UDP port redirect
Thiago Lucas
thiago at powers.com.br
Wed Aug 1 14:52:26 CEST 2007
Покотиленко Костик <casper at meteor.dp.ua> wrote on 01/08/2007 04:05:05:
> On Tue, 31/07/2007 at 20:04 -0300, thiago at powers.com.br writes:
> > Hello all,
> >
> > I got a problem when redirecting a UDP port. The rules are:
> >
> > # TCP port redirect - working fine:
> >
> > iptables -t nat -A PREROUTING -i <ext_if> -p tcp -d <ext_ip> --dport 22 -j DNAT -m state --state NEW --to <int_ip>:1194
> > iptables -A FORWARD -i <ext_if> -p tcp -d <int_ip> --dport 1194 -m state --state NEW -j ACCEPT
>
> "-m state --state NEW" - what is this for? Nat table only sees packets
> initiating connection, isn't it?
You got it right, there's no need for that. I made that change in a
previous search & replace.. forget about it.
>
> > # UDP port redirect - not going through
> >
> > iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j DNAT -m state --state NEW --to <int_ip>:1194
> > iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state --state NEW -j ACCEPT
>
> You're accepting NEW packets in the filter table; consider making sure the
> rest would pass through.
Good reminder, but it is stateful, for sure.
>
> > I hit the nat/prerouting rule, but never reach the filter/forward one.
> > As you can see, the only change I've made from the tcp rule to the udp rule is
> > just the matching protocol.
> > I can debug it a little more, but also would like to hear from you guys if
> > you have any hints.
>
> Also, I've experienced a situation for UDP when nat rules don't match because
> there was such a connection before the rule was inserted and conntrack already
> saw it and has it counted. UDP connection tracking (since it's a connectionless
> protocol) goes by src/dst ports. Packets can belong to different
> "connections". The solution for me was to stop the UDP connection for several
> minutes to make conntrack forget it and then try again.
Had the same (not pleasant) experience with that before, too. Conntrack
tunables in /proc/sys/net/ipv4/netfilter/ helped me a lot.
Thanks anyway!
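The conntrack behaviour discussed in this thread, as an added illustration that is not part of the original mail: a small Python model in which nat rules are consulted only for a NEW flow, so a UDP flow that conntrack saw before the DNAT rule was inserted keeps its old (un-NATed) mapping until the entry times out, which is what the UDP timeout tunable under /proc/sys/net/ipv4/netfilter/ (ip_conntrack_udp_timeout on kernels of that era) controls. Addresses, ports and the 30-second timeout are constructed stand-ins.

```python
from dataclasses import dataclass, field

UDP_TIMEOUT = 30.0  # seconds; constructed stand-in for ip_conntrack_udp_timeout


@dataclass
class Entry:
    target: tuple      # (ip, port) the flow's packets are actually delivered to
    last_seen: float   # refreshed by every packet, like conntrack's timer


@dataclass
class Conntrack:
    nat_rules: list = field(default_factory=list)  # [(match_dport, (new_ip, new_port))]
    table: dict = field(default_factory=dict)      # flow tuple -> Entry
    timeout: float = UDP_TIMEOUT

    def expire(self, now):
        # Drop entries whose timer ran out; only then can a flow become NEW again.
        self.table = {k: e for k, e in self.table.items() if now - e.last_seen < self.timeout}

    def forward(self, src, sport, dst, dport, now):
        """Return where a UDP packet is delivered; DNAT rules apply to NEW flows only."""
        self.expire(now)
        key = ("udp", src, sport, dst, dport)   # UDP flows are tracked by src/dst ports
        entry = self.table.get(key)
        if entry is None:
            # NEW flow: the only moment the nat/PREROUTING rules are looked at.
            target = (dst, dport)
            for match_dport, new_dst in self.nat_rules:
                if dport == match_dport:
                    target = new_dst
                    break
            entry = self.table[key] = Entry(target, now)
        entry.last_seen = now  # later packets reuse the stored mapping, rules or not
        return entry.target


def scenario():
    """Flow exists before the rule is added; DNAT only takes effect after expiry."""
    ct = Conntrack()
    ext_ip, int_ip = "198.51.100.10", "192.168.1.20"   # constructed addresses
    client = ("203.0.113.5", 40000)                    # constructed client
    before = ct.forward(*client, ext_ip, 22, 0.0)      # seen with no DNAT rule yet
    ct.nat_rules.append((22, (int_ip, 1194)))          # the UDP DNAT rule from the mail
    stale = ct.forward(*client, ext_ip, 22, 5.0)       # same flow: still not redirected
    after = ct.forward(*client, ext_ip, 22, 5.0 + UDP_TIMEOUT + 1)  # entry expired
    return before, stale, after
```

Lowering the timeout or pausing the client for longer than it makes the stale entry disappear, which is the workaround described above.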