> On Tue, 14 Feb 2012, Enrique Huerta de la Fuente wrote:
>
> > The problem is that the MASQUERADE rule does not work with UDP(1195).
> >
> > Any idea?
>
> One thing to check out, took me a whole day to figure out with openvpn
> udp traffic to port 1194 not being masqueraded in some "random" cases:
>
> Does the connection to your port 1195 exist before the firewall rulesets
> are loaded first after boot? - one packet before the rule setup may be
> enough. Once a connection with the same sip+sport+dip+dport has been
> added to the conntrack list their masquerading/SNAT/DNAT state is not
> changed again - and with the "virtual" udp connection they can stay
> alive quite a while.
>
> Perhaps try just flushing the whole connection-tracking table and see if
> it starts working afterwards:
>
> conntrack -F conntrack ; conntrack -F expect
>
> c'ya
> sven-haegar
>
> --
> Three may keep a secret, if two of them are dead.
> - Ben F.

Hello Sven-Haegar,

yes, the connection to port 1195 exists before the firewall rulesets.

udp 17 179 src=38.124.170.14 dst=38.124.170.25 sport=1195 dport=1195 packets=496310 bytes=132295480 src=38.124.170.25 dst=38.124.170.14 sport=1195 dport=1195 packets=664491 bytes=169869224 [ASSURED] mark=0 secmark=0 use=1

I tried the NOTRACK target, but I have to wait for the time to live of the connection tracking entry to apply the new rules:

iptables -t raw -I PREROUTING -p udp --sport 1195 -j NOTRACK
iptables -t raw -I OUTPUT -p udp --dport 1195 -j NOTRACK
iptables -t raw -I PREROUTING -p udp --dport 1195 -j NOTRACK

I wait 179 secs and ...

iptables -t raw -D PREROUTING -p udp --sport 1195 -j NOTRACK
iptables -t raw -D OUTPUT -p udp --dport 1195 -j NOTRACK
iptables -t raw -D PREROUTING -p udp --dport 1195 -j NOTRACK

With this, I can apply the MASQUERADE rule and it works very well. Now I have to install conntrack-tools to delete the connection tracking entries very quickly.

Thanks very much, I really appreciate your help, I was desperate because I did not know why it was not working.
E.Huerta
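As an added diagnostic that is not part of this thread: a small Python parser for `conntrack -L` output that flags entries to a given port whose reply tuple is a plain mirror of the original tuple (that is, no SNAT/DNAT mapping was ever attached, which is the stale state Sven-Haegar describes for flows created before the MASQUERADE rule was loaded) and builds per-entry `conntrack -D` commands so only those flows are removed instead of flushing the whole table with `conntrack -F`. The first sample line is the entry from the post; the second is constructed with documentation-range addresses to show what a masqueraded flow looks like. The `-s`, `-d`, `--sport` and `--dport` options are the conntrack-tools original-tuple selectors.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample `conntrack -L` output, one entry per line. The first entry is the one
# shown in the thread; the second is CONSTRUCTED (documentation-range addresses)
# to show a masqueraded flow: the reply tuple's dst/dport are the router's public
# address and a rewritten port, not a mirror of the original tuple.
SAMPLE_CONNTRACK_OUTPUT = """\
udp      17 179 src=38.124.170.14 dst=38.124.170.25 sport=1195 dport=1195 packets=496310 bytes=132295480 src=38.124.170.25 dst=38.124.170.14 sport=1195 dport=1195 packets=664491 bytes=169869224 [ASSURED] mark=0 secmark=0 use=1
udp      17 29 src=10.8.0.2 dst=203.0.113.5 sport=1195 dport=1195 packets=12 bytes=1800 src=203.0.113.5 dst=198.51.100.1 sport=1195 dport=40000 packets=10 bytes=1500 [ASSURED] mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass(frozen=True)
class FlowTuple:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class ConntrackEntry:
    proto: str
    timeout: int          # seconds left before the entry expires (179 in the post)
    orig: FlowTuple       # original direction, as seen by conntrack
    reply: FlowTuple      # reply direction; NAT shows up here
    assured: bool

    def is_translated(self) -> bool:
        """True if NAT was applied: the reply tuple is not a plain mirror of the original."""
        mirror = FlowTuple(self.orig.dst, self.orig.src, self.orig.dport, self.orig.sport)
        return self.reply != mirror


def parse_entry(line: str) -> ConntrackEntry:
    """Parse one `conntrack -L` line. fields[1] is the numeric protocol; a TCP
    state word (ESTABLISHED, ...) may follow the timeout and is simply ignored."""
    fields = line.split()
    proto, timeout = fields[0], int(fields[2])
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected original and reply tuples: %r" % line)
    orig, reply = (FlowTuple(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples)
    return ConntrackEntry(proto, timeout, orig, reply, "[ASSURED]" in fields)


def parse_conntrack(output: str) -> List[ConntrackEntry]:
    return [parse_entry(line) for line in output.splitlines() if line.strip()]


def find_untranslated(output: str, dport: int, proto: str = "udp") -> List[ConntrackEntry]:
    """Entries to the given port that conntrack accepted without any NAT mapping.

    These are the flows the thread describes: created before the MASQUERADE rule
    existed, so NAT is never applied to them until they expire or are deleted."""
    return [e for e in parse_conntrack(output)
            if e.proto == proto and e.orig.dport == dport and not e.is_translated()]


def delete_commands(entries: List[ConntrackEntry]) -> List[str]:
    """Per-entry `conntrack -D` commands (original-tuple selectors), so only the
    stale flows are dropped rather than the whole table."""
    return ["conntrack -D -p %s -s %s -d %s --sport %d --dport %d"
            % (e.proto, e.orig.src, e.orig.dst, e.orig.sport, e.orig.dport)
            for e in entries]


if __name__ == "__main__":
    for e in parse_conntrack(SAMPLE_CONNTRACK_OUTPUT):
        print("%s -> %s:%d ttl=%ds NAT=%s"
              % (e.orig.src, e.orig.dst, e.orig.dport, e.timeout, e.is_translated()))
    for cmd in delete_commands(find_untranslated(SAMPLE_CONNTRACK_OUTPUT, 1195)):
        print(cmd)
```

In practice the parser is fed the live output of `conntrack -L` for the VPN port; the entry from the post is reported as untranslated and yields a single targeted delete, while the constructed masqueraded entry is left alone.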