Re: UDP port redirect

[Martijn Lievaart <m@rtij.nl>]

thiago@powers.com.br wrote:
> Hello all,
>
> I got a problem when redirecting a UDP port. The rules are:
>
> # TCP port redirect - working fine:
>
> iptables -t nat -A PREROUTING -i <ext_if> -p tcp -d <ext_ip> --dport 22 -j
> DNAT -m state --state NEW --to <int_ip>:1194
> iptables -A FORWARD -i <ext_if> -p tcp -d <int_ip> --dport 1194 -m state
> --state NEW -j ACCEPT
>
> # UDP port redirect - not going through
>
> iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j
> DNAT -m state --state NEW --to <int_ip>:1194
> iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state
> --state NEW -j ACCEPT
>
> I hit the nat/prerouting rule, but never reach the filter/forward one.
> As you can see the only change I've made from the tcp rule to udp rule, is
> just the matching protocol.
> I can debug it a little more, but also would like to hear from you guys if
> you have any hints.
>   

Not sure why this doesn't work, but you don't need the state match in 
the NAT rule.

iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j DNAT  --to <int_ip>:1194
iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state --state NEW -j ACCEPT


should work.

You may want to add an explicit LOG rule:

iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -j LOG --log-prefix "WRONG: "

or even

iptables -A FORWARD -p udp --dport 1194 -j LOG --log-prefix "WRONG: "


after the ACCEPT rule to debug this.

M4