192.168.1.2 that is destined to port 4000 on 10.0.x.y?

Neither of those rules not catching the packets, they all reach
10.10.100.1 INPUT chain. Those rule counters are zero.

Hum.  Try adding a rule similar to this:

iptables -t nat -I PREROUTING 1 -p udp --dport 4000 -j LOG

To see if you can match the packets at all.

If I do:

iptables -t mangle -I PREROUTING 1 -p udp --dport 4000

this rule catch needed packets, but not in NAT tables! Why?

I would expect that you could match the packets any where they traverse the kernel.

<snip>

Here is tcpdump from 10.10.100.1:

# tcpdump -i br0 port 4000 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
16:36:53.202130 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:54.092413 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:54.143128 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:55.291886 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:55.545621 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:55.743096 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74

Hum...

Once again, all those packets reach INPUT chain, rules in -t nat -I
PREROUTING not working.

You appear to be using a bridge interface, not a real network interface. (Not that this is a problem.)

Do you have the "Bridged IP/ARP packets filtering" option enabled in the kernel? If you do, this option will enable NetFilter Layer 3 filtering at the EBTables Layer 2 level. I.e. you can use IPTables to filter bridged traffic. In this case you will need to write rules to allow your bridged traffic to flow through, as it is dependent on your Table / CHAIN default policies.

So here is the question: Does the UDP is being DNAT'ed differently
comparing with TCP? What is the difference? How can I DNAT them?

I do not think that the problem is with the protocol(s) per say, but rather the filtering that is in place.

Will you please do an iptables-save output so that we can see your entire firewall script to better evaluate what is going on.

Thanks in advance.

No problem.

P.S. This king of UDP ping doesn't require responce, its just to see
which remote point is still alive.

Sorry, I have to ask. How are you going to be able to tell if a point is active if you do not get a reply? Are you looking for some sort of anomaly in reply / error (or lack there of) traffic to determine if a point is active?



Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux