Hi Kornel,

On Tue, 2005-07-19 at 19:23, Keserű Kornél wrote:
> I'm quite new to netfilter/iptables, I have been using it for some weeks.
> I would like to ask if it may lead to non-deterministic behaviour of iptables
> when a UDP socket is opened on an IP:port while in parallel iptables
> rules (NAT) are set up that forward all incoming packets received on
> that IP:port to a different destination. So I just want to use the socket
> for sending out packets on it, while incoming packets should be
> forwarded to another destination. But sometimes the packets are
> received on the socket, sometimes they are forwarded. So iptables
> doesn't always have the expected effect.

This probably derives from the internals of Netfilter connection tracking and NAT.

In Netfilter, the NAT subsystem is completely based on the conntrack subsystem. That is, when a packet belonging to a currently unknown connection is detected, the conntrack system creates a new connection. Later the NAT subsystem determines the mapping to be applied to that connection by looking up the appropriate iptables table/chain. The final mapping is then stored in the conntrack entry.

Now imagine the following scenario: you open your 'sending only' socket (IP_A:PORT_A), and send a UDP packet to IP_B:PORT_B. Obviously, no mapping will be done by the NAT subsystem, as you redirect incoming packets only.

Now let's see what happens when a packet from IP_B:PORT_B comes back to IP_A:PORT_A. Since that source-destination pair matches the conntrack entry of the connection you've just created by sending the first packet, the conntrack system thinks it simply belongs to that connection. As there are no NAT mappings associated with that connection, no address translation will happen.

So IMHO this method is flawed, you won't be able to get consistent and reliable operation this way...

-- 
Regards,
Krisztian Kovacs
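The mechanism described in the reply above, replayed as a small model. This is an added illustration, not part of the original thread and not kernel code: the conntrack table, the single DNAT rule, the `flush()` call standing in for UDP entry expiry, and all addresses (RFC 5737 documentation ranges) are constructed for the example. It shows why the "sending only" socket is reached by replies while unsolicited packets to the same IP:port are redirected, and why the outcome flips once the conntrack entry has timed out.

```python
# Toy model of Netfilter NAT sitting on top of connection tracking.
# Constructed example; simplified: only destination NAT, no timeouts
# beyond an explicit flush(), no helper modules, no SNAT of replies.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Tuple5 = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)
Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"

    def key(self) -> Tuple5:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reply_key(self) -> Tuple5:
        # Tuple a response to this packet would carry.
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Conn:
    orig: Tuple5               # tuple of the packet that created the entry
    dnat: Optional[Endpoint]   # mapping decided once at creation; None if no rule matched


class Conntrack:
    """NAT decision is made once per connection and stored in the conntrack entry."""

    def __init__(self, dnat_rules: Dict[Endpoint, Endpoint]):
        # Models a PREROUTING DNAT rule: (dst_ip, dst_port) -> new destination.
        self.rules = dnat_rules
        self.table: Dict[Tuple5, Conn] = {}

    def flush(self) -> None:
        """Stand-in for entry expiry (UDP entries time out after a period of silence)."""
        self.table.clear()

    def handle(self, pkt: Packet) -> Tuple[bool, Endpoint]:
        """Return (destination was rewritten, effective destination) for one packet."""
        conn = self.table.get(pkt.key())
        if conn is None:
            # Unknown connection: conntrack creates the entry and the NAT rules are
            # consulted exactly once; the result is stored in the entry.
            mapping = self.rules.get((pkt.dst_ip, pkt.dst_port))
            conn = Conn(orig=pkt.key(), dnat=mapping)
            self.table[pkt.key()] = conn
            # Register the reply tuple so a response lands on the same entry.
            if mapping is None:
                self.table[pkt.reply_key()] = conn
            else:
                self.table[(pkt.proto, mapping[0], mapping[1], pkt.src_ip, pkt.src_port)] = conn
        # The stored mapping is applied only to packets in the original direction;
        # a reply to an un-NATed connection is never looked up in the rules again.
        if conn.dnat is not None and pkt.key() == conn.orig:
            return True, conn.dnat
        return False, (pkt.dst_ip, pkt.dst_port)


def scenario() -> List[Tuple[bool, Endpoint]]:
    """Replay the situation from the thread with constructed addresses."""
    ip_a, port_a = "192.0.2.10", 5000            # local socket IP_A:PORT_A
    ip_b, port_b = "203.0.113.9", 7000           # peer IP_B:PORT_B
    redirect_to = ("198.51.100.20", 6000)        # where incoming IP_A:PORT_A should go
    ct = Conntrack({(ip_a, port_a): redirect_to})
    out = []
    # 1. Unsolicited packet from a third host: new entry, rule consulted, DNAT applied.
    out.append(ct.handle(Packet("203.0.113.7", 4444, ip_a, port_a)))
    # 2. The local socket sends: new entry, the rule keyed on IP_A does not match, no mapping.
    out.append(ct.handle(Packet(ip_a, port_a, ip_b, port_b)))
    # 3. The peer answers: matches the entry from step 2 as a reply, so the socket gets it.
    out.append(ct.handle(Packet(ip_b, port_b, ip_a, port_a)))
    # 4. After the entry has expired the same packet is "new" again and gets forwarded.
    ct.flush()
    out.append(ct.handle(Packet(ip_b, port_b, ip_a, port_a)))
    return out


if __name__ == "__main__":
    for step, (rewritten, dest) in enumerate(scenario(), 1):
        print(f"step {step}: {'forwarded to' if rewritten else 'delivered to'} {dest[0]}:{dest[1]}")
```

Steps 3 and 4 differ only in whether the entry created by the outbound packet is still alive, which is exactly the "sometimes received, sometimes forwarded" behaviour from the question. On a real host the equivalent check is to compare the conntrack table (e.g. with the conntrack tool) against the observed delivery while the socket is sending.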