[Bug 498] RTP packets are not hitting NAT table

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Mon Aug 7 16:47:56 CEST 2006


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=498
------- Additional Comments From cfilin at intermedia.net  2006-08-07 16:47 MET -------
I've looked at the conntrack utility, moreover I now have my own code that 
throws out connections from the conntrack cache. The problem I have is different - 
the "nat" table is consulted only when a packet creating a *new* conntrack
connection is arriving. This means that when the second, third and so on 
packets are arriving on the same conntrack connection, the "nat" table is 
not consulted and it does not NAT the packets. 

This is all demonstrated perfectly clearly below (I have RTP traffic coming
to the interface from 85.141.210.22:9000 all the time)

1) Here's my NAT table:
[root at ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# /sbin/iptables-save -c -
t nat
# Generated by iptables-save v1.3.5 on Mon Aug  7 06:57:27 2006
*nat
:PREROUTING ACCEPT [1502:275921]
:POSTROUTING ACCEPT [406:45653]
:OUTPUT ACCEPT [406:45653]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[12:1247] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[7:511] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[0:0] -A pbxpilot_postrouting -d 212.113.111.225 -p udp -m udp --dport 21650 -j 
SNAT --to-source 204.147.182.200:18056
[0:0] -A pbxpilot_postrouting -d 85.141.210.22 -p udp -m udp --dport 9000 -j 
SNAT --to-source 204.147.182.200:18298
[0:0] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j 
DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j 
DNAT --to-destination 85.141.210.22:9000
COMMIT

2) Traffic from 85.141.210.22:9000 keeps coming in:

# cat /proc/net/ip_conntrack | grep src=85.141.210.22 | grep ^udp
udp      17 179 src=204.147.182.200 dst=85.141.210.22 sport=18298 dport=9000 
packets=22736 bytes=1659728 src=85.141.210.22 dst=204.147.182.200 sport=9000 
dport=18298 packets=22826 bytes=1666298 [ASSURED] mark=0 use=1

# cat /proc/net/ip_conntrack | grep src=85.141.210.22 | grep ^udp
udp      17 179 src=204.147.182.200 dst=85.141.210.22 sport=18298 dport=9000 
packets=22821 bytes=1665933 src=85.141.210.22 dst=204.147.182.200 sport=9000 
dport=18298 packets=22911 bytes=1672503 [ASSURED] mark=0 use=1

3) The count of NATed packets is unchanged (they are all zeroes):
[root at ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# /sbin/iptables-save -c -
t nat
# Generated by iptables-save v1.3.5 on Mon Aug  7 06:57:48 2006
*nat
:PREROUTING ACCEPT [1502:275921]
:POSTROUTING ACCEPT [406:45653]
:OUTPUT ACCEPT [406:45653]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[12:1247] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[7:511] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[0:0] -A pbxpilot_postrouting -d 212.113.111.225 -p udp -m udp --dport 21650 -j 
SNAT --to-source 204.147.182.200:18056
[0:0] -A pbxpilot_postrouting -d 85.141.210.22 -p udp -m udp --dport 9000 -j 
SNAT --to-source 204.147.182.200:18298
[0:0] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j 
DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j 
DNAT --to-destination 85.141.210.22:9000
COMMIT

4) Now I delete the conntrack entry using my utility (written using 
libnetfilter_conntrack-0.0.31)

[root at ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# ./delete_conntrack udp 
85.141.210.22 9000 204.147.182.200 18298
TEST 6: delete conntrack (0)

The utility succeeds

5) Looking into the NAT counters again:
[root at ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# /sbin/iptables-save -c -
t nat
# Generated by iptables-save v1.3.5 on Mon Aug  7 06:58:19 2006
*nat
:PREROUTING ACCEPT [1523:278443]
:POSTROUTING ACCEPT [409:45846]
:OUTPUT ACCEPT [409:45846]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[13:1320] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[8:584] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[1:73] -A pbxpilot_postrouting -d 212.113.111.225 -p udp -m udp --dport 21650 -
j SNAT --to-source 204.147.182.200:18056
[0:0] -A pbxpilot_postrouting -d 85.141.210.22 -p udp -m udp --dport 9000 -j 
SNAT --to-source 204.147.182.200:18298
[1:73] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j 
DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j 
DNAT --to-destination 85.141.210.22:9000
COMMIT
# Completed on Mon Aug  7 06:58:19 2006

Excellent, iptables NATed 1 packet of 73 bytes.

6) The traffic from 85.141.210.22:9000 keeps coming in, but the counters in the NAT 
table do not change:
[root at ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# /sbin/iptables-save -c -
t nat
# Generated by iptables-save v1.3.5 on Mon Aug  7 06:58:22 2006
*nat
:PREROUTING ACCEPT [1528:279437]
:POSTROUTING ACCEPT [412:46074]
:OUTPUT ACCEPT [412:46074]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[13:1320] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[8:584] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[1:73] -A pbxpilot_postrouting -d 212.113.111.225 -p udp -m udp --dport 21650 -
j SNAT --to-source 204.147.182.200:18056
[0:0] -A pbxpilot_postrouting -d 85.141.210.22 -p udp -m udp --dport 9000 -j 
SNAT --to-source 204.147.182.200:18298
[1:73] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j 
DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j 
DNAT --to-destination 85.141.210.22:9000
COMMIT

Now if I delete the conntrack entry again, the NAT table packet counter will 
increment again, but I need to set up iptables so that *all* packets from 
85.141.210.22:9000 are NATed, not only the first one opening the conntrack entry.

Is there a way to do this with iptables? If not, then what is the purpose of the NAT
table? What is the right way to use it?

Thanks in advance for your patience and help.

-c
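A small Python model of the lookup the report is exercising, added here as an illustration (it is not the reporter's utility or netfilter code): the nat table is walked only by the packet that creates a conntrack entry, the chosen mapping is stored in that entry, and every later packet of the flow is translated from the entry, so the rule counters count connections rather than packets. Addresses and sizes are taken from the report; the class and function names are assumed, and only the inbound direction of the flow is modelled.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[str, int, str, int]  # src ip, sport, dst ip, dport

@dataclass
class NatRule:
    """Model of a PREROUTING DNAT rule: match on source endpoint, rewrite destination."""
    match_src: Endpoint
    new_dst: Endpoint
    packets: int = 0  # rule counters, as shown by iptables-save -c
    bytes: int = 0

@dataclass
class ConntrackEntry:
    mapping: Optional[Endpoint] = None  # None: no NAT was bound when the entry was created

class NatBox:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack: Dict[FlowKey, ConntrackEntry] = {}

    def prerouting(self, pkt: FlowKey, size: int) -> Endpoint:
        entry = self.conntrack.get(pkt)
        if entry is None:
            # NEW flow: the only time the nat table is walked; the result is stored in the entry.
            entry = ConntrackEntry()
            for rule in self.rules:
                if rule.match_src == pkt[:2]:
                    rule.packets, rule.bytes = rule.packets + 1, rule.bytes + size
                    entry.mapping = rule.new_dst
                    break
            self.conntrack[pkt] = entry
        # Later packets are translated from the entry; the rule counters do not move.
        return entry.mapping or pkt[2:]

    def delete_conntrack(self, pkt: FlowKey) -> bool:
        return self.conntrack.pop(pkt, None) is not None

def demo():
    # Replays steps 1-6 of the report with its addresses (constructed scenario).
    rule = NatRule(("85.141.210.22", 9000), ("212.113.111.225", 21650))
    box = NatBox([rule])
    rtp = ("85.141.210.22", 9000, "204.147.182.200", 18298)
    box.conntrack[rtp] = ConntrackEntry()  # flow was already tracked before the rule existed
    before = [box.prerouting(rtp, 73) for _ in range(3)]  # rule never consulted, no DNAT
    box.delete_conntrack(rtp)                              # step 4: entry removed
    after = [box.prerouting(rtp, 73) for _ in range(3)]   # first packet hits the rule [1:73]
    return before, after, (rule.packets, rule.bytes)
```

The same model explains the operational rule of thumb that a NAT rule change only takes effect for flows whose conntrack entry is created afterwards, which is why existing entries must be removed (as the reporter's utility does) for a new mapping to apply.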
