Hello,
sean darcy wrote:
I'm trying to set up port forwarding for a VOIP server that uses IAX
packets, port 4569:
+ /sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4569 -j
DNAT --to 10.10.10.180:4569
+ /sbin/iptables -A FORWARD -p udp -m state --state NEW -d
10.10.10.180 --dport 4569 -j ACCEPT
but the packets aren't showing up at 10.10.10.180.
[...]
Well, they're going to input.
[...]
In other words, it's port forwarding all iax except from 76.
This happens probably because your NAT box started to receive UDP/4569
packets from 76.zzz.xxx.yyy before the DNAT rule was created and
continually receives packets since then. The netfilter connection
tracking created a conntrack entry without any NAT operation so
subsequent UDP/4569 packets from 76.zzz.xxx.yyy use that same conntrack
entry and skip the nat chains, until the entry expires. If the box
continually sees UDP/4569 packets from 76.zzz.xxx.yyy, then the entry
never expires. If you pull the ethernet wire off eth0 for a couple of
minutes, the conntrack entry should expire.
Rationale: don't allow any traffic before all rules are created. A
simple way to achieve it is to create the rules before network
interfaces are UP.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
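The stale-entry situation described in the reply can be checked for without waiting for the entry to expire or unplugging the interface. The script below is an added example and not part of the thread: it reads `conntrack -L` style lines, flags UDP entries to the DNAT port whose reply tuple was never rewritten to the internal host, and composes the `conntrack -D` command that would remove them. The conntrack lines are constructed sample data (203.0.113.5 stands in for the NAT box's public address, 76.0.0.1 for the peer the original poster masked as 76.zzz.xxx.yyy).

```shell
#!/bin/sh
# Added example (not from the thread): spot conntrack entries that were
# created before the DNAT rule existed and therefore carry no NAT mapping.
# Constructed sample of `conntrack -L` output; 203.0.113.5 is the NAT box,
# 10.10.10.180 the internal IAX server from the thread.
SAMPLE_CONNTRACK='udp      17 29 src=76.0.0.1 dst=203.0.113.5 sport=4569 dport=4569 src=203.0.113.5 dst=76.0.0.1 sport=4569 dport=4569 mark=0 use=1
udp      17 29 src=198.51.100.7 dst=203.0.113.5 sport=4569 dport=4569 src=10.10.10.180 dst=198.51.100.7 sport=4569 dport=4569 [ASSURED] mark=0 use=1
udp      17 170 src=192.0.2.9 dst=203.0.113.5 sport=51000 dport=53 src=203.0.113.5 dst=192.0.2.9 sport=53 dport=51000 mark=0 use=1'

# unnatted_sources TARGET PORT
# Reads conntrack -L lines on stdin and prints the original source address of
# every UDP entry to PORT whose reply tuple does not come from TARGET. Such an
# entry was created without the DNAT mapping, so later packets matching it
# skip the nat table entirely (the symptom in the thread).
unnatted_sources() {
  awk -v target="$1" -v port="$2" '
    $1 == "udp" {
      # whitespace fields: proto num timeout src= dst= sport= dport= src= dst= ...
      osrc = $4;   sub(/^src=/, "", osrc)
      odport = $7; sub(/^dport=/, "", odport)
      rsrc = $8;   sub(/^src=/, "", rsrc)
      if (odport == port && rsrc != target) print osrc
    }'
}

# delete_commands TARGET PORT
# Composes (but does not run) the conntrack-tools command that removes each
# stale entry, so the next packet from that peer traverses nat PREROUTING
# again and picks up the DNAT rule.
delete_commands() {
  unnatted_sources "$1" "$2" | while read -r src; do
    printf 'conntrack -D -p udp --orig-src %s --orig-port-dst %s\n' "$src" "$2"
  done
}

# Demonstration on the constructed sample: only the 76.0.0.1 entry is flagged;
# the 198.51.100.7 entry is properly NATed and the DNS entry is unrelated.
printf '%s\n' "$SAMPLE_CONNTRACK" | delete_commands 10.10.10.180 4569
```

On a live box, feed `conntrack -L` (from conntrack-tools, run as root) into `unnatted_sources` instead of the sample, and run the printed `conntrack -D` lines only after the DNAT rule is in place. This complements the reply's real fix, loading the whole ruleset (for example via `iptables-restore`) before the interfaces come up, so no connection is ever tracked without its NAT mapping in the first place.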