* UDP port redirect
@ 2007-07-31 23:04 thiago
  2007-08-01  6:07 ` Martijn Lievaart
  2007-08-01  7:05 ` Покотиленко Костик
  0 siblings, 2 replies; 5+ messages in thread
From: thiago @ 2007-07-31 23:04 UTC (permalink / raw)
  To: netfilter


Hello all,

I got a problem when redirecting a UDP port. The rules are:

# TCP port redirect - working fine:

iptables -t nat -A PREROUTING -i <ext_if> -p tcp -d <ext_ip> --dport 22 -j
DNAT -m state --state NEW --to <int_ip>:1194
iptables -A FORWARD -i <ext_if> -p tcp -d <int_ip> --dport 1194 -m state
--state NEW -j ACCEPT

# UDP port redirect - not going through

iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j
DNAT -m state --state NEW --to <int_ip>:1194
iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state
--state NEW -j ACCEPT

I hit the nat/prerouting rule, but never reach the filter/forward one.
As you can see the only change I've made from the tcp rule to udp rule, is
just the matching protocol.
I can debug it a little more, but also would like to hear from you guys if
you have any hints.

iptables v1.3.8
2.6.16.36-default

Thanks !

Thiago.




* Re: UDP port redirect
  2007-07-31 23:04 UDP port redirect thiago
@ 2007-08-01  6:07 ` Martijn Lievaart
  2007-08-01  7:05 ` Покотиленко Костик
  1 sibling, 0 replies; 5+ messages in thread
From: Martijn Lievaart @ 2007-08-01  6:07 UTC (permalink / raw)
  To: thiago; +Cc: netfilter

thiago@powers.com.br wrote:
> Hello all,
>
> I got a problem when redirecting a UDP port. The rules are:
>
> # TCP port redirect - working fine:
>
> iptables -t nat -A PREROUTING -i <ext_if> -p tcp -d <ext_ip> --dport 22 -j
> DNAT -m state --state NEW --to <int_ip>:1194
> iptables -A FORWARD -i <ext_if> -p tcp -d <int_ip> --dport 1194 -m state
> --state NEW -j ACCEPT
>
> # UDP port redirect - not going through
>
> iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j
> DNAT -m state --state NEW --to <int_ip>:1194
> iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state
> --state NEW -j ACCEPT
>
> I hit the nat/prerouting rule, but never reach the filter/forward one.
> As you can see the only change I've made from the tcp rule to udp rule, is
> just the matching protocol.
> I can debug it a little more, but also would like to hear from you guys if
> you have any hints.
>   

Not sure why this doesn't work, but you don't need the state match in 
the NAT rule.

iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j DNAT  --to <int_ip>:1194
iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state --state NEW -j ACCEPT


should work.

You may want to add an explicit LOG rule:

iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -j LOG --log-prefix "WRONG: "

or even

iptables -A FORWARD -p udp --dport 1194 -j LOG --log-prefix "WRONG: "


after the ACCEPT rule to debug this.

M4




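As an added example (not code from the thread or from netfilter itself), a small POSIX shell script that emits the ruleset Martijn's reply converges on: the state match dropped from the nat rule, a FORWARD accept for the translated destination plus an ESTABLISHED,RELATED rule for the return traffic, and his LOG rule placed after the ACCEPT so that anything reaching FORWARD but not accepted becomes visible. The interface eth0 and the addresses 203.0.113.10 / 192.168.10.254 are placeholders. By default it only prints the commands (DRY_RUN=1), so it runs without root; set DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): emit the DNAT ruleset the replies
# converge on, with the state match dropped from the nat rule and a LOG
# rule placed after the ACCEPT so unmatched packets become visible.
# Interface and addresses are placeholders; set DRY_RUN=0 to actually
# apply the rules as root.
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the iptables command, and execute it unless DRY_RUN=1
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# build_rules EXT_IF EXT_IP INT_IP EXT_PORT INT_PORT PROTO
# Prints (and optionally applies) the rules for one redirected port.
build_rules() {
    ext_if=$1 ext_ip=$2 int_ip=$3 ext_port=$4 int_port=$5 proto=$6

    # nat/PREROUTING is consulted only for the first packet of a conntrack
    # flow, so "-m state --state NEW" adds nothing here; the translation is
    # stored in the conntrack entry and reused for every later packet.
    run iptables -t nat -A PREROUTING -i "$ext_if" -p "$proto" \
        -d "$ext_ip" --dport "$ext_port" -j DNAT --to "$int_ip:$int_port"

    # filter/FORWARD sees the packet after DNAT, so match the translated
    # destination. Return traffic needs ESTABLISHED,RELATED to pass.
    run iptables -A FORWARD -i "$ext_if" -p "$proto" -d "$int_ip" \
        --dport "$int_port" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Debug rule after the ACCEPT: anything logged here reached FORWARD but
    # was not accepted by the rule above (wrong interface, state, etc.).
    run iptables -A FORWARD -p "$proto" --dport "$int_port" \
        -j LOG --log-prefix "WRONG: "
}

# check_rules: the two properties a reviewer would verify on the output:
# no state match in the nat table, and LOG ordered after the ACCEPT.
check_rules() {
    rules=$(build_rules eth0 203.0.113.10 192.168.10.254 22 1194 udp)
    printf '%s\n' "$rules" | grep -- '-t nat' | grep -q -- '--state' && return 1
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | head -1 | cut -d: -f1)
    log_line=$(printf '%s\n' "$rules" | grep -n -- '-j LOG' | cut -d: -f1)
    [ "$log_line" -gt "$accept_line" ]
}

build_rules eth0 203.0.113.10 192.168.10.254 22 1194 udp
```

Counters on the LOG rule (`iptables -L FORWARD -n -v`) then tell you whether the packet reached FORWARD at all: a zero counter on both the ACCEPT and the LOG rule, as in Thiago's output further down, means the packet never got to the filter table after DNAT, which points at conntrack or routing rather than at the filter rules.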

* Re: UDP port redirect
  2007-07-31 23:04 UDP port redirect thiago
  2007-08-01  6:07 ` Martijn Lievaart
@ 2007-08-01  7:05 ` Покотиленко Костик
  1 sibling, 0 replies; 5+ messages in thread
From: Покотиленко Костик @ 2007-08-01  7:05 UTC (permalink / raw)
  To: thiago; +Cc: netfilter

On Tue, 31/07/2007 at 20:04 -0300, thiago@powers.com.br wrote:
> Hello all,
> 
> I got a problem when redirecting a UDP port. The rules are:
> 
> # TCP port redirect - working fine:
> 
> iptables -t nat -A PREROUTING -i <ext_if> -p tcp -d <ext_ip> --dport 22 -j
> DNAT -m state --state NEW --to <int_ip>:1194
> iptables -A FORWARD -i <ext_if> -p tcp -d <int_ip> --dport 1194 -m state
> --state NEW -j ACCEPT

"-m state --state NEW" - what is this for? The nat table only sees packets
initiating a connection, doesn't it?

> # UDP port redirect - not going through
> 
> iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j
> DNAT -m state --state NEW --to <int_ip>:1194
> iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state
> --state NEW -j ACCEPT

You're accepting NEW packets in the filter table; consider making sure the rest
would pass through as well.

> I hit the nat/prerouting rule, but never reach the filter/forward one.
> As you can see the only change I've made from the tcp rule to udp rule, is
> just the matching protocol.
> I can debug it a little more, but also would like to hear from you guys if
> you have any hints.

Also, I've experienced a situation with UDP where the nat rules don't match because
there was such a connection before the rule was inserted and conntrack had already
seen it and was tracking it. UDP connection tracking (since it's a connectionless
protocol) goes by src/dst ports. Packets can belong to different
"connections". The solution for me was to stop the UDP connection for several
minutes to make conntrack forget it and then try again.

> iptables v1.3.8
> 2.6.16.36-default
> 
> Thanks !
> 
> Thiago.
> 
> 
> 
-- 
Покотиленко Костик <casper@meteor.dp.ua>



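The stale-entry case described above can be checked directly rather than waited out. The following is an added example (not from the thread): a POSIX shell function that scans a conntrack table dump in the /proc/net/ip_conntrack line format of 2.6.16-era kernels and prints every UDP entry whose original destination port is the redirected one but whose reply tuple still has the external address as source, i.e. a flow that conntrack created before the DNAT rule existed and that the nat table will therefore never translate. The conntrack lines embedded in the script are constructed sample data; the addresses, the /proc path, the conntrack(8) utility from conntrack-tools and the ip_conntrack_udp_timeout tunable names are assumptions about the environment, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find UDP conntrack entries created
# before a DNAT rule was inserted. nat/PREROUTING is consulted only for the
# first packet of a flow; a flow conntrack already knows keeps its old,
# untranslated mapping until it times out, so the new DNAT rule is never
# hit for it. Parses the /proc/net/ip_conntrack format of 2.6.16-era
# kernels. Addresses below are constructed sample data.

# untranslated_udp_flows EXT_PORT INT_IP   (conntrack dump on stdin)
# Prints every udp entry whose original dport is EXT_PORT but whose reply
# tuple's src is not INT_IP, i.e. a flow that is not being DNATed.
untranslated_udp_flows() {
    awk -v port="$1" -v int_ip="$2" '
        $1 != "udp" { next }
        {
            # first src=/dst=/sport=/dport= group is the original
            # direction, the second group is the reply direction
            n = 0; reply_src = ""; orig_dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/) { n++; if (n == 2) reply_src = substr($i, 5) }
                if ($i ~ /^dport=/ && orig_dport == "") orig_dport = substr($i, 7)
            }
            if (orig_dport == port && reply_src != int_ip) print
        }'
}

# Constructed sample: one stale entry (reply src is still the external
# address 203.0.113.10), one correctly DNATed entry (reply src is the
# internal host on port 1194), and one unrelated TCP entry.
SAMPLE_CONNTRACK='udp      17 170 src=198.51.100.7 dst=203.0.113.10 sport=40001 dport=22 packets=3 bytes=210 src=203.0.113.10 dst=198.51.100.7 sport=22 dport=40001 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=198.51.100.8 dst=203.0.113.10 sport=40002 dport=22 packets=1 bytes=70 src=192.168.10.254 dst=198.51.100.8 sport=1194 dport=40002 packets=0 bytes=0 mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.9 dst=203.0.113.10 sport=50000 dport=22 src=192.168.10.254 dst=198.51.100.9 sport=1194 dport=50000 [ASSURED] mark=0 use=1'

# count_stale: number of stale entries in the sample (1 for the data above)
count_stale() {
    printf '%s\n' "$SAMPLE_CONNTRACK" \
        | untranslated_udp_flows 22 192.168.10.254 | wc -l | tr -d ' '
}

# live_check EXT_PORT INT_IP: same scan against the running kernel.
# Assumed: /proc/net/ip_conntrack (2.6.16; newer kernels expose
# /proc/net/nf_conntrack) and, optionally, conntrack(8) from conntrack-tools
# to delete the stale entries instead of waiting for
# /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout{,_stream} to expire.
live_check() {
    [ -r /proc/net/ip_conntrack ] || return 0
    untranslated_udp_flows "$1" "$2" </proc/net/ip_conntrack
    # conntrack -D -p udp --dport "$1"    # drop them instead of waiting
}

count_stale
```

If the scan prints anything, the DNAT rule is fine and the problem is the pre-existing flow: stop the sender until the entry ages out, shorten the UDP timeouts under /proc/sys/net/ipv4/netfilter/, or delete the entries with conntrack-tools where available. An empty result while the nat rule counter still increments and FORWARD sees nothing points elsewhere (routing or rp_filter on the box, for instance), which the thread does not resolve.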

* Re: UDP port redirect
@ 2007-08-01 12:52 Thiago Lucas
  0 siblings, 0 replies; 5+ messages in thread
From: Thiago Lucas @ 2007-08-01 12:52 UTC (permalink / raw)
  To: netfilter

Покотиленко Костик <casper@meteor.dp.ua> wrote on 01/08/2007 04:05:05:

> On Tue, 31/07/2007 at 20:04 -0300, thiago@powers.com.br wrote:
> > Hello all,
> > 
> > I got a problem when redirecting a UDP port. The rules are:
> > 
> > # TCP port redirect - working fine:
> > 
> > iptables -t nat -A PREROUTING -i <ext_if> -p tcp -d <ext_ip> --dport 22 -j
> > DNAT -m state --state NEW --to <int_ip>:1194
> > iptables -A FORWARD -i <ext_if> -p tcp -d <int_ip> --dport 1194 -m state
> > --state NEW -j ACCEPT
> 
> "-m state --state NEW" - what is this for? The nat table only sees packets
> initiating a connection, doesn't it?

You got it right, there's no need for that. I made that change in a
previous search & replace... forget about it.


> 
> > # UDP port redirect - not going through
> > 
> > iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j
> > DNAT -m state --state NEW --to <int_ip>:1194
> > iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state
> > --state NEW -j ACCEPT
> 
> You're accepting NEW packets in the filter table; consider making sure the rest
> would pass through as well.

Good reminder, but it is stateful, for sure.

> 
> > I hit the nat/prerouting rule, but never reach the filter/forward one.
> > As you can see the only change I've made from the tcp rule to udp rule, is
> > just the matching protocol.
> > I can debug it a little more, but also would like to hear from you guys if
> > you have any hints.
> 
> Also, I've experienced a situation with UDP where the nat rules don't match because
> there was such a connection before the rule was inserted and conntrack had already
> seen it and was tracking it. UDP connection tracking (since it's a connectionless
> protocol) goes by src/dst ports. Packets can belong to different
> "connections". The solution for me was to stop the UDP connection for several
> minutes to make conntrack forget it and then try again.

Had the same (not pleasant) experience with that before, too. Conntrack 
tunables in /proc/sys/net/ipv4/netfilter/ helped me a lot.


Thanks anyway !



* Re: UDP port redirect
@ 2007-08-01 12:52 Thiago Lucas
  0 siblings, 0 replies; 5+ messages in thread
From: Thiago Lucas @ 2007-08-01 12:52 UTC (permalink / raw)
  To: netfilter

Hello Martijn,


Martijn Lievaart <m@rtij.nl> wrote on 01/08/2007 03:07:23:

> Not sure why this doesn't work, but you don't need the state match in 
> the NAT rule.

That state match in nat/prerouting, my mistake... it shouldn't be there.
But I don't believe that was the problem, as it just does nothing.

> iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j DNAT  --to <int_ip>:1194
> iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state --state NEW -j ACCEPT
> 
> should work.

It should ! :-)

> 
> You may want to add an explicit LOG rule:
> 
> iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -j LOG --log-prefix "WRONG: "
> 
> or even
> 
> iptables -A FORWARD -p udp --dport 1194 -j LOG --log-prefix "WRONG: "


The connection never goes through :/

fw:/etc/iptables # iptables -t nat -L PREROUTING -n -v | grep -E 'udp.*22.*1194'
    1    70 DNAT       udp  --  eth0   *       0.0.0.0/0 <ext_ip> udp dpt:22 to:192.168.10.254:1194

fw:/etc/iptables # iptables -L FORWARD -n -v | grep -E 'LOG.*udp.*1194'
    0     0 LOG        udp  --  eth0   *       0.0.0.0/0 192.168.10.254  udp dpt:1194 LOG flags 0 level 4 prefix `WRONG: '

> 
> 
> after the ACCEPT rule to debug this.
> 
> M4
> 
> 



