Pascal Hambourg wrote:
Hello,
sean darcy wrote:
sean darcy wrote:
I'm trying to setup port forwarding for a VOIP server that uses IAX
packets, port 4569:
+ /sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4569 -j DNAT --to 10.10.10.180:4569
+ /sbin/iptables -A FORWARD -p udp -m state --state NEW -d 10.10.10.180 --dport 4569 -j ACCEPT
but the packets aren't showing up at 10.10.10.180.
[...]
Well, they're going to input.
[...]
In other words, it's port forwarding all iax except from 76.
This happens probably because your NAT box started to receive UDP/4569
packets from 76.zzz.xxx.yyy before the DNAT rule was created and
continually receives packets since then. The netfilter connection
tracking created a conntrack entry without any NAT operation so
subsequent UDP/4569 packets from 76.zzz.xxx.yyy use that same conntrack
entry and skip the nat chains, until the entry expires. If the box
continually sees UDP/4569 packets from 76.zzz.xxx.yyy, then the entry
never expires. If you pull the ethernet wire off eth0 for a couple of
minutes, the conntrack entry should expire.
Rationale: don't allow any traffic before all rules are created. A
simple way to achieve it is to create the rules before network
interfaces are UP.
--
I was able to shut down the 76. machine, reboot the server, and it
worked. So, thanks.
But all this leaves me puzzled.
My server does NOT generate 4569 packets, and iptables INPUT drops all
from eth0, except for ssh and ESTABLISHED. So how could there be a
conntrack entry?
Is there a way to DNAT traffic before it reaches the conntrack entry?
Can I change the destination in raw/PREROUTING?
Is there a way to flush the conntrack entry? I'd really like not to
take the network down if this happens again. It's a very remote machine,
and if ssh didn't come up again, I'd need a new job.
Thanks for the help.
sean
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
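The following is an added example, not code from either poster. It addresses the question of flushing a conntrack entry without taking the interface down: the conntrack-tools utility can delete entries selectively with `conntrack -D`. The script reads a conntrack table dump, picks out UDP entries to the IAX port whose reply tuple shows no DNAT (a correctly translated flow replies from the DNAT target, an entry tracked before the DNAT rule existed replies from the NAT box itself), and prints the matching delete commands. The table lines, the public address 203.0.113.10 and the peer addresses are all constructed for the example; only the port 4569 and the target 10.10.10.180 come from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): find conntrack entries that were
# created before the DNAT rule existed and therefore bypass the nat table, and
# print the conntrack-tools commands that delete them without taking eth0 down.
#
# Assumptions (all made up for this example): the NAT box's public address is
# 203.0.113.10, the DNAT target is 10.10.10.180, the remote IAX peers are
# 76.1.2.3 and 198.51.100.7. The table below is a constructed sample in the
# format of /proc/net/nf_conntrack, not a capture from the poster's machine.

SAMPLE_CONNTRACK='ipv4     2 udp      17 29 src=76.1.2.3 dst=203.0.113.10 sport=4569 dport=4569 [UNREPLIED] src=203.0.113.10 dst=76.1.2.3 sport=4569 dport=4569 mark=0 zone=0 use=2
ipv4     2 udp      17 170 src=198.51.100.7 dst=203.0.113.10 sport=4569 dport=4569 src=10.10.10.180 dst=198.51.100.7 sport=4569 dport=4569 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.5 dst=203.0.113.10 sport=51234 dport=22 src=203.0.113.10 dst=192.0.2.5 sport=22 dport=51234 [ASSURED] mark=0 zone=0 use=1'

# stale_dnat_entries PORT TARGET
# Reads conntrack lines on stdin. For each UDP entry whose original destination
# port is PORT, compare the reply tuple's source with TARGET: a DNATed entry
# replies from TARGET, an entry tracked before the DNAT rule was loaded replies
# from the NAT box itself. Prints the original source of every un-NATed entry.
stale_dnat_entries() {
    awk -v port="$1" -v target="$2" '
        $3 != "udp" { next }
        {
            n = 0
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "src")        { n++; src[n] = kv[2] }   # 1 = original, 2 = reply
                else if (kv[1] == "dport") { dport[n] = kv[2] }
            }
            if (dport[1] == port && src[2] != target) print src[1]
        }'
}

# flush_commands PORT TARGET
# Emits one "conntrack -D" per stale entry, matching on the original tuple so
# that correctly DNATed flows and unrelated traffic (e.g. the ssh session) are
# left alone.
flush_commands() {
    stale_dnat_entries "$1" "$2" | while read -r peer; do
        printf 'conntrack -D -p udp --orig-src %s --orig-port-dst %s\n' "$peer" "$1"
    done
}

# Run against the constructed sample. On a real box, pipe in /proc/net/nf_conntrack
# (or the output of "conntrack -L") instead, review the printed commands, and only
# then feed them to sh.
printf '%s\n' "$SAMPLE_CONNTRACK" | flush_commands 4569 10.10.10.180
```

Because the delete is keyed on the peer's address and the destination port, the ssh session that keeps the remote box reachable is never touched; the next UDP/4569 packet from that peer then creates a fresh entry that does traverse the nat PREROUTING chain.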