> > I've a system that at its core has a UDP proxy that's the performance
> > bottleneck. I wanted to use the DNAT kernel facilities to replace my
> > code with the very tuned one on netfilter.
> >
> > I'm adding a rule that says something like this:
> >
> > /sbin/iptables -t nat -A PREROUTING -d myip -p udp -m udp --dport 5000 -j DNAT --to-destination otherip:18918
> >
> > but the rule never sees the packets (they never get to the chain).
> >
> > I assume that it's because I've a socket listening on udp:5000, and what's
> > happening seems reasonable... I'd like to add a PREPREROUTING chain
> > that is processed before deciding if the packet is for a local socket; can
> > somebody give me a hint on where to look for it?
>
> PREROUTING works exactly as the name suggests - it is applied to packets
> before the routing decision is made about whether they are local, or being
> routed through the box. Therefore you *can* use the PREROUTING chain to
> divert packets which would otherwise be accepted locally, so that they go to
> another machine, or else divert packets which would have gone somewhere else,
> so that they are accepted locally.
>
> You say the rule never sees the packets... how do you know this? Are you
> looking at the packet / byte counters, and they stay at zero all the time?

Yes, and I've added a rule like this:

/sbin/iptables -t nat -A PREROUTING -j LOG

and don't see the packets.

> You also say you have a local process listening on port 5000 - is that getting
> any packets and responding to them, even with the above rule in place?

Yes, it continues getting the packets.

Regards,
HoraPe

---
Horacio J. Peña
horape@xxxxxxxxxxxxxxxxx
horape@xxxxxxxxxx
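Added example, not part of the thread above: a small POSIX shell checker for the counter question the reply raises. It assumes the chain listing comes from `iptables -t nat -vnxL PREROUTING` (the `-x` flag prints exact counters rather than `1234K`) and embeds three constructed listings, with placeholder addresses 192.0.2.10 and 198.51.100.7 and made-up counters, so it runs without root. The caveat it encodes: the nat table is consulted only for the first packet of a conntrack flow, so a UDP flow that was already active when the DNAT rule was added keeps its existing conntrack entry, and its old destination, until that entry expires or is deleted with `conntrack -D`; when a plain LOG rule in the same chain also stays at zero, that is the first thing to check.

```shell
#!/bin/sh
# Constructed samples in the format of `iptables -t nat -vnxL PREROUTING`.
# The real command needs root; these strings stand in so the checker runs offline.
# 192.0.2.10 / 198.51.100.7 are placeholder documentation addresses.
SAMPLE_NOT_TRAVERSED='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       udp  --  *      *       0.0.0.0/0            192.0.2.10           udp dpt:5000 to:198.51.100.7:18918
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4'

SAMPLE_NOT_MATCHING='Chain PREROUTING (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       udp  --  *      *       0.0.0.0/0            192.0.2.10           udp dpt:5000 to:198.51.100.7:18918
      12        960 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4'

SAMPLE_MATCHING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       7        560 DNAT       udp  --  *      *       0.0.0.0/0            192.0.2.10           udp dpt:5000 to:198.51.100.7:18918
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4'

# pkts counter of the first rule whose target column is $2 (0 if no such rule).
rule_pkts() {
    n=$(printf '%s\n' "$1" | awk -v tgt="$2" '$3 == tgt { print $1; exit }')
    echo "${n:-0}"
}

# Packets that fell through to the chain policy, taken from the header line.
policy_pkts() {
    n=$(printf '%s\n' "$1" | sed -n 's/^Chain [A-Za-z0-9_]* (policy [A-Z]* \([0-9]*\) packets.*/\1/p')
    echo "${n:-0}"
}

# Classify a listing. nat chains only see the first packet of a conntrack flow:
#   not-traversed : nothing reaches the chain, so an existing conntrack entry
#                   (flow started before the rule) or a different ingress path is likely;
#   not-matching  : the chain runs (LOG/policy counters move) but the DNAT match is wrong;
#   matching      : the DNAT rule is being hit.
diagnose() {
    dnat=$(rule_pkts "$1" DNAT)
    seen=$(( $(policy_pkts "$1") + $(rule_pkts "$1" LOG) ))
    if [ "$dnat" -gt 0 ]; then
        echo matching
    elif [ "$seen" -gt 0 ]; then
        echo not-matching
    else
        echo not-traversed
    fi
}

for s in "$SAMPLE_NOT_TRAVERSED" "$SAMPLE_NOT_MATCHING" "$SAMPLE_MATCHING"; do
    diagnose "$s"
done
```

On a live box, replace the constructed strings with `$(iptables -t nat -vnxL PREROUTING)` and run `diagnose` twice a few seconds apart while traffic is flowing; a result of `not-traversed` on both runs, with the local listener still receiving packets, points at the conntrack entry rather than at the rule syntax.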