[Bug 498] New: RTP packets are not hitting NAT table
bugzilla-daemon at bugzilla.netfilter.org
Thu Aug 3 17:00:49 CEST 2006
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=498
Summary: RTP packets are not hitting NAT table
Product: netfilter/iptables
Version: linux-2.6.x
Platform: All
OS/Version: Fedora
Status: NEW
Severity: major
Priority: P2
Component: NAT
AssignedTo: laforge at netfilter.org
ReportedBy: cfilin at intermedia.net
CC: cfilin at intermedia.net
greetings -
I can't seem to configure iptables to catch RTP packets in NAT chain and
process them. I searched high and low for the possible reason and didn't
find it. I think there is a bug in iptables, below is what I think proves
it.
The "nat" table in iptables has the following setup:
[root@ast-mv ~/Work/AsteriskPilot/asterisk/cpp]# /sbin/iptables-save -t nat -c
# Generated by iptables-save v1.3.5 on Thu Aug 3 07:16:21 2006
*nat
:PREROUTING ACCEPT [1928:347428]
:POSTROUTING ACCEPT [488:54328]
:OUTPUT ACCEPT [488:54328]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[10:1306] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[1:200] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[1:200] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[4:624] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[0:0] -A pbxpilot_postrouting -s 83.237.222.217 -p udp -m udp --sport 9000 -j SNAT --to-source 204.147.182.200:26864
[0:0] -A pbxpilot_postrouting -s 212.113.111.225 -p udp -m udp --sport 26864 -j SNAT --to-source 204.147.182.200:9000
[1:112] -A pbxpilot_postrouting -s 83.237.222.217 -p udp -m udp --sport 9001 -j SNAT --to-source 204.147.182.200:26865
[0:0] -A pbxpilot_postrouting -s 212.113.111.225 -p udp -m udp --sport 26865 -j SNAT --to-source 204.147.182.200:9001
[0:0] -A pbxpilot_prerouting -s 83.237.222.217 -p udp -m udp --sport 9000 -j DNAT --to-destination 212.113.111.225:26864
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 26864 -j DNAT --to-destination 83.237.222.217:9000
[1:112] -A pbxpilot_prerouting -s 83.237.222.217 -p udp -m udp --sport 9001 -j DNAT --to-destination 212.113.111.225:26865
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 26865 -j DNAT --to-destination 83.237.222.217:9001
COMMIT
# Completed on Thu Aug 3 07:16:21 2006
This shows that iptables are supposed to catch in chain PREROUTING UDP
packets from ip 83.237.222.217 destined to ports 16384:32766 and NAT them.
Check out the packet counts in PREROUTING chain. They are [10:1306]
The next command shows that I do get such UDP packets:
[root@ast-mv ~/Work/AsteriskPilot/asterisk/cpp]# /usr/sbin/tcpdump -n -v host 83.237.222.217 and proto UDP
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
07:16:27.327194 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 73) 204.147.182.200.30266 > 83.237.222.217.9000: UDP, length 45
07:16:27.328711 IP (tos 0x0, ttl 113, id 50003, offset 0, flags [none], proto: UDP (17), length: 73) 83.237.222.217.9000 > 204.147.182.200.30266: UDP, length 45
07:16:27.347693 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 73) 204.147.182.200.30266 > 83.237.222.217.9000: UDP, length 45
07:16:27.348582 IP (tos 0x0, ttl 113, id 50004, offset 0, flags [none], proto: UDP (17), length: 73) 83.237.222.217.9000 > 204.147.182.200.30266: UDP, length 45
07:16:27.367129 IP (tos 0x0, ttl 113, id 50005, offset 0, flags [none], proto: UDP (17), length: 73) 83.237.222.217.9000 > 204.147.182.200.30266: UDP, length 45
07:16:27.369193 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 73) 204.147.182.200.30266 > 83.237.222.217.9000: UDP, length 45
....
(some output was cut for brevity)
....
76 packets captured
153 packets received by filter
0 packets dropped by kernel
The next command shows iptables configuration with bytes and packets counters
again:
[root@ast-mv ~/Work/AsteriskPilot/asterisk/cpp]# /sbin/iptables-save -t nat -c
# Generated by iptables-save v1.3.5 on Thu Aug 3 07:16:31 2006
*nat
:PREROUTING ACCEPT [1933:348532]
:POSTROUTING ACCEPT [489:54388]
:OUTPUT ACCEPT [489:54388]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[10:1306] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[1:200] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[1:200] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[4:624] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[0:0] -A pbxpilot_postrouting -s 83.237.222.217 -p udp -m udp --sport 9000 -j SNAT --to-source 204.147.182.200:26864
[0:0] -A pbxpilot_postrouting -s 212.113.111.225 -p udp -m udp --sport 26864 -j SNAT --to-source 204.147.182.200:9000
[1:112] -A pbxpilot_postrouting -s 83.237.222.217 -p udp -m udp --sport 9001 -j SNAT --to-source 204.147.182.200:26865
[0:0] -A pbxpilot_postrouting -s 212.113.111.225 -p udp -m udp --sport 26865 -j SNAT --to-source 204.147.182.200:9001
[0:0] -A pbxpilot_prerouting -s 83.237.222.217 -p udp -m udp --sport 9000 -j DNAT --to-destination 212.113.111.225:26864
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 26864 -j DNAT --to-destination 83.237.222.217:9000
[1:112] -A pbxpilot_prerouting -s 83.237.222.217 -p udp -m udp --sport 9001 -j DNAT --to-destination 212.113.111.225:26865
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 26865 -j DNAT --to-destination 83.237.222.217:9001
COMMIT
# Completed on Thu Aug 3 07:16:31 2006
[root@ast-mv ~/Work/AsteriskPilot/asterisk/cpp]#
The count of packets and bytes in the PREROUTING chain is [10:1306] again; it did
not change and the packets were not routed.
I tried all kinds of things to make it work and was not able to - I started
and stopped IP tables services, I've read "man iptables" and googled on
iptables - nothing that would have pointed me to the reason. I found another
similar bug in iptables -
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=421
So I think that there really is a bug in iptables.
Please let me know if you need me to do any tests to resolve the problem.
Thanks
-c
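
The before/after counter comparison done by eye in the report can be automated. The following is an added example, not part of the original report or of iptables: it parses two `iptables-save -c` snapshots (re-joining mail-wrapped rule lines) and returns per-chain and per-rule deltas. The function names are hypothetical, and the sample input is excerpted from the two snapshots above.

```python
import re

# Rule line from `iptables-save -c`: "[pkts:bytes] -A CHAIN ..."
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s+\S+.*)$")
# Chain header line: ":CHAIN POLICY [pkts:bytes]"
CHAIN_RE = re.compile(r"^:(\S+)\s+\S+\s+\[(\d+):(\d+)\]$")

def parse_snapshot(text):
    """Return (chains, rules): chain -> (pkts, bytes), and ordered
    (rule_text, pkts, bytes) tuples. Order matters because a chain may
    hold identical rules, as PREROUTING does in the report."""
    chains, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        m = CHAIN_RE.match(line)
        if m:
            chains[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(3), int(m.group(1)), int(m.group(2))))
        elif rules:
            # Mail-wrapped continuation of the previous rule line.
            prev, pkts, byts = rules[-1]
            rules[-1] = (prev + " " + line, pkts, byts)
    return chains, rules

def counter_deltas(before, after):
    """Return (chain_deltas, rule_deltas) between two snapshots."""
    ch_b, ru_b = parse_snapshot(before)
    ch_a, ru_a = parse_snapshot(after)
    if [r[0] for r in ru_b] != [r[0] for r in ru_a]:
        raise ValueError("rule set changed; counters are not comparable")
    chain_d = {c: (ch_a[c][0] - ch_b[c][0], ch_a[c][1] - ch_b[c][1])
               for c in ch_b if c in ch_a}
    rule_d = [(i, b[0], a[1] - b[1], a[2] - b[2])
              for i, (b, a) in enumerate(zip(ru_b, ru_a))]
    return chain_d, rule_d

# Sample input excerpted from the report's snapshots (one rule left wrapped).
BEFORE = """*nat
:PREROUTING ACCEPT [1928:347428]
:POSTROUTING ACCEPT [488:54328]
[10:1306] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[0:0] -A pbxpilot_prerouting -s 83.237.222.217 -p udp -m udp --sport 9000 -j
DNAT --to-destination 212.113.111.225:26864
COMMIT
"""
AFTER = (BEFORE.replace("[1928:347428]", "[1933:348532]")
               .replace("[488:54328]", "[489:54388]"))
```

When reading the deltas, note that netfilter consults the nat table only for the packet that creates a conntrack entry; later packets of the same flow reuse the recorded mapping and do not increment nat rule counters.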