From: Martijn Lievaart
Subject: Re: UDP port redirect
Date: Wed, 01 Aug 2007 08:07:23 +0200
Message-ID: <46B0231B.9050507@rtij.nl>
To: thiago@powers.com.br
Cc: netfilter@lists.netfilter.org

thiago@powers.com.br wrote:
> Hello all,
>
> I got a problem when redirecting a UDP port. The rules are:
>
> # TCP port redirect - working fine:
>
> iptables -t nat -A PREROUTING -i -p tcp -d --dport 22 -j DNAT -m state --state NEW --to :1194
> iptables -A FORWARD -i -p tcp -d --dport 1194 -m state --state NEW -j ACCEPT
>
> # UDP port redirect - not going through
>
> iptables -t nat -A PREROUTING -i -p udp -d --dport 22 -j DNAT -m state --state NEW --to :1194
> iptables -A FORWARD -i -p udp -d --dport 1194 -m state --state NEW -j ACCEPT
>
> I hit the nat/prerouting rule, but never reach the filter/forward one.
> As you can see, the only change I've made from the tcp rule to the udp rule is
> just the matching protocol.
> I can debug it a little more, but also would like to hear from you guys if
> you have any hints.
>

Not sure why this doesn't work, but you don't need the state match in the NAT rule.

iptables -t nat -A PREROUTING -i -p udp -d --dport 22 -j DNAT --to :1194
iptables -A FORWARD -i -p udp -d --dport 1194 -m state --state NEW -j ACCEPT

should work.

You may want to add an explicit LOG rule:

iptables -A FORWARD -i -p udp -d --dport 1194 -j LOG --log-prefix "WRONG: "

or even

iptables -A FORWARD -p udp --dport 1194 -j LOG --log-prefix "WRONG: "

after the ACCEPT rule to debug this.

M4