iptables and udp socket
hidden at balabit.hu
Mon Aug 1 17:44:01 CEST 2005
2005-08-01, h keltezéssel 17.10-kor Keserű Kornél ezt írta:
> In the meantime I played with connection tracking and I found out that
> my iptables rules usually work parallel with the UDP traffic on the local
> socket if I set ip_conntrack_udp_timeout to 0. But for me it seems, it
> doesn't really disable udp connection tracking, does it? I think, it only
> sets the timeout to a very low value but the connection is still tracked,
> therefore it may happen that sometimes iptables will fail in my scenario.
> My problem is that I cannot avoid using UDP socket and iptables rule
> installed on the same IP:port.
> Is there a better way to "disable" UDP connection tracking and
> therefore to realize stateless behaviour of UDP in my scenario?
The problem is that Netfilter has absolutely no stateless NAT support.
Once you disable connection tracking for UDP (which you could do with an
appropriate rule in 'raw' table using the 'NOTRACK' target), you won't
be able to NAT that connection...
More information about the netfilter