Update delay when using nat table?

Update delay when using nat table?

[Sheepa]

Hello, im trying to redirect a port based in source ip like this:
iptables -t nat -A PREROUTING -p udp --dport 777 -j REDIRECT --to-port 
888 -s x.x.x.x

Notice that i will have services listening on both ports. Allthough this 
works it takes several minutes for it to take effect. And it doesn't seem to 
take effect at all if i keep sending packages to port 777 here in the 
example. How can i make it take effect instantly? Or is thier any other way 
of doing this (redirecting a port locally) on a debian squeeze machine?

Thanks,
Sheepa 

Re: Update delay when using nat table?

[Sheepa]

That is probably the case.
How would someone remove an entry (based on IP and port)?

Also, I plan on having around 10k rules like this, currently the packets are
just dropped. Are there any better way (performance wise) of doing this?

Thanks,
Sheepa


----- Original Message ----- 
From: "François Legal" <devel@thom.fr.eu.org>
To: "Sheepa" <sheepa@sheepa.org>
Sent: Thursday, March 11, 2010 3:56 PM
Subject: Re: Update delay when using nat table?


>I guess that is because there is already a conntrack entry for the packets
> that you're sending to port 777. You can confirm this by checking
> /proc/net/nf_conntrack
>
> If my guess is correct, you have to remove the entry (or even flush the
> entire table) from conntrack with the "conntrack" tool.
>
> François
>
> On Thu, 11 Mar 2010 01:42:23 +0100, "Sheepa" <sheepa@sheepa.org> wrote:
>> Hello, im trying to redirect a port based in source ip like this:
>> iptables -t nat -A PREROUTING -p udp --dport 777 -j REDIRECT --to-port
>> 888 -s x.x.x.x
>>
>> Notice that i will have services listening on both ports. Allthough this
>
>> works it takes several minutes for it to take effect. And it doesn't
> seem
>> to
>> take effect at all if i keep sending packages to port 777 here in the
>> example. How can i make it take effect instantly? Or is thier any other
>> way
>> of doing this (redirecting a port locally) on a debian squeeze machine?
>>
>> Thanks,
>> Sheepa
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html 

Re: Update delay when using nat table?

[Sheepa]

ipset looks intresting but I've no experience of patching the kernel. I did 
run an aptitude install ipset.

ipset -H
I'm of protocol version 2.
Kernel module is not loaded in, cannot verify kernel version.
ipset v2.5.0
...

What needs to be done here? I've tried googling around but there's not that 
much information available.

Thanks,
Sheepa

----- Original Message ----- 
From: "François Legal" <devel@thom.fr.eu.org>
To: "Sheepa" <sheepa@sheepa.org>
Sent: Thursday, March 11, 2010 5:40 PM
Subject: Re: Update delay when using nat table?


> So to remove the conntrack entries, you can use the conntrack command (it
> is available in some debian package) that uses (I'm not sure) the netlink
> interface to netfilter (so you must have that enabled in your kernel).
>
> For the 10k entries (I guess it's about different -s X.X.X.X entries), you
> may use ipset.
>
> François
>
> PS: please post back to the list when you have something working to share
> with other.
>
> On Thu, 11 Mar 2010 17:11:10 +0100, "Sheepa" <sheepa@sheepa.org> wrote:
>> That is probably the case.
>> How would someone remove an entry (based on IP and port)?
>>
>> Also, I plan on having around 10k rules like this, currently the packets
>> are
>> just dropped. Are there any better way (performance wise) of doing this?
>>
>> Thanks,
>> Sheepa
>>
>> ----- Original Message ----- 
>> From: "François Legal" <devel@thom.fr.eu.org>
>> To: "Sheepa" <sheepa@sheepa.org>
>> Sent: Thursday, March 11, 2010 3:56 PM
>> Subject: Re: Update delay when using nat table?
>>
>>
>>>I guess that is because there is already a conntrack entry for the
> packets
>>> that you're sending to port 777. You can confirm this by checking
>>> /proc/net/nf_conntrack
>>>
>>> If my guess is correct, you have to remove the entry (or even flush the
>>> entire table) from conntrack with the "conntrack" tool.
>>>
>>> François
>>>
>>> On Thu, 11 Mar 2010 01:42:23 +0100, "Sheepa" <sheepa@sheepa.org> wrote:
>>>> Hello, im trying to redirect a port based in source ip like this:
>>>> iptables -t nat -A PREROUTING -p udp --dport 777 -j REDIRECT --to-port
>>>> 888 -s x.x.x.x
>>>>
>>>> Notice that i will have services listening on both ports. Allthough
> this
>>>
>>>> works it takes several minutes for it to take effect. And it doesn't
>>> seem
>>>> to
>>>> take effect at all if i keep sending packages to port 777 here in the
>>>> example. How can i make it take effect instantly? Or is thier any
> other
>>>> way
>>>> of doing this (redirecting a port locally) on a debian squeeze
> machine?
>>>>
>>>> Thanks,
>>>> Sheepa
>>>> --
>>>> To unsubscribe from this list: send the line "unsubscribe netfilter"
> in
>>>> the body of a message to majordomo@vger.kernel.org
>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html 

