Philip Schaten <philip@xxxxxxxxxxxxxx> wrote:
> Now, this works fine for tcp, i.e. I can establish a tcp connection to
> $nat_ip:7777 and talk to my laptop (10.10.3.101) from the outside.
> For udp, only the first packet arrives at the destination. Adding "ip daddr
> 10.10.3.101 return" to the chain in_ext solves this problem.
> This brings me to the following conclusion:
>
> UDP portforwarding in our setup, using packet marks, fails because only the
> first packet of a 'connection' is marked ( 0x0008 = portforward ) as it hits
> the NAT prerouting chain.

That's weird, NAT type hooks are always only consulted for the first packet in a connection only.

Given the ruleset you have shown TCP should "fail" too.

The normal way to accept packets from a nat'ed connection is something like 'ct status dnat accept'.
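As an added illustration (not the poster's ruleset, and not from the reply), here is a minimal nftables configuration contrasting the mark-based accept with the conntrack-based `ct status dnat accept` the reply suggests; the external interface eth0, the NAT address 203.0.113.10 and the internal host 10.10.3.101 are assumed values.

```nft
# Constructed example, not the original poster's ruleset.
# Assumptions: external interface eth0, public address 203.0.113.10,
# forwarded service on 10.10.3.101 port 7777.

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # A nat-type hook sees only the FIRST packet of a flow; conntrack
        # applies the mapping to the rest. A packet mark set here therefore
        # exists only on that first packet, not on the ones that follow.
        iifname "eth0" ip daddr 203.0.113.10 tcp dport 7777 dnat to 10.10.3.101:7777
        iifname "eth0" ip daddr 203.0.113.10 udp dport 7777 dnat to 10.10.3.101:7777
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # Fragile variant: depends on a mark that only the first packet of
        # the flow carries. Kept here only for comparison, hence commented out.
        # meta mark 0x0008 accept

        # Robust variant: conntrack flags every packet of a DNATed flow,
        # including later original-direction packets that are still
        # 'ct state new' (for example UDP before any reply has been seen).
        ct status dnat accept
    }
}
```

Load with `nft -f <file>` and inspect the resulting flow with `conntrack -L` to confirm the DNAT status bit is set on the entry.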