Problem with NAT rule

Problem with NAT rule

[Pete Kay]

Hi,

I would like to setup my iptable rules to forward udp packet from one
device to another:

192.168.1.100:16385  <---------> 192.168.1.114:29848 :: 192.168.1.200
:29850  <----------> 192.168.1.300:10112

What I want to do is forward all packets from 192.168.1.100:16385 to
192.168.1.300:10112 and all packets from 192.168.1.300:10112 to
192.168.1.100:16385

Here is my iptables rule:


Building chain index
Number of user defined chains:0 bucket_sz:40 array_sz:0
iptc_first_chain: : returning `PREROUTING'
iptc_get_policy: called for chain PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
iptc_first_rule: first rule(PREROUTING): 0xc02ac0
WARNING: handle->chain_index_sz == 0
DNAT       udp  --  192.168.1.100         anywhere            udp
spt:16385 to:192.168.1.300:10112
iptc_next_rule: rule_iterator_cur=0xc02d00...next=0xc02e20,
head=0xc02a90...returning rule 0xc02e20
WARNING: handle->chain_index_sz == 0
DNAT       udp  --  192.168.1.300         anywhere            udp
spt:10112 to:192.168.1.100:16385
iptc_next_rule: rule_iterator_cur=0xc02e20...next=0xc02a90,
head=0xc02a90...finished, returning NULL
iptc_next_chain: : returning `POSTROUTING'

iptc_get_policy: called for chain POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
iptc_first_rule: first rule(POSTROUTING): 0xc030b0

WARNING: handle->chain_index_sz == 0
SNAT       udp  --  192.168.1.100         anywhere            udp
spt:16385 to:192.168.1.200:29848
iptc_next_rule: rule_iterator_cur=0xc032f0...next=0xc03410,
head=0xc03080...returning rule 0xc03410
WARNING: handle->chain_index_sz == 0
SNAT       udp  --  192.168.1.300         anywhere            udp
spt:10112 to:192.168.1.200:29850
iptc_next_rule: rule_iterator_cur=0xc03410...next=0xc03080,
head=0xc03080...finished, returning NULL
iptc_next_chain: : returning `OUTPUT'

iptc_get_policy: called for chain OUTPUT

===========
When I send packet from the two devices, I am just getting packets
going into 192.168.1.200 instead of any packet going out:

20:57:57.765252 IP 192.168.1.300:10112 > 192.168.1.200 :29850: udp/rtp
160 c0  11386 1869684
20:57:57.784333 IP 192.168.1.100:16385 > 192.168.1.200 :29848: udp/rtp
240 c0  17019 125650088
20:57:57.785250 IP 192.168.1.300:10112 > 192.168.1.200 :29850: udp/rtp
160 c0  11387 1869844
20:57:57.805246 IP 192.168.1.300:10112 > 192.168.1.200 :29850: udp/rtp
160 c0  11388 1870004
20:57:57.815415 IP 192.168.1.100:16385 > 192.168.1.200 :29848: udp/rtp
240 c0  17020 125650328
20:57:57.825249 IP 192.168.1.300:10112 > 192.168.1.200 :29850: udp/rtp
160 c0  11389 1870164
20:57:57.843951 IP 192.168.1.100:16385 > 192.168.1.200 :29848: udp/rtp
240 c0  17021 125650568
20:57:57.845247 IP 192.168.1.300:10112 > 192.168.1.200 :29850: udp/rtp
160 c0  11390 1870324
20:57:57.865242 IP 192.168.1.300:10112 > 192.168.1.200 :29850: udp/rtp
160 c0  11391 1870484
20:57:57.874332 IP 192.168.1.100:16385 > 192.168.1.200 :29848: udp/rtp
240 c0  17022 125650808
20:57:57.885242 IP 192.168.1.300:10112 > 192.168.1.200 :29850: udp/rtp
160 c0  11392 1870644
20:57:57.903563 IP 192.168.1.100:16385 > 192.168.1.200 :29848: udp/rtp
240 c0  17023 125651048
20:57:57.905242 IP 192.168.1.300:10112 > 192.168.1.200 :29850: udp/rtp
160 c0  11393 1870804
20:57:57.925240 IP 192.168.1.300:10112 > 192.168.1.200 :29850: udp/rtp
160 c0  11394 1870964
20:57:57.935888 IP 192.168.1.100:16385 > 192.168.1.200 :29848: udp/rtp
240 c0  17024 125651288
20:57:57.945240 IP 192.168.1.300:10112 > 192.168.1.200 :29850: udp/rtp
160 c0  11395 1871124
20:57:57.964250 IP 192.168.1.100:16385 > 192.168.1.200 :29848: udp/rtp
240 c0  17025 125651528
20:57:57.965238 IP 192.168.1.300:10112 > 192.168.1.200 :29850: udp/rtp
160 c0  11396 1871284
20:57:57.985233 IP 192.168.1.300:10112 > 192.168.1.200 :29850: udp/rtp
160 c0  11397 1871444


Can someone please help me to put out the problem in my iptable rules?

thanks,
P

Re: Problem with NAT rule

[Jan Engelhardt]

On Saturday 2010-07-24 15:41, Pete Kay wrote:

>Hi,
>
>I would like to setup my iptable rules to forward udp packet from one
>device to another:
>
>192.168.1.100:16385  <---------> 192.168.1.114:29848 :: 192.168.1.200
>:29850  <----------> 192.168.1.300:10112
>
>What I want to do is forward all packets from 192.168.1.100:16385 to
>192.168.1.300:10112 and all packets from 192.168.1.300:10112 to
>192.168.1.100:16385
>
>Here is my iptables rule:


Routing does forwarding; nf_nat does NAT, those are two separate things.