Re: Update delay when using nat table?

[Mart Frauenlob]

On 11.03.2010 19:41, netfilter-owner@vger.kernel.org wrote:
> ipset looks intresting but I've no experience of patching the kernel. I
> did run an aptitude install ipset.
> 
> ipset -H
> I'm of protocol version 2.
> Kernel module is not loaded in, cannot verify kernel version.
> ipset v2.5.0
> ...
> 
> What needs to be done here? I've tried googling around but there's not
> that much information available.
> 

Please switch to bottom posting...

If on debian, you may need to install netfilter-extensions-modules.

Mart

Re: Update delay when using nat table?

[Sheepa]

> On 11.03.2010 19:41, netfilter-owner@vger.kernel.org wrote:
>> ipset looks intresting but I've no experience of patching the kernel. I
>> did run an aptitude install ipset.
>>
>> ipset -H
>> I'm of protocol version 2.
>> Kernel module is not loaded in, cannot verify kernel version.
>> ipset v2.5.0
>> ...
>>
>> What needs to be done here? I've tried googling around but there's not
>> that much information available.
>>
>
> Please switch to bottom posting...
>
> If on debian, you may need to install netfilter-extensions-modules.
>
> Mart
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

----- Original Message ----- 
From: "Mart Frauenlob" <mart.frauenlob@chello.at>
To: <netfilter@vger.kernel.org>
Sent: Thursday, March 11, 2010 10:59 PM
Subject: Re: Update delay when using nat table?

Ok, sorry.

The only package like that is:
netfilter-extensions-source                                            - 
source for netfilter kernel modules derived from patch-o-matic-ng

Source files only I guess.

---

However, i did get conntrack to work. Running this command after i've 
updated iptables does the trick:
conntrack -D -p udp --dport 777 --src x.x.x.x

This might seem like a noob question. But isn't UDP connectionless? Why/How 
does it keep track of those connections?

Thanks,
Sheepa 

Re: Update delay when using nat table?

[Mart Frauenlob]

On 12.03.2010 04:56, netfilter-owner@vger.kernel.org wrote:
>> On 11.03.2010 19:41, netfilter-owner@vger.kernel.org wrote:
>>> ipset looks intresting but I've no experience of patching the kernel. I
>>> did run an aptitude install ipset.
>>>
>>> ipset -H
>>> I'm of protocol version 2.
>>> Kernel module is not loaded in, cannot verify kernel version.
>>> ipset v2.5.0
>>> ...
>>>
>>> What needs to be done here? I've tried googling around but there's not
>>> that much information available.
>>>
>>
>> Please switch to bottom posting...
>>
>> If on debian, you may need to install netfilter-extensions-modules.
>>
>> Mart
>> -- 
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> ----- Original Message ----- From: "Mart Frauenlob"
> <mart.frauenlob@chello.at>
> To: <netfilter@vger.kernel.org>
> Sent: Thursday, March 11, 2010 10:59 PM
> Subject: Re: Update delay when using nat table?
> 
> Ok, sorry.
> 
> The only package like that is:
> netfilter-extensions-source                                            -
> source for netfilter kernel modules derived from patch-o-matic-ng
> 
> Source files only I guess.

eris:~# aptitude search "netfilter-extensions*"
v   netfilter-extensions-modules
       -
i   netfilter-extensions-modules-2.6.26-2-686
       - netfilter-extensions modules for Linux (kernel 2.6.26-2-686).
i   netfilter-extensions-source
       - source for netfilter kernel modules derived from patch-o-matic-ng

those are what I have on debian 5.0.4.

