Hello!

Seems like you have an IGMP snooping issue.
Run tcpdump and check the IGMP traffic: you should see an IGMP join at your daemon start, and periodic IGMP queries and the IGMP reports sent in reply.
Allow input IGMP packets in your ruleset.

2015-10-04 19:13 GMT+03:00 Aleksander Morgado <aleksander@xxxxxxxxxxxxx>:
> Hey,
>
> I'm trying to debug an issue where UDP multicast traffic isn't
> properly reaching a UDP server daemon behind iptables. The issue
> doesn't happen with iptables disabled.
>
> The system is a virtual machine which has a br0 bridge interface
> composed of 2 eths. The br0 interface has an IP address, while the
> eths don't. It's a CentOS 6.2 server with iptables 1.4.7, ebtables
> 2.0.9 and kernel 2.6.32-220.el6.i686.
>
> The input chain is set to drop by default, and I'm just adding one rule:
>   -A INPUT -p udp -d 239.25.90.6 --dport 25906 -j ACCEPT
>
> Now, as soon as I start the UDP server daemon, packets will flow
> through iptables nicely, but only for some 4 mins and 20s (!approx,
> not always exactly that). After that, no more packets are received in
> the UDP server, and no packets are shown as being dropped in iptables
> (as if the packets didn't arrive at iptables).
>
> It looks like the 4mins and 20s limit is to be counted from when the
> UDP server daemon starts; if I add the routing rule e.g. 5 mins after
> the UDP server starts, no traffic would flow. The UDP server daemon is
> just binding to the multicast group and port, and joining the
> multicast group operation (IP_ADD_MEMBERSHIP).
>
> Interestingly, if I run a tcpdump on that interface while I'm testing,
> the packets will always arrive at iptables, pass the rule I added and
> flow to the UDP server socket; i.e. traffic doesn't stop after 4mins
> 20s.
>
> Any hint on what could be happening?
>
> --
> Aleksander
> https://aleksander.es
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Anton.
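
The check suggested in the reply, written as a ruleset audit (an added example, not part of the original thread): it parses an `iptables-save` style dump and flags an INPUT chain that drops by default and accepts UDP to a multicast group but has no rule accepting IGMP. The function names and the sample dump are constructed for illustration, and the timeout assumes the default IGMP timers (robustness 2, query interval 125 s, query response interval 10 s), which give 260 s, the same 4 min 20 s reported in the question.

```python
import ipaddress
import shlex

# Constructed iptables-save dump mirroring the ruleset described in the thread.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 239.25.90.6/32 -p udp -m udp --dport 25906 -j ACCEPT
COMMIT
"""

def membership_timeout(robustness=2, query_interval=125, response_interval=10):
    """Group Membership Interval in seconds (RFC 2236 / RFC 3376 defaults)."""
    return robustness * query_interval + response_interval

def parse_input_chain(dump):
    """Return (default policy, [option dict per rule]) for the INPUT chain."""
    policy, rules = None, []
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            tok = shlex.split(line)
            # Pair each option with the token after it; enough for -p, -d, -j.
            rules.append({t: tok[i + 1] for i, t in enumerate(tok[:-1])
                          if t.startswith("-")})
    return policy, rules

def audit(dump):
    """Flag a default-drop INPUT chain that accepts multicast UDP but not IGMP."""
    policy, rules = parse_input_chain(dump)
    accepts = [r for r in rules if r.get("-j") == "ACCEPT"]
    groups = [r["-d"] for r in accepts if "-d" in r
              and ipaddress.ip_interface(r["-d"]).ip.is_multicast]
    # Simplification: only an explicit "-p igmp" (protocol 2) ACCEPT counts.
    igmp_ok = any(r.get("-p") in ("igmp", "2") for r in accepts)
    return {
        "policy": policy,
        "multicast_groups": groups,
        "igmp_accepted": igmp_ok,
        "at_risk": policy == "DROP" and bool(groups) and not igmp_ok,
        "expires_after_s": membership_timeout(),
        "suggested_rule": "-A INPUT -p igmp -j ACCEPT",
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On a live host the dump would come from `iptables-save`; the audit only reads the filter table's INPUT chain and does not look at ebtables or bridge snooping settings.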