To: lartc@vger.kernel.org
Subject: Re: [LARTC] Troubles DNATing UDP
Date: Fri, 10 Nov 2006 11:37:36 +0000 [thread overview]
Message-ID: <1163158657.4061.3.camel@localhost.localdomain> (raw)
In-Reply-To: <1162910458.32208.44.camel@localhost.localdomain>
Did my message hit the list?
Once again, is there any difference in DNAT'ing TCP and UDP? Maybe there
is a difference related to different kinds/types of UDP packets?
On Tue, 07/11/2006 at 16:40 +0200, Покотиленко Костик wrote:
> Hi.
>
> I have strange troubles with DNATing UDP packets.
>
> The situation:
>
> 1. We have local network 10.10.0.0/16
> 2. We have a "server network" 192.168.1.0/25 connected with local
> network by a router 10.10.100.1 (other ip 192.168.1.1).
> 3. Web server is located at 192.168.1.2
> 4. There are HW pingers in the net 10.10.0.0/16 which ping
> 10.10.100.1 every second. The ping is a UDP packet with both source
> and destination ports set to 4000.
> 5. There is software to decode ping packets and produce/update html
> report.
>
> I want to install the ping-analyzing software at the web server
> (192.168.1.2) and connect it with the locally running apache to have a web
> page with the ping report.
>
> As the pingers ping (send UDP packets) to 10.10.100.1 I was trying to
> redirect them to 192.168.1.2 by:
>
> iptables -t nat -I PREROUTING 1 -p udp --dport 4000 -j DNAT \
>     --to-destination 192.168.1.2:4000
> iptables -I FORWARD -p udp --dport 4000 -d 192.168.1.2 -j ACCEPT
>
> Neither of those rules is catching the packets; they all reach the
> 10.10.100.1 INPUT chain. Those rule counters are zero.
>
> If I do:
>
> iptables -t mangle -I PREROUTING 1 -p udp --dport 4000
>
> this rule catches the needed packets, but not in the NAT table! Why?
>
> I tried the same with TCP:
>
> iptables -t nat -I PREROUTING 1 -p tcp --dport 4000 -j DNAT \
>     --to-destination 192.168.1.2:4000
> iptables -I FORWARD -p tcp --dport 4000 -d 192.168.1.2 -j ACCEPT
>
> and this works fine, I can see packets at 192.168.1.2 when doing telnet
> 10.10.100.1 4000 from the localnet.
>
> Here is tcpdump from 10.10.100.1:
>
> # tcpdump -i br0 port 4000 -n
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
> 16:36:53.202130 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:54.092413 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:54.143128 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:55.291886 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:55.545621 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:55.743096 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74
>
> Once again, all those packets reach the INPUT chain; rules in -t nat -I
> PREROUTING are not working.
>
> So here is the question: Is UDP DNAT'ed differently compared with TCP?
> What is the difference? How can I DNAT them?
>
> Thanks in advance.
>
> P.S. This kind of UDP ping doesn't require a response, it's just to see
> which remote point is still alive.
>
--
Покотиленко Костик <casper@meteor.dp.ua>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
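An added illustration, not from the thread or its author, of a netfilter property that fits the symptoms above: the nat table is consulted only by the packet that creates a conntrack entry, so a DNAT rule inserted while the once-per-second UDP flow already has a live conntrack entry is never evaluated, whereas a mangle rule counts every packet (TCP from a fresh telnet always starts a new flow, which is why that test worked). The model itself, the 30 s UDP conntrack timeout, the rule insertion time and the pinger addresses are my assumptions.

```python
from dataclasses import dataclass, field

UDP_TIMEOUT = 30.0  # assumption: default nf_conntrack_udp_timeout, in seconds

@dataclass
class Conntrack:
    """Toy conntrack table: flow 5-tuple -> time of last packet seen."""
    entries: dict = field(default_factory=dict)

    def is_new(self, tup, now):
        """True if this packet creates a NEW entry (idle ones expire first)."""
        last = self.entries.get(tup)
        if last is not None and now - last > UDP_TIMEOUT:
            last = None  # entry timed out; this packet starts a new flow
        self.entries[tup] = now
        return last is None

    def flush(self):
        """Model of `conntrack -D` (conntrack-tools): drop all cached entries."""
        self.entries.clear()

@dataclass
class Router:
    ct: Conntrack = field(default_factory=Conntrack)
    nat_rule_active: bool = False
    mangle_hits: int = 0
    nat_hits: int = 0

    def prerouting(self, proto, src, sport, dst, dport, now):
        tup = (proto, src, sport, dst, dport)
        new = self.ct.is_new(tup, now)
        # mangle PREROUTING is traversed by every packet
        if proto == "udp" and dport == 4000:
            self.mangle_hits += 1
        # nat PREROUTING is traversed only by the packet that creates the flow;
        # later packets reuse the NAT decision cached on the conntrack entry
        if new and self.nat_rule_active and proto == "udp" and dport == 4000:
            self.nat_hits += 1

def simulate(rule_inserted_at=10.0, duration=60.0, interval=1.0, flush_at=None):
    """Constructed scenario: pinger 10.10.100.23 sends UDP 4000->4000 to
    10.10.100.1 every `interval` s; the DNAT rule is inserted at
    `rule_inserted_at`. Returns (mangle_hits, nat_hits)."""
    r, t, flushed = Router(), 0.0, False
    while t < duration:
        r.nat_rule_active = t >= rule_inserted_at
        if flush_at is not None and t >= flush_at and not flushed:
            r.ct.flush()
            flushed = True
        r.prerouting("udp", "10.10.100.23", 4000, "10.10.100.1", 4000, t)
        t += interval
    return r.mangle_hits, r.nat_hits
```

Clearing the entry (`conntrack -D -p udp --dport 4000` from conntrack-tools, modelled by `flush_at`) or a pause longer than the UDP timeout lets the next packet reach the nat rule; the simulation returns (60, 0) for the steady 1 s flow and (60, 1) once the entry is flushed.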