On Thu, 2011-10-27 at 08:45 +0200, Ronald wrote:
> >> > I assume that you have the relevant rules for the returning packets?
> >>
> >> What you see above is the entire iptables configuration that is
> >> relevant for port redirection. I made these based on examples from the
> >> internet. In order to redirect a port, you have to apply 1 rule to the
> >> client and 1 rule to the server.
> >
> > For packets going in one direction, yes. But surely you need similar
> > rules from the server back to the client? That said, it's probably
> > working (with the cable connection) because you're not doing it at
> > either end, so the packets are using the default ports.
>
> No, I don't. If I redirect packets from the client that originally go
> to udp/500 to udp/56301 (for example).

Okay, I don't know VPN, but assuming that the return packets originate
from the server's port 500, then these will not have the port number
changed using your rules.

> I can even add the following
> line to my server. (This is in the case I use port redirection. Then I
> use this line to make it an effective security enhancement):
>
> iptables -I PREROUTING -t raw -p udp --dport 500 -j DROP

Yes, but the packets originating from the server will not pass through
the PREROUTING chain.

> If I use a cable, the connection succeeds. If port redirection would
> fail, this rule would catch it and make a connection impossible. So I
> can conclude that port redirection works as expected when using a
> cable.

Maybe your cable connection has a firewall that is only allowing
related packets to return? Thus, if it sees the packets destined to the
server for port 56301 and returning from port 500, then it may not
associate them and thus drop them.

> Besides, I designed my netfilter configuration to not differentiate
> between interfaces. I use the addrtype extension, works better.

I like that, but remember that any packets leaving the server will only
traverse the OUTPUT and POSTROUTING chains. They therefore are not
affected by any of the iptables rules that you previously posted.

Andy
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
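The chain-traversal point made in the reply above (a packet generated on the server passes only OUTPUT and POSTROUTING, never PREROUTING) can be checked against a small model. The following is an added example and not code from the thread or from the netfilter project: a toy Python model of netfilter hook order that evaluates rules in the raw, nat and filter tables only, treats REDIRECT as a destination-port rewrite, and deliberately does not model connection tracking (a real kernel also uses conntrack to reverse a NAT mapping on reply packets, which this model leaves out), so it demonstrates hook traversal and nothing more. The two server-side rules are the ones quoted in the thread (the nat PREROUTING REDIRECT 56301 to 500 and the raw PREROUTING DROP on dport 500); the addresses are assumed TEST-NET values.

```python
"""Toy model of netfilter chain traversal (added example, not thread code).

Models only raw, nat and filter, and only the hooks each packet path visits.
Connection tracking and its reverse NAT on replies are intentionally omitted.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    table: str                      # raw, nat or filter
    chain: str                      # PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
    target: str                     # DROP, ACCEPT or REDIRECT
    proto: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None
    to_port: Optional[int] = None   # REDIRECT --to-ports

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.sport is None or self.sport == pkt.sport))


# Hooks visited per packet path; within a hook the tables run raw, then nat,
# then filter (mangle and security are omitted from this toy model).
PATHS = {
    "local_in":  [("raw", "PREROUTING"), ("nat", "PREROUTING"), ("filter", "INPUT")],
    "local_out": [("raw", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT"), ("nat", "POSTROUTING")],
    "forward":   [("raw", "PREROUTING"), ("nat", "PREROUTING"), ("filter", "FORWARD"), ("nat", "POSTROUTING")],
}


def traverse(rules: List[Rule], pkt: Packet, path: str) -> Tuple[str, Packet, List[str]]:
    """Walk pkt through the chains of `path`; the first matching rule in a chain decides."""
    trace: List[str] = []
    for table, chain in PATHS[path]:
        for rule in rules:
            if rule.table == table and rule.chain == chain and rule.matches(pkt):
                trace.append(f"{table}/{chain}: {rule.target}")
                if rule.target == "DROP":
                    return "DROP", pkt, trace
                if rule.target == "REDIRECT":
                    pkt = replace(pkt, dport=rule.to_port)   # port rewrite only
                break
    return "ACCEPT", pkt, trace


# The two server-side rules quoted in the thread.
SERVER_RULES = [
    Rule("nat", "PREROUTING", "REDIRECT", proto="udp", dport=56301, to_port=500),
    Rule("raw", "PREROUTING", "DROP", proto="udp", dport=500),
]

CLIENT, SERVER = "192.0.2.10", "198.51.100.20"   # assumed addresses (TEST-NET)


def server_accepts_redirected_packet() -> Tuple[str, int]:
    """Incoming udp/56301 is not dropped by raw (dport != 500) and is redirected to 500."""
    pkt = Packet("udp", CLIENT, 500, SERVER, 56301)
    verdict, final, _ = traverse(SERVER_RULES, pkt, "local_in")
    return verdict, final.dport          # ("ACCEPT", 500)


def server_drops_direct_packet() -> str:
    """Incoming udp/500 hits the raw PREROUTING DROP before nat can see it."""
    pkt = Packet("udp", CLIENT, 500, SERVER, 500)
    verdict, _, _ = traverse(SERVER_RULES, pkt, "local_in")
    return verdict                       # "DROP"


def server_reply_untouched() -> Tuple[str, int, List[str]]:
    """A reply generated on the server never enters PREROUTING, so neither rule sees it."""
    pkt = Packet("udp", SERVER, 500, CLIENT, 500)
    verdict, final, trace = traverse(SERVER_RULES, pkt, "local_out")
    return verdict, final.sport, trace   # ("ACCEPT", 500, [])


if __name__ == "__main__":
    print(server_accepts_redirected_packet())
    print(server_drops_direct_packet())
    print(server_reply_untouched())
```

The third function is the one that matters for the discussion: with an empty trace, neither the REDIRECT nor the raw DROP touched the server-generated reply, which is exactly the traversal argument in the message above. What the model does not show is what conntrack would do with that reply on a real kernel, so treat it as an illustration of hook order rather than of the complete NAT behaviour.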