Re: Issue related to conntrack while insert new rule with conntrack command in linux

Hello Pablo,
Just for a better understanding: if I want to update using the -U option, how
can I do that?
Suppose there is this rule in the conntrack table:
udp      17 29 src=192.168.122.242 dst=192.168.122.103 sport=5070 dport=5005 [UNREPLIED] src=192.168.122.103 dst=192.168.122.242 sport=5005 dport=5070 mark=0 use=1

and I want to update it with this command:
conntrack -U -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1:1111 --src-nat 192.168.122.103:2222 --timeout 30
Actually it was not updated and this issue was raised:
conntrack v1.4.2 (conntrack-tools): 0 flow entries have been updated.

With best regards,
Mojtaba

On Sat, Apr 27, 2019 at 12:20 AM Mojtaba <mespio@xxxxxxxxx> wrote:
>
> Yes, it's perfect. I just forgot to enable ip_forwarding right now.
> The problem was because of it.
> I used this command and it works properly:
> conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1:1234 --src-nat 192.168.122.103:2222 --timeout 30
>
> That's great. Thank you so much Pablo.
> With best regards
>
> On Sat, Apr 27, 2019 at 12:07 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >
> > On Fri, Apr 26, 2019 at 11:53:29PM +0430, Mojtaba wrote:
> > > Thanks again, it works correctly now. But how can I set port 1111? I
> > > have just tried this command but it doesn't work and I don't get any
> > > packets on port 1111 on 192.168.122.1:
> > > conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1:1234 --timeout 30
> > >
> > > The packets that I got on 192.168.122.1 are on either port 5070 or port
> > > 5005, like below:
> > > 23:33:38.520746 IP 192.168.122.242.5070 > 192.168.122.103.5005: UDP, length 12
> > > 23:33:38.528807 IP 192.168.122.242.5070 > 192.168.122.103.5005: UDP, length 12
> > >
> > > Actually I would like to get the packet on 192.168.122.1 on port 1111 like
> > > this. If I set the two iptables rules in the nat table, I could see the
> > > packet on 192.168.122.1 like below, too:
> > > 23:33:38.528807 IP 192.168.122.103.2222 > 192.168.122.1.1111: UDP, length 12
> > > 23:33:38.528807 IP 192.168.122.103.2222 > 192.168.122.1.1111: UDP, length 12
> > >
> > > So how can I set --src-nat to 192.168.122.103 and port 2222, too?
> >
> > Does this work?
> >
> > conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1:1234 --timeout 30
>
>
>
> --
> --Mojtaba Esfandiari.S



-- 
--Mojtaba Esfandiari.S
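
The thread turns on how the conntrack table row above encodes NAT: the original tuple is what -s/-d/--sport/--dport select on, and the --dst-nat/--src-nat mappings only show up in the reply tuple. The parser below is an added example (not conntrack-tools code) that reads rows of the shape quoted in the mail and reports which mapping, if any, the reply tuple carries; the second sample row is constructed to show what the same flow looks like once inserted with --dst-nat 192.168.122.1:1111 and --src-nat 192.168.122.103:2222.

```python
import re

# Added illustration, not conntrack-tools code: parse `conntrack -L` rows of
# the shape shown in the thread and report the NAT mapping the reply tuple
# encodes. Only the udp row layout quoted in the mail is assumed.
_KV = re.compile(r"(\w+)=(\S+)")
_FLAG = re.compile(r"\[(\w+)\]")

def parse_conntrack_row(row: str) -> dict:
    """Return proto, protonum, timeout, flags, mark/use and both tuples."""
    fields = row.split()
    entry = {"proto": fields[0], "protonum": int(fields[1]),
             "timeout": int(fields[2]), "flags": _FLAG.findall(row),
             "original": {}, "reply": {}}
    side = None
    for key, val in _KV.findall(row):
        if key == "src":                      # each tuple begins with src=
            side = "original" if side is None else "reply"
        if key in ("src", "dst"):
            entry[side][key] = val
        elif key in ("sport", "dport"):
            entry[side][key] = int(val)
        elif key in ("mark", "use"):
            entry[key] = int(val)
    return entry

def nat_summary(entry: dict) -> dict:
    """Without NAT the reply tuple is the original tuple mirrored. A reply
    src/sport differing from the original dst/dport means DNAT; a reply
    dst/dport differing from the original src/sport means SNAT."""
    o, r = entry["original"], entry["reply"]
    dnat = (r["src"], r["sport"]) != (o["dst"], o["dport"])
    snat = (r["dst"], r["dport"]) != (o["src"], o["sport"])
    return {"dnat": f'{r["src"]}:{r["sport"]}' if dnat else None,
            "snat": f'{r["dst"]}:{r["dport"]}' if snat else None}

# Constructed sample: row 1 is the entry quoted in the mail, re-joined onto
# one line; row 2 is a constructed row for the same flow after an insert with
# --dst-nat 192.168.122.1:1111 --src-nat 192.168.122.103:2222.
SAMPLE_ROWS = [
    "udp      17 29 src=192.168.122.242 dst=192.168.122.103 sport=5070 dport=5005 "
    "[UNREPLIED] src=192.168.122.103 dst=192.168.122.242 sport=5005 dport=5070 mark=0 use=1",
    "udp      17 30 src=192.168.122.242 dst=192.168.122.103 sport=5070 dport=5005 "
    "[UNREPLIED] src=192.168.122.1 dst=192.168.122.103 sport=1111 dport=2222 mark=0 use=1",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(nat_summary(parse_conntrack_row(row)))
```

Both rows share the same original tuple, which is why a -s/-d/--sport/--dport selector alone cannot tell them apart; only the reply side differs.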



