В Вто, 31/07/2007 в 20:04 -0300, thiago@xxxxxxxxxxxxx пишет: > Hello all, > > I got a problem when redirecting a UDP port. The rules are: > > # TCP port redirect - working fine: > > iptables -t nat -A PREROUTING -i <ext_if> -p tcp -d <ext_ip> --dport 22 -j > DNAT -m state --state NEW --to <int_ip>:1194 > iptables -A FORWARD -i <ext_if> -p tcp -d <int_ip> --dport 1194 -m state > --state NEW -j ACCEPT "-m state --state NEW" - what is this for? Nat table only sees packets initiating connection, isn't it? > # UDP port redirect - not going through > > iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j > DNAT -m state --state NEW --to <int_ip>:1194 > iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state > --state NEW -j ACCEPT You accepting NEW packets in filter table, consider make sure rest would pass through. > I hit the nat/prerouting rule, but never reach the filter/forward one. > As you can see the only change I've made from the tcp rule to udp rule, is > just the matching protocol. > I can debug it a little more, but also would like to hear from you guys if > you have any hints. Also, I've experiensed situation for UDP when nat rules doesn't match because there was such connection before the rule inserted and conntrack already saw it and has it counted. UDP connection tracking (since it's a connectionless protocol) goes by src/dst ports. Packets can belong to different "connections". The solution for me was to stop UDP connection for several minutes to make conntrack forget it and then try again. > iptables v1.3.8 > 2.6.16.36-default > > Thanks ! > > Thiago. > > > -- Покотиленко Костик <casper@xxxxxxxxxxxx>