Покотиленко Костик <casper@xxxxxxxxxxxx> wrote on 01/08/2007 04:05:05:

> On Tue, 31/07/2007 at 20:04 -0300, thiago@xxxxxxxxxxxxx writes:
> > Hello all,
> >
> > I got a problem when redirecting a UDP port. The rules are:
> >
> > # TCP port redirect - working fine:
> >
> > iptables -t nat -A PREROUTING -i <ext_if> -p tcp -d <ext_ip> --dport 22 -j
> > DNAT -m state --state NEW --to <int_ip>:1194
> > iptables -A FORWARD -i <ext_if> -p tcp -d <int_ip> --dport 1194 -m state
> > --state NEW -j ACCEPT
>
> "-m state --state NEW" - what is this for? The nat table only sees packets
> initiating a connection, doesn't it?

You got it right, there's no need for that. I made that change in a
previous search & replace.. forget about it.

> > # UDP port redirect - not going through
> >
> > iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j
> > DNAT -m state --state NEW --to <int_ip>:1194
> > iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state
> > --state NEW -j ACCEPT
>
> You're accepting NEW packets in the filter table; consider making sure the
> rest would pass through.

Good reminder, but it is stateful, for sure.

> > I hit the nat/prerouting rule, but never reach the filter/forward one.
> > As you can see the only change I've made from the tcp rule to the udp rule
> > is just the matching protocol.
> > I can debug it a little more, but also would like to hear from you guys if
> > you have any hints.
>
> Also, I've experienced a situation for UDP when nat rules don't match because
> there was such a connection before the rule was inserted and conntrack already
> saw it and has it counted. UDP connection tracking (since it's a connectionless
> protocol) goes by src/dst ports. Packets can belong to different
> "connections". The solution for me was to stop the UDP connection for several
> minutes to make conntrack forget it and then try again.

Had the same (not pleasant) experience with that before, too. Conntrack
tunables in /proc/sys/net/ipv4/netfilter/ helped me a lot.

Thanks anyway!
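As an added example (not code from anyone in the thread), a shell script that spots the stale-conntrack situation Костик describes in a conntrack dump and prints the corrected UDP redirect rules; the dump lines, addresses and interface name are constructed, and the old /proc/net/ip_conntrack line layout is assumed:

```shell
#!/bin/sh
# Added example, not from the thread. A UDP flow that conntrack recorded
# before the DNAT rule existed keeps its untranslated reply tuple, so new
# packets of that flow never hit the nat rule. Assumes the old
# /proc/net/ip_conntrack layout (udp lines have fixed field positions).
# SAMPLE_CONNTRACK is constructed, not a real dump.

SAMPLE_CONNTRACK='udp      17 170 src=198.51.100.7 dst=203.0.113.1 sport=40000 dport=22 src=203.0.113.1 dst=198.51.100.7 sport=22 dport=40000 [ASSURED] use=1
udp      17 25 src=198.51.100.9 dst=203.0.113.1 sport=40001 dport=22 src=192.168.1.10 dst=198.51.100.9 sport=1194 dport=40001 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.1 sport=50000 dport=22 src=192.168.1.10 dst=198.51.100.7 sport=1194 dport=50000 [ASSURED] use=1'

# Read a conntrack dump on stdin; print "src:sport" of every UDP flow to
# external port $1 whose reply tuple still answers from that same port,
# i.e. the entry predates the DNAT rule and is not translated.
stale_udp_entries() {
    awk -v port="$1" '
        $1 == "udp" && $7 == ("dport=" port) && $10 == ("sport=" port) {
            print substr($4, 5) ":" substr($6, 7)
        }'
}

# Corrected rule set for the UDP redirect: no state match in the nat table
# (it only sees the first packet of a flow anyway), and FORWARD lets the
# rest of the flow through with ESTABLISHED,RELATED.
udp_dnat_rules() {
    ext_if=$1; ext_ip=$2; int_ip=$3; ext_port=$4; int_port=$5
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $ext_if -p udp -d $ext_ip --dport $ext_port -j DNAT --to $int_ip:$int_port" \
      "iptables -A FORWARD -i $ext_if -p udp -d $int_ip --dport $int_port -m state --state NEW -j ACCEPT" \
      "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Entries listed here will bypass the new rule until they expire (see the
# UDP timeouts under /proc/sys/net/ipv4/netfilter/, e.g.
# ip_conntrack_udp_timeout) or are removed with the conntrack tool, e.g.
# "conntrack -D -p udp --dport 22".
main() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | stale_udp_entries 22
    udp_dnat_rules eth0 203.0.113.1 192.168.1.10 22 1194
}

main "$@"
```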