[Bug 498] RTP packets are not hitting NAT table
bugzilla-daemon at bugzilla.netfilter.org
Mon Aug 7 16:47:56 CEST 2006
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=498
------- Additional Comments From cfilin at intermedia.net 2006-08-07 16:47 MET -------
I've looked at the conntrack utility, moreover I now have my own code that
throws out connections from the conntrack cache. The problem I have is different -
the "nat" table is consulted only when a packet creating a *new* conntrack
connection is arriving. This means that when the second, third and so on
packets are arriving on the same conntrack connection, the "nat" table is
not consulted and it does not NAT the packets.
This is all demonstrated perfectly clearly below (I have RTP traffic coming
to the interface from 85.141.210.22:9000 all the time).
1) Here's my NAT table:
[root at ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# /sbin/iptables-save -c -t nat
# Generated by iptables-save v1.3.5 on Mon Aug 7 06:57:27 2006
*nat
:PREROUTING ACCEPT [1502:275921]
:POSTROUTING ACCEPT [406:45653]
:OUTPUT ACCEPT [406:45653]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[12:1247] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[7:511] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[0:0] -A pbxpilot_postrouting -d 212.113.111.225 -p udp -m udp --dport 21650 -j SNAT --to-source 204.147.182.200:18056
[0:0] -A pbxpilot_postrouting -d 85.141.210.22 -p udp -m udp --dport 9000 -j SNAT --to-source 204.147.182.200:18298
[0:0] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j DNAT --to-destination 85.141.210.22:9000
COMMIT
2) Traffic from 85.141.210.22:9000 keeps coming in:
# cat /proc/net/ip_conntrack | grep src=85.141.210.22 | grep ^udp
udp 17 179 src=204.147.182.200 dst=85.141.210.22 sport=18298 dport=9000 packets=22736 bytes=1659728 src=85.141.210.22 dst=204.147.182.200 sport=9000 dport=18298 packets=22826 bytes=1666298 [ASSURED] mark=0 use=1
# cat /proc/net/ip_conntrack | grep src=85.141.210.22 | grep ^udp
udp 17 179 src=204.147.182.200 dst=85.141.210.22 sport=18298 dport=9000 packets=22821 bytes=1665933 src=85.141.210.22 dst=204.147.182.200 sport=9000 dport=18298 packets=22911 bytes=1672503 [ASSURED] mark=0 use=1
3) The count of NATed packets is unchanged (they are all zeroes):
[root at ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# /sbin/iptables-save -c -t nat
# Generated by iptables-save v1.3.5 on Mon Aug 7 06:57:48 2006
*nat
:PREROUTING ACCEPT [1502:275921]
:POSTROUTING ACCEPT [406:45653]
:OUTPUT ACCEPT [406:45653]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[12:1247] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[7:511] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[0:0] -A pbxpilot_postrouting -d 212.113.111.225 -p udp -m udp --dport 21650 -j SNAT --to-source 204.147.182.200:18056
[0:0] -A pbxpilot_postrouting -d 85.141.210.22 -p udp -m udp --dport 9000 -j SNAT --to-source 204.147.182.200:18298
[0:0] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j DNAT --to-destination 85.141.210.22:9000
COMMIT
4) Now I delete the conntrack entry using my utility (written using
libnetfilter_conntrack-0.0.31):
[root at ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# ./delete_conntrack udp 85.141.210.22 9000 204.147.182.200 18298
TEST 6: delete conntrack (0)
The utility succeeds.
5) Looking into the NAT counters again:
[root at ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# /sbin/iptables-save -c -t nat
# Generated by iptables-save v1.3.5 on Mon Aug 7 06:58:19 2006
*nat
:PREROUTING ACCEPT [1523:278443]
:POSTROUTING ACCEPT [409:45846]
:OUTPUT ACCEPT [409:45846]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[13:1320] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[8:584] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[1:73] -A pbxpilot_postrouting -d 212.113.111.225 -p udp -m udp --dport 21650 -j SNAT --to-source 204.147.182.200:18056
[0:0] -A pbxpilot_postrouting -d 85.141.210.22 -p udp -m udp --dport 9000 -j SNAT --to-source 204.147.182.200:18298
[1:73] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j DNAT --to-destination 85.141.210.22:9000
COMMIT
# Completed on Mon Aug 7 06:58:19 2006
Excellent, iptables NATed 1 packet of 73 bytes.
6) The traffic from 85.141.210.22:9000 keeps coming in, but the counters in the NAT
table do not change:
[root at ast-mv ~/Work/AsteriskPilot/asterisk/cpp/tests]# /sbin/iptables-save -c -t nat
# Generated by iptables-save v1.3.5 on Mon Aug 7 06:58:22 2006
*nat
:PREROUTING ACCEPT [1528:279437]
:POSTROUTING ACCEPT [412:46074]
:OUTPUT ACCEPT [412:46074]
:pbxpilot_postrouting - [0:0]
:pbxpilot_prerouting - [0:0]
[13:1320] -A PREROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_prerouting
[8:584] -A POSTROUTING -p udp -m udp --dport 16384:32766 -j pbxpilot_postrouting
[1:73] -A pbxpilot_postrouting -d 212.113.111.225 -p udp -m udp --dport 21650 -j SNAT --to-source 204.147.182.200:18056
[0:0] -A pbxpilot_postrouting -d 85.141.210.22 -p udp -m udp --dport 9000 -j SNAT --to-source 204.147.182.200:18298
[1:73] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j DNAT --to-destination 85.141.210.22:9000
COMMIT
Now if I delete the conntrack entry again, the NAT table packet counter will
increment again, but I need to set up iptables so that *all* packets from
85.141.210.22:9000 are NATed, not only the first one opening the conntrack entry.
Is there a way to do this with iptables? If not, then what is the purpose of the NAT
table? What is the right way to use it?
Thanks in advance for your patience and help.
-c
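Added example (not part of the bug report or of any netfilter code): a small Python parser for the two formats pasted in the comment above, the /proc/net/ip_conntrack entry line and the iptables-save -c counter prefix, run over the reporter's own before/after snapshots (copied with the mail line-wrapping undone). It computes the per-flow packet delta and the per-rule hit delta, and applies the one check that explains the symptom: a conntrack entry whose reply tuple is just the original tuple with source and destination swapped carries no NAT mapping at all, which is what the reporter's entry looks like. The "NATed" entry at the end is a constructed illustration of how the same flow would appear if it had been created after the DNAT/SNAT rules were in place; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the reporter's two conntrack snapshots, joined
# back onto single lines (the mail archive wrapped them).
CT_BEFORE = ("udp 17 179 src=204.147.182.200 dst=85.141.210.22 sport=18298 dport=9000 "
             "packets=22736 bytes=1659728 src=85.141.210.22 dst=204.147.182.200 "
             "sport=9000 dport=18298 packets=22826 bytes=1666298 [ASSURED] mark=0 use=1")
CT_AFTER = ("udp 17 179 src=204.147.182.200 dst=85.141.210.22 sport=18298 dport=9000 "
            "packets=22821 bytes=1665933 src=85.141.210.22 dst=204.147.182.200 "
            "sport=9000 dport=18298 packets=22911 bytes=1672503 [ASSURED] mark=0 use=1")

# Constructed illustration (not from the report): the entry the same flow would
# get if its first packet had traversed the DNAT and SNAT rules. The reply tuple
# now points at 212.113.111.225:21650 and back to the SNATed port 18056.
CT_NATTED = ("udp 17 179 src=85.141.210.22 dst=204.147.182.200 sport=9000 dport=18298 "
             "packets=1 bytes=73 src=212.113.111.225 dst=204.147.182.200 sport=21650 "
             "dport=18056 packets=0 bytes=0 mark=0 use=1")

# The two pbxpilot_prerouting rules from the report, before and after; the
# "[packets:bytes]" prefix is what iptables-save -c prints.
NAT_BEFORE = """\
[0:0] -A pbxpilot_prerouting -s 85.141.210.22 -p udp -m udp --sport 9000 -j DNAT --to-destination 212.113.111.225:21650
[0:0] -A pbxpilot_prerouting -s 212.113.111.225 -p udp -m udp --sport 21650 -j DNAT --to-destination 85.141.210.22:9000
"""
NAT_AFTER = NAT_BEFORE  # unchanged between the two snapshots, as in the report


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class CtEntry:
    proto: str
    orig: Tuple4
    reply: Tuple4
    orig_packets: int
    reply_packets: int


# One direction of a conntrack entry: addresses, ports and per-direction counters.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+) packets=(\d+) bytes=(\d+)")
# "[pkts:bytes] -A chain ..." as emitted by iptables-save -c.
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] (.*)$")


def parse_conntrack(line):
    """Parse one /proc/net/ip_conntrack line into its original and reply tuples."""
    found = TUPLE_RE.findall(line)
    if len(found) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    (osrc, odst, osp, odp, opk, _), (rsrc, rdst, rsp, rdp, rpk, _) = found
    return CtEntry(line.split()[0],
                   Tuple4(osrc, odst, int(osp), int(odp)),
                   Tuple4(rsrc, rdst, int(rsp), int(rdp)),
                   int(opk), int(rpk))


def has_nat_mapping(entry):
    """True iff the entry carries a NAT binding: the reply tuple differs from the
    original tuple with source and destination simply swapped."""
    mirror = Tuple4(entry.orig.dst, entry.orig.src, entry.orig.dport, entry.orig.sport)
    return entry.reply != mirror


def parse_nat_counters(text):
    """Map each rule body to its (packets, bytes) counter pair."""
    counters = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            counters[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return counters


def diagnose(ct_before, ct_after, nat_before, nat_after):
    """Compare two snapshots and say whether the flow is being translated."""
    b, a = parse_conntrack(ct_before), parse_conntrack(ct_after)
    flow_packets = (a.orig_packets - b.orig_packets) + (a.reply_packets - b.reply_packets)
    nb, na = parse_nat_counters(nat_before), parse_nat_counters(nat_after)
    rule_hits = sum(na[r][0] - nb.get(r, (0, 0))[0] for r in na)
    mapped = has_nat_mapping(a)
    if flow_packets > 0 and not mapped:
        verdict = ("flow pre-dates the nat rules: conntrack holds no mapping, and the "
                   "nat table is only consulted for a flow's first packet")
    elif flow_packets > 0 and mapped:
        verdict = "translated from the conntrack mapping; nat rule counters stay flat by design"
    else:
        verdict = "no traffic observed on the flow between snapshots"
    return {"flow_packets": flow_packets, "nat_rule_hits": rule_hits,
            "entry_has_nat_mapping": mapped, "verdict": verdict}


if __name__ == "__main__":
    for k, v in diagnose(CT_BEFORE, CT_AFTER, NAT_BEFORE, NAT_AFTER).items():
        print("%-22s %s" % (k, v))
    print("constructed NATed entry has mapping:", has_nat_mapping(parse_conntrack(CT_NATTED)))
```

Run it as-is and the report's numbers come out as 170 packets on the flow against zero rule hits, with the entry flagged as carrying no mapping; the same script pointed at live `cat /proc/net/ip_conntrack` and `iptables-save -c -t nat` output (two captures a few seconds apart) tells a flow that was never translated apart from one whose translation simply no longer shows up in the rule counters.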