Re: Problem with NAT rule

[Pete Kay]

Hi Jan,

Sorry I am new to iptables setup.  Could you give me some insight as
to how I can configure iptables to achieve the packet forwarding
function?

thanks,
P

On Sat, Jul 24, 2010 at 9:51 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Saturday 2010-07-24 15:41, Pete Kay wrote:
>
>>Hi,
>>
>>I would like to setup my iptable rules to forward udp packet from one
>>device to another:
>>
>>192.168.1.100:16385  <---------> 192.168.1.114:29848 :: 192.168.1.200
>>:29850  <----------> 192.168.1.300:10112
>>
>>What I want to do is forward all packets from 192.168.1.100:16385 to
>>192.168.1.300:10112 and all packets from 192.168.1.300:10112 to
>>192.168.1.100:16385
>>
>>Here is my iptables rule:
>
>
> Routing does forwarding; nf_nat does NAT, those are two separate things.
>
>

Re: Problem with NAT rule

[Pieter Smit]

A couple of questions.

1. You have 3 devices, with the  FW with two interfaces 192.168.1.114
and 192.168.1.200 in each subnet ?

2. The two outside hosts will connect to udp ports on the FW device
that will be translated to the other device ?

3. Is the udp streams in one direction ?  Does it matter to the udp
receiver where the packet comes from or will it always send return
traffic to the FW ip ?

Cheers,
Pieter

On Sat, Jul 24, 2010 at 3:41 PM, Pete Kay <petedao@gmail.com> wrote:
> Hi,
>
> I would like to setup my iptable rules to forward udp packet from one
> device to another:
>
> 192.168.1.100:16385  <---------> 192.168.1.114:29848 :: 192.168.1.200
> :29850  <----------> 192.168.1.300:10112
>
> What I want to do is forward all packets from 192.168.1.100:16385 to
> 192.168.1.300:10112 and all packets from 192.168.1.300:10112 to
> 192.168.1.100:16385
>

Re: Problem with NAT rule

[ZHOU Xiaobo]

I think you should use IPROUTE2 instead of IPTABLES.


----- Original Message -----
From: "Pete Kay" <petedao@gmail.com>
To: "Jan Engelhardt" <jengelh@medozas.de>
Cc: netfilter@vger.kernel.org
Sent: 2010年 7 月 24日, 星期六 下午 10:09:46 GMT +08:00 Beijing / Chongqing / Hong Kong / Urumqi
Subject: Re: Problem with NAT rule

Hi Jan,

Sorry I am new to iptables setup.  Could you give me some insight as
to how I can configure iptables to achieve the packet forwarding
function?

thanks,
P

On Sat, Jul 24, 2010 at 9:51 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Saturday 2010-07-24 15:41, Pete Kay wrote:
>
>>Hi,
>>
>>I would like to setup my iptable rules to forward udp packet from one
>>device to another:
>>
>>192.168.1.100:16385  <---------> 192.168.1.114:29848 :: 192.168.1.200
>>:29850  <----------> 192.168.1.300:10112
>>
>>What I want to do is forward all packets from 192.168.1.100:16385 to
>>192.168.1.300:10112 and all packets from 192.168.1.300:10112 to
>>192.168.1.100:16385
>>
>>Here is my iptables rule:
>
>
> Routing does forwarding; nf_nat does NAT, those are two separate things.
>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Problem with NAT rule

[Pete Kay]

On Sun, Jul 25, 2010 at 12:13 AM, Pieter Smit <mlist2010@vigor.co.za> wrote:
> A couple of questions.
>
> 1. You have 3 devices, with the  FW with two interfaces 192.168.1.114
> and 192.168.1.200 in each subnet ?
>

Hi, The FW device only has one interface and it should all be
192.168.1.200.  It was a typo.  The redirector should only have one
interface with ip 192.168.1.200.

> 2. The two outside hosts will connect to udp ports on the FW device
> that will be translated to the other device ?

yes

>
> 3. Is the udp streams in one direction ?  Does it matter to the udp
> receiver where the packet comes from or will it always send return
> traffic to the FW ip ?
>

Yes, the udp is for both direction.  The FW ip ( 192.168.1.200) should
just redirect packets from one to another and vice versa.


> Cheers,
> Pieter
>
> On Sat, Jul 24, 2010 at 3:41 PM, Pete Kay <petedao@gmail.com> wrote:
>> Hi,
>>
>> I would like to setup my iptable rules to forward udp packet from one
>> device to another:
>>
>> 192.168.1.100:16385  <---------> 192.168.1.114:29848 :: 192.168.1.200
>> :29850  <----------> 192.168.1.300:10112
>>
>> What I want to do is forward all packets from 192.168.1.100:16385 to
>> 192.168.1.300:10112 and all packets from 192.168.1.300:10112 to
>> 192.168.1.100:16385
>>
>