Hi Krisztian, thank you for your answer! In the meantime I played with connection tracking and found out that my iptables rules usually work in parallel with the UDP traffic on the local socket if I set ip_conntrack_udp_timeout to 0. But to me it seems that it doesn't really disable UDP connection tracking, does it? I think it only sets the timeout to a very low value, but the connection is still tracked, so it may happen that sometimes iptables will fail in my scenario. My problem is that I cannot avoid using a UDP socket and an iptables rule installed on the same IP:port. Is there a better way to "disable" UDP connection tracking and thus realize stateless behaviour of UDP in my scenario?

Bye,
Kornel Keseru

Hi Kornel,

On 2005-07-19 (Tuesday) at 19:23, Keserű Kornél wrote:
> I'm quite new to netfilter/iptables, I have been using it for some weeks.
> I would like to ask if it may lead to nondeterministic behaviour of iptables
> when a UDP socket is opened on an IP:port while in parallel iptables
> rules (NAT) are set up that forward all incoming packets received on
> that IP:port to a different destination. So I just want to use the socket
> for sending out packets on it, while incoming packets should be
> forwarded to another destination. But sometimes the packets are
> received on the socket, sometimes they are forwarded. So iptables
> doesn't always have the expected effect.

This probably derives from the internals of Netfilter connection tracking and NAT. In Netfilter, the NAT subsystem is completely based on the conntrack subsystem. That is, when a packet belonging to a currently unknown connection is detected, the conntrack system creates a new connection. Later the NAT subsystem determines the mapping to be applied to that connection by looking up the appropriate iptables table/chain. The final mapping is then stored in the conntrack entry.
Now imagine the following scenario: you open your 'sending only' socket (IP_A:PORT_A) and send a UDP packet to IP_B:PORT_B. Obviously, no mapping will be done by the NAT subsystem, as you redirect incoming packets only. Now let's see what happens when a packet from IP_B:PORT_B comes back to IP_A:PORT_A. Since that source-destination pair matches the conntrack entry of the connection you've just created by sending the first packet, the conntrack system thinks it simply belongs to that connection. As there are no NAT mappings associated with that connection, no address translation will happen. So IMHO this method is flawed; you won't be able to get consistent and reliable operation this way...

-- 
Regards,
Krisztian Kovacs
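As an added illustration of the mechanism Krisztian describes (this is example code written for this page, not code from the thread or from Netfilter), here is a small Python model of conntrack entries and the once-per-connection NAT decision. It reproduces the three outcomes discussed in the thread: a reply that matches the entry created by the local socket bypasses the DNAT rule, a short timeout makes the result depend on when the reply arrives, and fully untracked UDP evaluates the rule for every packet. The `Firewall`/`Packet`/`DnatRule` names, the `track` and `udp_timeout` knobs, and all addresses are constructed for the example; the `track=False` mode stands in for "tracking disabled", which the thread asks about but does not show how to achieve.

```python
"""Toy model of Netfilter conntrack + NAT interaction (added example, not Netfilter code).

Key property being modelled: the NAT mapping is chosen once, when a conntrack
entry is created, and stored in that entry. Later packets that match the entry
(in either direction) reuse the stored mapping instead of consulting the rules.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr


@dataclass(frozen=True)
class DnatRule:
    """Models: iptables -t nat -A PREROUTING -p udp -d <match ip> --dport <match port> -j DNAT --to <to>"""
    match: Addr
    to: Addr


@dataclass
class Entry:
    original: Tuple[Addr, Addr]  # (src, dst) of the packet that created the entry
    reply: Tuple[Addr, Addr]     # (src, dst) expected for packets flowing back
    mapping: Optional[Addr]      # DNAT target decided at creation time, or None
    expires: float


class Firewall:
    def __init__(self, rules: List[DnatRule], track: bool = True, udp_timeout: float = 30.0):
        self.rules = rules
        self.track = track            # False models "UDP connection tracking disabled"
        self.udp_timeout = udp_timeout  # models ip_conntrack_udp_timeout
        self.entries: List[Entry] = []

    def _find(self, p: Packet, now: float) -> Optional[Entry]:
        # Expire stale entries first, then look for one matching either direction.
        self.entries = [e for e in self.entries if e.expires > now]
        for e in self.entries:
            if (p.src, p.dst) in (e.original, e.reply):
                return e
        return None

    def _nat_lookup(self, p: Packet) -> Optional[Addr]:
        # The PREROUTING DNAT chain is consulted only for NEW connections.
        for r in self.rules:
            if p.dst == r.match:
                return r.to
        return None

    def local_send(self, p: Packet, now: float) -> str:
        """Packet emitted by the local 'sending only' socket (OUTPUT path, so PREROUTING rules don't apply)."""
        if not self.track:
            return "UNTRACKED"
        if self._find(p, now) is None:
            # Entry created with no NAT mapping, exactly the case the thread describes.
            self.entries.append(Entry((p.src, p.dst), (p.dst, p.src), None, now + self.udp_timeout))
            return "NEW"
        return "ESTABLISHED"

    def receive(self, p: Packet, now: float) -> Tuple[str, Addr]:
        """Packet arriving from the network (PREROUTING path). Returns (state, final destination)."""
        if not self.track:
            # Stateless: the DNAT rule is evaluated for every packet, nothing is remembered.
            return "UNTRACKED", self._nat_lookup(p) or p.dst
        e = self._find(p, now)
        if e is None:
            mapping = self._nat_lookup(p)
            reply_src = mapping or p.dst
            self.entries.append(Entry((p.src, p.dst), (reply_src, p.src), mapping, now + self.udp_timeout))
            return "NEW", mapping or p.dst
        e.expires = now + self.udp_timeout
        if (p.src, p.dst) == e.original:
            return "ESTABLISHED", e.mapping or p.dst
        # Reply direction of an entry that carries no mapping: delivered unchanged, i.e. to the socket.
        return "ESTABLISHED", p.dst


# Constructed addresses (documentation ranges), standing in for IP_A:PORT_A, IP_B:PORT_B and the DNAT target.
SOCKET = ("192.0.2.1", 5000)
PEER = ("198.51.100.7", 6000)
TARGET = ("203.0.113.9", 7000)
RULE = DnatRule(match=SOCKET, to=TARGET)


def scenario(track: bool = True, udp_timeout: float = 30.0, reply_delay: float = 1.0) -> Tuple[str, Addr]:
    """Socket sends to PEER at t=0; PEER answers after reply_delay. Where does the answer end up?"""
    fw = Firewall([RULE], track=track, udp_timeout=udp_timeout)
    fw.local_send(Packet(SOCKET, PEER), now=0.0)
    return fw.receive(Packet(PEER, SOCKET), now=reply_delay)


if __name__ == "__main__":
    print("tracked, default timeout :", scenario())
    print("tracked, timeout 2s, reply at 1s:", scenario(udp_timeout=2.0, reply_delay=1.0))
    print("tracked, timeout 2s, reply at 3s:", scenario(udp_timeout=2.0, reply_delay=3.0))
    print("untracked                :", scenario(track=False))
```

With tracking on, the reply is classified ESTABLISHED against the entry the socket created and lands on the socket; with a short timeout the same reply is DNATed or not depending purely on arrival time, which is the timing dependence Kornel observed; with tracking off every incoming packet is matched against the rule afresh. The model only covers this one flow and ignores conntrack details such as tuple clashes and helpers.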