Thanks again, it works correctly now.
But how can I set port 1111? I have just tried a command like this, but it doesn't work and I don't get any packets on port 1111 on 192.168.122.1:

conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1:1234 --timeout 30

The packets that I got on 192.168.122.1 are either port 5070 or port 5005, like below:

23:33:38.520746 IP 192.168.122.242.5070 > 192.168.122.103.5005: UDP, length 12
23:33:38.528807 IP 192.168.122.242.5070 > 192.168.122.103.5005: UDP, length 12

Actually I would like to get packets on 192.168.122.1 on port 1111 like this.
If I set the two iptables rules in the nat table, I could see the packets on 192.168.122.1 like below, too:

23:33:38.528807 IP 192.168.122.103.2222 > 192.168.122.1.1111: UDP, length 12
23:33:38.528807 IP 192.168.122.103.2222 > 192.168.122.1.1111: UDP, length 12

So how can I set --src-nat to 192.168.122.103 and port 2222, too?

With Best Regards.
Mojtaba

On Fri, Apr 26, 2019 at 3:15 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> On Thu, Apr 25, 2019 at 07:38:20PM +0430, Mojtaba wrote:
> > Hello all
> > I read the man conntrack document guide. That is great.
> > I have an issue while I am working on it. For example, I just want to insert
> > a new rule in the conntrack table like this:
> >
> > conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 -r 192.168.122.1 -q 192.168.122.103 --reply-port-src 1111 --reply-port-dst 2222 --timeout 30
> >
> > It is successfully inserted but doesn't work, and traffic will go to the INPUT chain.
> > If I insert these two rules in iptables, the same rules as above will be inserted
> > in the conntrack table automatically and it works correctly (the traffic will
> > be traversed to the 192.168.122.1 host).
> >
> > iptables -t nat -A PREROUTING -i eth0 -p udp -s 192.168.122.242 --dport 5005 -j DNAT --to 192.168.122.1:1111
> >
> > iptables -t nat -A POSTROUTING -p udp --dport 1111 -j SNAT --to 192.168.122.103:2222
>
> Have a look at the --dst-nat option, e.g.
>
> conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1 --timeout 30

--
--Mojtaba Esfandiari.S