From: Enrique Huerta de la Fuente <ehuerta@ixer.mx>
To: Sven-Haegar Koch <haegar@sdinet.de>
Cc: SamLT <sam@sltosis.org>,
netfilter@vger.kernel.org, Andrew Beverley <andy@andybev.com>
Subject: Re: iptables udp 1195 MASQUERADE
Date: Wed, 15 Feb 2012 12:04:38 -0600 (CST) [thread overview]
Message-ID: <23836786.3322.1329329078381.JavaMail.root@ixer.mx> (raw)
In-Reply-To: <25775146.3320.1329329075047.JavaMail.root@ixer.mx>
> On Tue, 14 Feb 2012, Enrique Huerta de la Fuente wrote:
>
> > The problem is that the MASQUERADE rule does not work with UDP(1195).
> >
> > Any idea?
>
> One thing to check out, took me a whole day to figure out with openvpn
> udp traffic to port 1194 not beeing masqueraded in some "random" cases:
>
> Does the connection to your port 1195 exist before the filewall rulesets
> are loaded first after boot? - one packet before the rule setup may be
> enough. Once a connection with the same sip+sport+dip+dport has been
> added to the conntrack list their masquerading/SNAT/DNAT state is not
> changed again - and with the "virtual" udp connection they can stay
> alive quite a while.
>
> Perhaps try just flushing the whole connection-tracking table and see if
> it starts working afterwards:
>
> conntrack -F conntrack ; conntrack -F expect
>
> c'ya
> sven-haegar
>
> -- Three may keep a secret, if two of them are dead.
> - Ben F.
Hello Sven-Haegar, yes, exist the connection to port 1195 before the firewall rulesets.
udp 17 179 src=38.124.170.14 dst=38.124.170.25 sport=1195 dport=1195 packets=496310 bytes=132295480 src=38.124.170.25 dst=38.124.170.14 sport=1195 dport=1195 packets=664491 bytes=169869224 [ASSURED] mark=0 secmark=0 use=1
I try the NOTRACK target, but I have to wait the time to live of the connection tracking to apply the new rules:
iptables -t raw -I PREROUTING -p udp --sport 1195 -j NOTRACK
iptables -t raw -I OUTPUT -p udp --dport 1195 -j NOTRACK
iptables -t raw -I PREROUTING -p udp --dport 1195 -j NOTRACK
I wait 179 secs and ...
iptables -t raw -D PREROUTING -p udp --sport 1195 -j NOTRACK
iptables -t raw -D OUTPUT -p udp --dport 1195 -j NOTRACK
iptables -t raw -D PREROUTING -p udp --dport 1195 -j NOTRACK
With this, I can apply the rule MASQUERADE and works very well. Now, I have to install conntrack-tools for delete the connection tracking very quicly.
Thanks very much, I really appreciate your help, I was desperate because i did not know why not working.
E.Huerta
next parent reply other threads:[~2012-02-15 18:04 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <25775146.3320.1329329075047.JavaMail.root@ixer.mx>
2012-02-15 18:04 ` Enrique Huerta de la Fuente [this message]
[not found] <5260549.3200.1329242426858.JavaMail.root@ixer.mx>
2012-02-14 18:05 ` iptables udp 1195 MASQUERADE Enrique Huerta de la Fuente
2012-02-14 22:41 ` Sven-Haegar Koch
[not found] <19323396.2950.1328898736467.JavaMail.root@ixer.mx>
2012-02-10 18:36 ` Enrique Huerta de la Fuente
2012-02-10 20:05 ` Andrew Beverley
2012-02-10 22:55 ` Enrique Huerta de la Fuente
2012-02-11 9:13 ` SamLT
2012-02-14 17:18 ` Enrique Huerta de la Fuente
[not found] <5634144.2926.1328853844897.JavaMail.root@ixer.mx>
2012-02-10 6:05 ` Enrique Huerta de la Fuente
2012-02-10 15:57 ` Andrew Beverley
[not found] <26800503.2896.1328827967506.JavaMail.root@ixer.mx>
2012-02-10 5:44 ` Enrique Huerta de la Fuente
[not found] <13902251.2734.1328591255561.JavaMail.root@ixer.mx>
2012-02-07 5:12 ` Enrique Huerta de la Fuente
2012-02-09 20:48 ` Andrew Beverley
[not found] <13116495.2023.1327446410284.JavaMail.root@ixer.mx>
2012-01-24 23:34 ` Enrique Huerta de la Fuente
2012-02-04 19:58 ` Andrew Beverley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=23836786.3322.1329329078381.JavaMail.root@ixer.mx \
--to=ehuerta@ixer.mx \
--cc=andy@andybev.com \
--cc=haegar@sdinet.de \
--cc=netfilter@vger.kernel.org \
--cc=sam@sltosis.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.