I'm having problems getting various UDP based non-connection-oriented things running over my linux/iptables based firewall router using NAT. What happens is this: The application on my machine (call it A) opens a UDP port (A) and sends packets to some remote address (call it X:X). The firewall (FW) sees these packets and the SNAT rule rewrites the source address to be FW:A. So when X gets the packets, they seem to come from FW:A. Now if X replies directly, sending packets to FW:A from X:X, all is well; the firewall sees those packets and forwards them to A:A (my machine) and all is well. If instead X forwards the packets (or just the source address FW:A) to another machine Y, and Y sends replies back to FW:A from Y:Y, the firewall doesn't forward the packets properly to A:A. Instead it drops the packets and sends ICMP port unreachable packets back to Y. Is there a way to configure the firewall/iptables to not do that and instead forward these packets to A:A?

Chris Dodd
cdodd@xxxxxxx
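The behaviour described above, as an added example that is not from the original post: a small Python model of a NAT mapping table (constructed, not Linux conntrack code) showing why per-flow matching finds no flow for a packet from Y:Y to FW:A, while an endpoint-independent ("full-cone") mapping would deliver it to A:A. All addresses and ports are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int


@dataclass
class Nat:
    """Toy NAT (constructed model, not Linux conntrack). Outbound flows are
    remembered as (inside endpoint, remote endpoint) -> public port."""
    public_ip: str
    endpoint_independent: bool  # True: full-cone style; False: per-flow matching
    flows: dict = field(default_factory=dict)

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """SNAT an outbound packet. Like the post's FW:A, the public port
        keeps the inside port number."""
        self.flows[(inside, remote)] = inside.port
        return Endpoint(self.public_ip, inside.port)

    def inbound(self, src: Endpoint, dst: Endpoint):
        """Return the inside endpoint that receives the packet, or None when
        no flow matches. None is the case where the packet is treated as a
        new flow to the firewall itself and answered with port unreachable."""
        if dst.host != self.public_ip:
            return None
        for (inside, remote), pub_port in self.flows.items():
            if pub_port != dst.port:
                continue
            # Per-flow matching requires the reply to come from the peer the
            # flow was opened to; endpoint-independent matching accepts any peer.
            if self.endpoint_independent or remote == src:
                return inside
        return None


def simulate(endpoint_independent: bool) -> dict:
    """Replay the scenario from the post with constructed addresses."""
    a = Endpoint("10.0.0.2", 5000)        # inside host A, port A
    x = Endpoint("198.51.100.10", 7000)   # remote X:X
    y = Endpoint("203.0.113.5", 9000)     # third party Y:Y
    nat = Nat("192.0.2.1", endpoint_independent)
    public = nat.outbound(a, x)           # X sees packets from FW:A
    return {"from_X": nat.inbound(x, public), "from_Y": nat.inbound(y, public)}
```

With per-flow matching `simulate(False)["from_Y"]` is `None`, which is the dropped-plus-ICMP case in the post; the same call with endpoint-independent matching returns A:A.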