iptables and udp socket
hidden at balabit.hu
Wed Jul 20 16:36:05 CEST 2005
2005-07-19, k keltezéssel 19.23-kor Keserű Kornél ezt írta:
> I'm quite new to netfilter/iptables, I have been using it for some weeks.
> I would like to ask if it may lead to undeterministic behaviour of iptables
> when an udp socket is opened on an IP:port while in parallel iptables
> rules (NAT) are setup that forward all incoming packets received on
> that IP:port to a different destination. So I just want to use the socket
> for sending out packets on it, while incoming packets should be
> forwarded to other destination. But sometimes the packets are
> received on the socket, sometimes they are forwarded. So iptables
> don't have always the expected effect.
This probably derives from the internals of Netfilter connection
tracking and NAT. In Netfilter, the NAT subsystem is completely based on
the conntrack subsystem. That is, when a packet belonging to a currently
unknown connection is detected, the conntrack system creates a new
connection. Later the NAT subsystem determines the mapping to be applied
onto that connection by looking up the appropriate iptables table/chain.
The final mapping is then stored in the conntrack entry.
Now imagine the following scenario: you open your 'sending only'
socket (IP_A:PORT_A), and send a UDP packet to IP_B:PORT_B. Obviously,
no mapping will be done by the NAT subsystem, as you redirect incoming
packets only. Now let's see what happens when a packet from IP_B:PORT_B
comes back to IP_A:PORT_A. Since that source-destination pair matches
the conntrack entry of the connection you've just created by sending the
first packet, the conntrack system thinks it simply belongs to that
connection. As there are no NAT mappings associated with that
connection, no address translation will happen.
So IMHO this method is flawed, you won't be able to get consistent and
reliable operation this way...
More information about the netfilter