thiago@xxxxxxxxxxxxx wrote:
Hello all,

I got a problem when redirecting a UDP port. The rules are:

# TCP port redirect - working fine:
iptables -t nat -A PREROUTING -i <ext_if> -p tcp -d <ext_ip> --dport 22 -j DNAT -m state --state NEW --to <int_ip>:1194
iptables -A FORWARD -i <ext_if> -p tcp -d <int_ip> --dport 1194 -m state --state NEW -j ACCEPT

# UDP port redirect - not going through
iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j DNAT -m state --state NEW --to <int_ip>:1194
iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state --state NEW -j ACCEPT

I hit the nat/PREROUTING rule, but never reach the filter/FORWARD one. As you can see, the only change I've made from the TCP rule to the UDP rule is the matching protocol. I can debug it a little more, but I would also like to hear from you guys if you have any hints.
Not sure why this doesn't work, but you don't need the state match in the NAT rule.
iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j DNAT --to <int_ip>:1194
iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state --state NEW -j ACCEPT

should work. You may want to add an explicit LOG rule:

iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -j LOG --log-prefix "WRONG: "

or even

iptables -A FORWARD -p udp --dport 1194 -j LOG --log-prefix "WRONG: "

after the ACCEPT rule to debug this.

M4
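The rule set from the reply, as an added example that is not part of the thread: one function emits the DNAT, FORWARD and trailing LOG rules for any protocol (so the tcp and udp redirects come from the same template), and a second one summarises what the LOG rule writes to the kernel log. Interface name, addresses and the sample log line are constructed values, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the reply's rule set for any
# protocol and summarises what the trailing LOG rule reports. Interface and
# addresses are constructed sample values (RFC 5737 / RFC 1918), not real ones.
EXT_IF="eth0"
EXT_IP="203.0.113.10"
INT_IP="192.168.1.20"

# dnat_rules PROTO EXT_PORT INT_PORT: print the three rules for one redirect.
dnat_rules() {
  proto="$1"; ext_port="$2"; int_port="$3"
  # nat/PREROUTING is consulted only for the first packet of a flow, so a
  # state match there is redundant (the point made in the reply).
  printf 'iptables -t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j DNAT --to %s:%s\n' \
    "$EXT_IF" "$proto" "$EXT_IP" "$ext_port" "$INT_IP" "$int_port"
  # filter/FORWARD sees the packet with its rewritten destination.
  printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
    "$EXT_IF" "$proto" "$INT_IP" "$int_port"
  # Debug rule placed after the ACCEPT: anything it logs was DNATed but not
  # accepted. Rate-limited so a flood cannot fill the kernel log.
  printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m limit --limit 5/min -j LOG --log-prefix "WRONG: "\n' \
    "$EXT_IF" "$proto" "$INT_IP" "$int_port"
}

# summarize_log: read kernel LOG lines on stdin, print one line per "WRONG:" hit
# as "PROTO SRC:SPT -> DST:DPT" so the logged packets can be compared with
# the FORWARD rule's match (protocol, destination address, destination port).
summarize_log() {
  awk '/WRONG: / {
    src = dst = proto = spt = dpt = ""
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "SRC") src = kv[2]
      else if (kv[1] == "DST") dst = kv[2]
      else if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "SPT") spt = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    print proto, src ":" spt, "->", dst ":" dpt
  }'
}

# Constructed sample of a kernel log line produced by the LOG rule above.
SAMPLE_LOG='[ 1234.567890] WRONG: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=40000 DPT=1194 LEN=40'

dnat_rules tcp 22 1194
dnat_rules udp 22 1194
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

Run the printed rules on the gateway, then feed `dmesg` (or the kernel log) through `summarize_log` to see which packets reached FORWARD without being accepted.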