Greetings - I set up iptables to NAT certain UDP traffic from 85.141.210.22:9000 to another IP (in the example below it is 212.113.111.225:21650). This is what I am doing:

1. I set up the NAT table using the iptables-restore program as follows:

[root@ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# /sbin/iptables-save -c -t nat
# Generated by iptables-save v1.3.5 on Mon Aug 7 06:57:27 2006
*nat
:PREROUTING ACCEPT [1502:275921]
:POSTROUTING ACCEPT [406:45653]
:OUTPUT ACCEPT [406:45653]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[12:1247] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[7:511] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[0:0] -A pbxpilot_postrouting -d 212.113.111.225 -p udp -m udp --dport 21650 -j SNAT --to-source 204.147.182.200:18056
[0:0] -A pbxpilot_postrouting -d 85.141.210.22 -p udp -m udp --dport 9000 -j SNAT --to-source 204.147.182.200:18298
[0:0] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j DNAT --to-destination 85.141.210.22:9000
COMMIT

Please check out the byte and packet counters in [] - they are all zeroes.

2. The UDP traffic from 85.141.210.22:9000 keeps coming in:

# cat /proc/net/ip_conntrack | grep src=85.141.210.22 | grep ^udp
udp 17 179 src=204.147.182.200 dst=85.141.210.22 sport=18298 dport=9000 packets=22736 bytes=1659728 src=85.141.210.22 dst=204.147.182.200 sport=9000 dport=18298 packets=22826 bytes=1666298 [ASSURED] mark=0 use=1
# cat /proc/net/ip_conntrack | grep src=85.141.210.22 | grep ^udp
udp 17 179 src=204.147.182.200 dst=85.141.210.22 sport=18298 dport=9000 packets=22821 bytes=1665933 src=85.141.210.22 dst=204.147.182.200 sport=9000 dport=18298 packets=22911 bytes=1672503 [ASSURED] mark=0 use=1

3. However, the counts of NATed packets are unchanged:

[root@ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# /sbin/iptables-save -c -t nat
# Generated by iptables-save v1.3.5 on Mon Aug 7 06:57:48 2006
*nat
:PREROUTING ACCEPT [1502:275921]
:POSTROUTING ACCEPT [406:45653]
:OUTPUT ACCEPT [406:45653]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[12:1247] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[7:511] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[0:0] -A pbxpilot_postrouting -d 212.113.111.225 -p udp -m udp --dport 21650 -j SNAT --to-source 204.147.182.200:18056
[0:0] -A pbxpilot_postrouting -d 85.141.210.22 -p udp -m udp --dport 9000 -j SNAT --to-source 204.147.182.200:18298
[0:0] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j DNAT --to-destination 85.141.210.22:9000
COMMIT

4. I know that the NAT table is consulted only when it sees the first packet opening up a connection in the conntrack cache, so I used http://www.netfilter.org/projects/libnetfilter_conntrack/index.html to write a little utility wiping out connections from conntrack. Here I ran it:

[root@ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# ./delete_conntrack udp 85.141.210.22 9000 204.147.182.200 18298
TEST 6: delete conntrack (0)

The utility succeeds.

5. Looking into the NAT counters again:

[root@ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# /sbin/iptables-save -c -t nat
# Generated by iptables-save v1.3.5 on Mon Aug 7 06:58:19 2006
*nat
:PREROUTING ACCEPT [1523:278443]
:POSTROUTING ACCEPT [409:45846]
:OUTPUT ACCEPT [409:45846]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[13:1320] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[8:584] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[1:73] -A pbxpilot_postrouting -d 212.113.111.225 -p udp -m udp --dport 21650 -j SNAT --to-source 204.147.182.200:18056
[0:0] -A pbxpilot_postrouting -d 85.141.210.22 -p udp -m udp --dport 9000 -j SNAT --to-source 204.147.182.200:18298
[1:73] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j DNAT --to-destination 85.141.210.22:9000
COMMIT
# Completed on Mon Aug 7 06:58:19 2006

Excellent, iptables NATed 1 packet of 73 bytes!

6. The traffic from 85.141.210.22:9000 keeps coming in, but the counters in the NAT table do not change:

[root@ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# /sbin/iptables-save -c -t nat
# Generated by iptables-save v1.3.5 on Mon Aug 7 06:58:22 2006
*nat
:PREROUTING ACCEPT [1528:279437]
:POSTROUTING ACCEPT [412:46074]
:OUTPUT ACCEPT [412:46074]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[13:1320] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[8:584] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[1:73] -A pbxpilot_postrouting -d 212.113.111.225 -p udp -m udp --dport 21650 -j SNAT --to-source 204.147.182.200:18056
[0:0] -A pbxpilot_postrouting -d 85.141.210.22 -p udp -m udp --dport 9000 -j SNAT --to-source 204.147.182.200:18298
[1:73] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j DNAT --to-destination 85.141.210.22:9000
COMMIT

Now if I delete the conntrack entry again, the NAT table packet counter will increment again, but I need to set up iptables so that *all* packets from 85.141.210.22:9000 are NATed, not only the first one opening the conntrack entry. Is there a way to do this with iptables? If not, then what is the purpose of the NAT table? What is the right way to use it?

Thanks in advance
Constantine
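As an added example (not part of the post or of netfilter's tooling), here is a small Python parser for the /proc/net/ip_conntrack lines quoted above. It reads each entry's two tuples and reports whether a NAT mapping is in effect by comparing the reply tuple with the inverted original tuple, which is the check to make instead of watching the nat-table counters, since those only count the first packet of each flow. The first sample line is copied from the post; the second is constructed to show what the entry for a flow that has hit the post's DNAT and SNAT rules would look like (its timeout and counters are made up).

```python
import re
from collections import namedtuple

# Constructed sample: line 1 is an entry quoted in the post (no NAT, so the reply tuple is the
# plain inverse of the original); line 2 is hypothetical, showing a flow after the post's
# DNAT (to 212.113.111.225:21650) and SNAT (from 204.147.182.200:18056) rules have matched.
SAMPLE = """\
udp      17 179 src=204.147.182.200 dst=85.141.210.22 sport=18298 dport=9000 packets=22736 bytes=1659728 src=85.141.210.22 dst=204.147.182.200 sport=9000 dport=18298 packets=22826 bytes=1666298 [ASSURED] mark=0 use=1
udp      17 29 src=85.141.210.22 dst=204.147.182.200 sport=9000 dport=18298 packets=1 bytes=73 [UNREPLIED] src=212.113.111.225 dst=204.147.182.200 sport=21650 dport=18056 packets=0 bytes=0 mark=0 use=1
"""

# orig is the packet as it arrived (pre-NAT); reply is what a reply to it looks like on the wire,
# i.e. the inverted post-NAT tuple. Without NAT, reply is simply the inverse of orig.
Tuple4 = namedtuple("Tuple4", "src dst sport dport")
Entry = namedtuple("Entry", "proto timeout orig reply orig_packets flags")
KV = re.compile(r"(\w+)=(\S+)")

def tuple_of(d):
    return Tuple4(d["src"], d["dst"], int(d["sport"]), int(d["dport"]))

def parse_entry(line):
    fields = line.split()                      # "udp 17 179 ..." -> proto name, number, timeout
    flags = frozenset(f.strip("[]") for f in fields if f.startswith("["))
    # Each direction starts with its own src=; later key=value pairs belong to the last one seen.
    dirs = []
    for key, val in KV.findall(line):
        if key == "src":
            dirs.append({})
        dirs[-1][key] = val
    return Entry(fields[0], int(fields[2]), tuple_of(dirs[0]), tuple_of(dirs[1]),
                 int(dirs[0]["packets"]), flags)

def parse_conntrack(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

def nat_kind(e):
    """'DNAT', 'SNAT', 'DNAT+SNAT', or None when reply is the plain inverse of orig (no NAT)."""
    kinds = []
    if (e.reply.src, e.reply.sport) != (e.orig.dst, e.orig.dport):
        kinds.append("DNAT")
    if (e.reply.dst, e.reply.dport) != (e.orig.src, e.orig.sport):
        kinds.append("SNAT")
    return "+".join(kinds) or None

def flows_from(entries, src, sport):
    """Structured form of the post's grep: entries whose original direction is from src:sport."""
    return [e for e in entries if (e.orig.src, e.orig.sport) == (src, sport)]

if __name__ == "__main__":
    for e in parse_conntrack(SAMPLE):
        print(f"{e.proto} {e.orig.src}:{e.orig.sport} -> {e.orig.dst}:{e.orig.dport} "
              f"NAT={nat_kind(e)} packets={e.orig_packets} flags={sorted(e.flags)}")
```

On a live box, replace SAMPLE with the contents of /proc/net/ip_conntrack (or `conntrack -L` output in the same key=value form) and the report shows directly which flows are being translated.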