> 
> ---
> 
> However, i did get conntrack to work. Running this command after i've
> updated iptables does the trick:
> conntrack -D -p udp --dport 777 --src x.x.x.x
> 
> This might seem like a noob question. But isn't UDP connectionless?
> Why/How does it keep track of those connections?

http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#STATEMACHINE


Regards

Mart

Re: Update delay when using nat table?

[Sheepa]

> If you have the kernel build tree, you could simply download ipset from
> their site ipset.netfilter.org and run make. It works seemlessly.
> Otherwise, there is the netfilter-extension-source debian package but I
> don't know the requirements for this.
>
> François

----- Original Message ----- 
From: "François Legal" <devel@thom.fr.eu.org>
To: "Sheepa" <sheepa@sheepa.org>
Sent: Friday, March 12, 2010 9:04 AM
Subject: Re: Update delay when using nat table?

This doesn't seem too simple, maybe im getting myself into too deep waters..

I somewhat followed this guide: 
http://fxp0.org.ua/2007/jul/29/building-kernel-ipset-support-debian-way/ but 
I couldn't get it to work.

Also, why would there be an ipset package if you still need to download the 
source? Can't I just use that one somehow?

Thanks,
Sheepa 

Re: Update delay when using nat table?

[Mart Frauenlob]

On 12.03.2010 15:14, netfilter-owner@vger.kernel.org wrote:
>> If you have the kernel build tree, you could simply download ipset from
>> their site ipset.netfilter.org and run make. It works seemlessly.
>> Otherwise, there is the netfilter-extension-source debian package but I
>> don't know the requirements for this.
>>
>> François
> 
> ----- Original Message ----- From: "François Legal" <devel@thom.fr.eu.org>
> To: "Sheepa" <sheepa@sheepa.org>
> Sent: Friday, March 12, 2010 9:04 AM
> Subject: Re: Update delay when using nat table?
> 
> This doesn't seem too simple, maybe im getting myself into too deep
> waters..
> 
> I somewhat followed this guide:
> http://fxp0.org.ua/2007/jul/29/building-kernel-ipset-support-debian-way/
> but I couldn't get it to work.
> 
> Also, why would there be an ipset package if you still need to download
> the source? Can't I just use that one somehow?
> 
> Thanks,
> Sheepa --


if I remember correctly, you need the module-assistant package.
then install the modules with:

module-assistant prepare
module-assistant auto-install netfilter-extension-modules

I think that's how I did it on debian lenny.

Best regards

Mart

Re: Update delay when using nat table?

[Sheepa]

> if I remember correctly, you need the module-assistant package.
> then install the modules with:
>
> module-assistant prepare
> module-assistant auto-install netfilter-extension-modules
>
> I think that's how I did it on debian lenny.
>
> Best regards
>
> Mart
> --

----- Original Message ----- 
From: "Mart Frauenlob" <mart.frauenlob@chello.at>
To: <netfilter@vger.kernel.org>
Sent: Saturday, March 13, 2010 9:38 AM
Subject: Re: Update delay when using nat table?

module-assistant prepare returns:

The following packages have unmet dependencies:
linux-headers-2.6.30-2-686: Depends: linux-kbuild-2.6.30 but it is not 
installable.

Thanks,
Sheepa 

Re: Update delay when using nat table?

[ratheesh k]

On Thu, Mar 11, 2010 at 6:12 AM, Sheepa <sheepa@sheepa.org> wrote:
> Hello, im trying to redirect a port based in source ip like this:
> iptables -t nat -A PREROUTING -p udp --dport 777 -j REDIRECT --to-port 888
> -s x.x.x.x
>
> Notice that i will have services listening on both ports. Allthough this
> works it takes several minutes for it to take effect. And it doesn't seem to
> take effect at all if i keep sending packages to port 777 here in the
> example. How can i make it take effect instantly? Or is thier any other way
> of doing this (redirecting a port locally) on a debian squeeze machine?
>
> Thanks,
> Sheepa --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

I had similar problem . I was syn-flooding one interface and  there is
an iptable rule to  reject all  syn-flood . But while flooding
,eventhough i opened port , ( in my case ) packets are not flowing
....it is still getting dropped . I thought ,it could be a problem due
to resource constrain in my box ( small ram , little processor speed )
.


Even if packets are dropped , will there be conntrack entry for those packets ?