From: "Brian J. Murrell" <brian@interlinx.bc.ca>
To: netfilter@vger.kernel.org
Subject: Re: DNAT working for one host but not another
Date: Mon, 05 Dec 2016 09:43:28 -0500
Message-ID: <1480949008.19944.60.camel@interlinx.bc.ca>
In-Reply-To: <aab4caed2f9f4941b0749ef4875d5761@aalto.fi>
On Mon, 2016-12-05 at 07:04 +0000, Llorente Santos Jesus wrote:
> Hi Brian,
>
> Did you try using the REDIRECT target instead?
I didn't before, but I just did and it doesn't seem to work either.
Neither host gets ASSURED:
udp 17 26 src=10.75.23.212 dst=10.75.22.8 sport=6060 dport=23768 [UNREPLIED] src=10.75.22.247 dst=10.75.23.212 sport=5060 dport=6060 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
udp 17 28 src=10.75.22.200 dst=10.75.22.8 sport=6060 dport=23768 [UNREPLIED] src=10.75.22.8 dst=10.75.22.200 sport=23768 dport=6060 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
and they both just keep getting ICMP port unreachable:
09:36:59.717222 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
09:36:59.717340 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
09:37:01.839127 IP 10.75.22.200.6060 > 10.75.22.8.23768: UDP, length 472
09:37:01.839212 IP 10.75.22.8 > 10.75.22.200: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
09:37:03.718815 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
09:37:03.718921 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
09:37:05.218391 IP 10.75.22.200.6060 > 10.75.22.8.23768: UDP, length 0
There is definitely something listening on the port:
# netstat -pan | grep :5060
udp 0 0 10.75.22.8:5060 0.0.0.0:* 32519/foo
But it really should work as a DNAT rule anyway. It does for one host,
just not another. And has worked as such for all hosts for many years.
It just seems to have stopped working recently.
Interestingly enough, it seems that now, the host which can't move to
the ASSURED state is getting an ICMP port unreachable from the host:
09:20:47.041363 IP 10.75.22.200.6060 > 10.75.22.8.23768: UDP, length 471
09:20:47.041586 IP 10.75.22.8 > 10.75.22.200: ICMP 10.75.22.8 udp port 23768 unreachable, length 507
Yet the other host obviously managed to reach it:
udp 17 179 src=10.75.23.212 dst=10.75.22.8 sport=6060 dport=23768 src=10.75.22.8 dst=10.75.23.212 sport=5060 dport=6060 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
udp 17 26 src=10.75.22.200 dst=10.75.22.8 sport=6060 dport=23768 [UNREPLIED] src=10.75.22.8 dst=10.75.22.200 sport=23768 dport=6060 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
I wonder if that sheds any more light on the problem.
Cheers,
b.
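A small check that makes the difference between the two conntrack entries above mechanical; this is an added example, not code from the thread. It parses conntrack entries and reports, per client host, whether the reply tuple shows that the DNAT took effect (the assumed mapping is public port 23768 to the listener on 5060, taken from the netstat output) and whether the flow reached ASSURED. The sample entries are copied from the message.

```python
import re

# Constructed sample input: the two conntrack entries quoted in the message,
# one per client host (the working host from the ASSURED snapshot).
SAMPLE_CONNTRACK = """\
udp 17 179 src=10.75.23.212 dst=10.75.22.8 sport=6060 dport=23768 src=10.75.22.8 dst=10.75.23.212 sport=5060 dport=6060 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
udp 17 26 src=10.75.22.200 dst=10.75.22.8 sport=6060 dport=23768 [UNREPLIED] src=10.75.22.8 dst=10.75.22.200 sport=23768 dport=6060 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
"""

# One 4-tuple as printed by conntrack -L or /proc/net/nf_conntrack.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entry(line):
    """Split one conntrack line into its original and reply tuples plus state flags."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    orig, reply = [
        {"src": t[0], "dst": t[1], "sport": int(t[2]), "dport": int(t[3])} for t in tuples
    ]
    return {
        "orig": orig,
        "reply": reply,
        "assured": "[ASSURED]" in line,
        "unreplied": "[UNREPLIED]" in line,
    }

def dnat_applied(entry, public_port, internal_port):
    """DNAT took effect if the reply tuple's source port is the real listener's port
    rather than the public port the client sent to (assumed mapping 23768 -> 5060)."""
    return (entry["orig"]["dport"] == public_port
            and entry["reply"]["sport"] == internal_port)

def diagnose(conntrack_text, public_port, internal_port):
    """Return {client_ip: verdict} for every flow aimed at the public port."""
    verdicts = {}
    for line in conntrack_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry["orig"]["dport"] != public_port:
            continue
        if dnat_applied(entry, public_port, internal_port):
            verdict = "dnat-ok/assured" if entry["assured"] else "dnat-ok/unreplied"
        else:
            verdict = "dnat-missing (reply sport=%d)" % entry["reply"]["sport"]
        verdicts[entry["orig"]["src"]] = verdict
    return verdicts

if __name__ == "__main__":
    for host, verdict in diagnose(SAMPLE_CONNTRACK, 23768, 5060).items():
        print(host, verdict)
```

A reply tuple whose source port still equals the public port means the kernel never rewrote the destination for that flow, which is consistent with the ICMP port unreachable seen for the failing host.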