DNAT and UDP?? passes through my rules.

Hi all,
 
I have these rules in place: (VPNDEV = ppp+)
 
        $IPTABLES -A PREROUTING -t nat -i $VPNDEV -s 10.10.1.0/24 -p udp --sport 137 --dport 137 -j DNAT --to 10.10.0.30
        $IPTABLES -A PREROUTING -t nat -i $VPNDEV -s 10.10.1.0/24                               -j LOG --log-prefix "VPNPREPAK "
        $IPTABLES -A INPUT             -i $VPNDEV -s 10.10.1.0/24                               -j LOG --log-prefix "VPNINPPAK "
 
Listing them shows:

      32     2550 j_DNAT       udp  --  ppp+   *       10.10.1.0/24         0.0.0.0/0          udp spt:137 dpt:137 to:10.10.0.30
     257    20375 j_LOG        all  --  ppp+   *       10.10.1.0/24         0.0.0.0/0          LOG flags 0 level 4 prefix `VPNPREPAK '

yet I receive these logs and can't find out why it's passing through the DNAT rule. Doesn't UDP work with DNAT or something?
The DNAT works, but for some reason it seems to still go to the INPUT chain, where it should be going through the FORWARD chain since it's been NATted...
 
May 21 16:27:40 firewall kernel: VPNINPPAK IN=ppp5 OUT= MAC= SRC=10.10.1.137 DST=10.10.1.254 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54277 PROTO=UDP SPT=137 DPT=137 LEN=58
May 21 16:27:40 firewall kernel: VPNINPPAK IN=ppp17 OUT= MAC= SRC=10.10.1.150 DST=10.10.1.254 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=20280 PROTO=UDP SPT=137 DPT=137 LEN=76
May 21 16:27:41 firewall kernel: VPNINPPAK IN=ppp5 OUT= MAC= SRC=10.10.1.137 DST=10.10.1.254 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54279 PROTO=UDP SPT=137 DPT=137 LEN=58

 

Thanks,

 
____________________________________________
George Vieira
Citadel Computer Systems Pty Ltd Systems Manager georgev AT citadelcomputer DOT com DOT au 
Citadel Computer Systems Pty Ltd
Phone : +61 2 9955 2644 HelpDesk: +61 2 9955 2698  <http://www.citadelcomputer.com.au/> http://www.citadelcomputer.com.au
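Added here as a diagnostic aid and not part of the original post (the parser, function names and bucket names are my own; the first three sample log lines are the ones quoted above, the last two are constructed for contrast): a Python script that parses netfilter LOG output, re-applies the match part of the post's DNAT rule (-i ppp+ -s 10.10.1.0/24 -p udp --sport 137 --dport 137) to each logged packet, and separates INPUT-chain packets that still carry their original destination from those that legitimately belong in INPUT. One general netfilter property to keep in mind when reading the result: the nat table is consulted only for the first packet of a tracked flow, so a UDP flow whose conntrack entry was created before the DNAT rule was loaded keeps its original destination until that entry times out.

```python
"""Re-apply an iptables DNAT selector to netfilter LOG lines (added example, not from the post)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample: the three VPNINPPAK lines quoted in the post, plus two lines
# made up for this example (a TCP packet to the firewall and a UDP/137 packet from a
# source outside 10.10.1.0/24) that must NOT be flagged.
SAMPLE_LOG = """\
May 21 16:27:40 firewall kernel: VPNINPPAK IN=ppp5 OUT= MAC= SRC=10.10.1.137 DST=10.10.1.254 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54277 PROTO=UDP SPT=137 DPT=137 LEN=58
May 21 16:27:40 firewall kernel: VPNINPPAK IN=ppp17 OUT= MAC= SRC=10.10.1.150 DST=10.10.1.254 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=20280 PROTO=UDP SPT=137 DPT=137 LEN=76
May 21 16:27:41 firewall kernel: VPNINPPAK IN=ppp5 OUT= MAC= SRC=10.10.1.137 DST=10.10.1.254 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54279 PROTO=UDP SPT=137 DPT=137 LEN=58
May 21 16:27:42 firewall kernel: VPNINPPAK IN=ppp5 OUT= MAC= SRC=10.10.1.137 DST=10.10.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=54281 PROTO=TCP SPT=1043 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
May 21 16:27:42 firewall kernel: VPNINPPAK IN=ppp9 OUT= MAC= SRC=10.10.2.5 DST=10.10.1.254 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=701 PROTO=UDP SPT=137 DPT=137 LEN=58
"""


@dataclass
class Packet:
    prefix: str             # --log-prefix, i.e. which chain logged the packet
    iface_in: str
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    ip_len: int             # first LEN= is the IP total length
    l4_len: Optional[int]   # second LEN= (UDP only) is the UDP length


LOG_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<fields>IN=.*)$")


def parse_log_line(line: str) -> Optional[Packet]:
    """Parse one netfilter LOG line; returns None for lines that are not LOG output."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    lens: List[int] = []
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if not sep:
            continue                # bare TCP flag words such as SYN or ACK
        if key == "LEN":
            lens.append(int(val))   # LEN appears twice: IP header, then UDP header
        else:
            fields[key] = val

    def port(k: str) -> Optional[int]:
        return int(fields[k]) if k in fields else None

    return Packet(
        prefix=m.group("prefix"),
        iface_in=fields.get("IN", ""),
        src=fields["SRC"],
        dst=fields["DST"],
        proto=fields.get("PROTO", ""),
        sport=port("SPT"),
        dport=port("DPT"),
        ip_len=lens[0] if lens else 0,
        l4_len=lens[1] if len(lens) > 1 else None,
    )


def iface_matches(pattern: str, name: str) -> bool:
    """iptables -i semantics: a trailing '+' is a prefix wildcard (ppp+ matches ppp5 and ppp17)."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def matches_dnat_selector(p: Packet, iface: str = "ppp+", src_net: str = "10.10.1.0/24",
                          proto: str = "UDP", sport: int = 137, dport: int = 137) -> bool:
    """The match part of the post's rule: -i ppp+ -s 10.10.1.0/24 -p udp --sport 137 --dport 137."""
    return (iface_matches(iface, p.iface_in)
            and ip_address(p.src) in ip_network(src_net)
            and p.proto == proto and p.sport == sport and p.dport == dport)


def triage(log_text: str, input_prefix: str = "VPNINPPAK",
           dnat_target: str = "10.10.0.30") -> Dict[str, List[Packet]]:
    """Sort INPUT-chain LOG lines into three buckets:
       unnatted - match the DNAT selector but still carry the original DST (the symptom in the post)
       natted   - match the selector and DST is already the DNAT target
       other    - do not match the selector, so INPUT is the expected chain for them
    """
    out: Dict[str, List[Packet]] = {"unnatted": [], "natted": [], "other": []}
    for line in log_text.splitlines():
        p = parse_log_line(line)
        if p is None or p.prefix != input_prefix:
            continue
        if not matches_dnat_selector(p):
            out["other"].append(p)
        elif p.dst == dnat_target:
            out["natted"].append(p)
        else:
            out["unnatted"].append(p)
    return out


if __name__ == "__main__":
    for bucket, pkts in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(pkts)}")
        for p in pkts:
            print(f"  {p.iface_in} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
                  f"{p.proto} iplen={p.ip_len} l4len={p.l4_len}")
```

On the lines quoted in the post the script reports three packets in the unnatted bucket (UDP 137/137 from 10.10.1.0/24, arriving on ppp5 and ppp17 with DST=10.10.1.254 rather than 10.10.0.30) and none in natted; the two constructed lines land in other. The two LEN= fields are kept apart on purpose: the first is the IP total length and the second the UDP length, which is why they differ by 20 in every UDP line above.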