* UDP Redirects
From: Jim Redman @ 2003-09-16 0:07 UTC (permalink / raw)
To: netfilter
I have a system that is sending UDP packets to port 995 at about 100
packets/second. I want to redirect these to 1995 so that I can listen
on an unprivileged port. So I:
iptables -t nat -A PREROUTING -p udp --dport 995 \
-j REDIRECT --to-port 1995
This seems to work some of the time, but most of the time not. It
seems to work better when the connection is across a VPN which limits
the packets to about 5-10/second. So I assume that I've hit some
limit, however this (and a number of variants) don't seem to help:
iptables -t nat -I PREROUTING -m limit --limit 1000/s \
--limit-burst 1000 -j ACCEPT
Am I missing something obvious? Any suggestions?
Thanks,
Jim
--
Jim Redman
(505) 662 5156 x85
http://www.ergotech.com
* UDP Redirects
From: Jim Redman @ 2003-09-16 1:05 UTC (permalink / raw)
To: netfilter
[apologies if this is a duplicate - the list manager has ack'd my
request but still bounced the first copy]
I have a system that is sending UDP packets to port 995 at about 100
packets/second. I want to redirect these to 1995 so that I can listen
on an unprivileged port. So I:
iptables -t nat -A PREROUTING -p udp --dport 995 \
-j REDIRECT --to-port 1995
This seems to work some of the time, but most of the time not. It
seems to work better when the connection is across a VPN which limits
the packets to about 5-10/second. So I assume that I've hit some
limit, however this (and a number of variants) don't seem to help:
iptables -t nat -I PREROUTING -m limit --limit 1000/s \
--limit-burst 1000 -j ACCEPT
Am I missing something obvious? Any suggestions?
Thanks,
Jim
--
Jim Redman
(505) 662 5156 x85
http://www.ergotech.com
* Re: UDP Redirects
From: Ramin Dousti @ 2003-09-16 14:24 UTC (permalink / raw)
To: Jim Redman; +Cc: netfilter
Do the packets belong to one UDP session? If not, this number of packets
might overflow your connection-tracking table.
Ramin
On Mon, Sep 15, 2003 at 07:05:50PM -0600, Jim Redman wrote:
> [apologies if this is a duplicate - the list manager has ack'd my
> request but still bounced the first copy]
>
> I have a system that is sending UDP packets to port 995 at about 100
> packets/second. I want to redirect these to 1995 so that I can listen
> on an unprivileged port. So I:
>
> iptables -t nat -A PREROUTING -p udp --dport 995 \
> -j REDIRECT --to-port 1995
>
> This seems to work some of the time, but most of the time not. It
> seems to work better when the connection is across a VPN which limits
> the packets to about 5-10/second. So I assume that I've hit some
> limit, however this (and a number of variants) don't seem to help:
>
> iptables -t nat -I PREROUTING -m limit --limit 1000/s \
> --limit-burst 1000 -j ACCEPT
>
> Am I missing something obvious? Any suggestions?
>
> Thanks,
>
> Jim
>
> --
>
> Jim Redman
> (505) 662 5156 x85
> http://www.ergotech.com
* Re: UDP Redirects
From: Jim Redman @ 2003-09-16 14:52 UTC (permalink / raw)
To: Ramin Dousti; +Cc: netfilter
Ramin,
On 2003.09.16 08:24, Ramin Dousti wrote:
> Do the packets belong to one UDP session? If not, this number of
> packets
> might overflow your connection-tracking table.
The packets are all individual entities. Any solution if this is the
problem? Any way to test? (There are no indications in the syslog
that I've noticed).
Jim
>
> Ramin
>
> On Mon, Sep 15, 2003 at 07:05:50PM -0600, Jim Redman wrote:
>
> > [apologies if this is a duplicate - the list manager has ack'd my
> > request but still bounced the first copy]
> >
> > I have a system that is sending UDP packets to port 995 at about 100
> > packets/second. I want to redirect these to 1995 so that I can listen
> > on an unprivileged port. So I:
> >
> > iptables -t nat -A PREROUTING -p udp --dport 995 \
> > -j REDIRECT --to-port 1995
> >
> > This seems to work some of the time, but most of the time not. It
> > seems to work better when the connection is across a VPN which limits
> > the packets to about 5-10/second. So I assume that I've hit some
> > limit, however this (and a number of variants) don't seem to help:
> >
> > iptables -t nat -I PREROUTING -m limit --limit 1000/s \
> > --limit-burst 1000 -j ACCEPT
> >
> > Am I missing something obvious? Any suggestions?
> >
> > Thanks,
> >
> > Jim
> >
> > --
> >
> > Jim Redman
> > (505) 662 5156 x85
> > http://www.ergotech.com
>
--
Jim Redman
(505) 662 5156 x85
http://www.ergotech.com
* Re: UDP Redirects
From: Jim Redman @ 2003-09-16 15:42 UTC (permalink / raw)
To: Ramin Dousti; +Cc: netfilter
Ramin,
On 2003.09.16 08:24, Ramin Dousti wrote:
> Do the packets belong to one UDP session? If not, this number of
> packets
> might overflow your connection-tracking table.
The packets are all individual entities. Any solution if this is the
problem? Any way to test? (There are no indications in the syslog
that I've noticed).
Jim
>
> Ramin
>
> On Mon, Sep 15, 2003 at 07:05:50PM -0600, Jim Redman wrote:
>
> > [apologies if this is a duplicate - the list manager has ack'd my
> > request but still bounced the first copy]
> >
> > I have a system that is sending UDP packets to port 995 at about 100
> > packets/second. I want to redirect these to 1995 so that I can listen
> > on an unprivileged port. So I:
> >
> > iptables -t nat -A PREROUTING -p udp --dport 995 \
> > -j REDIRECT --to-port 1995
> >
> > This seems to work some of the time, but most of the time not. It
> > seems to work better when the connection is across a VPN which limits
> > the packets to about 5-10/second. So I assume that I've hit some
> > limit, however this (and a number of variants) don't seem to help:
> >
> > iptables -t nat -I PREROUTING -m limit --limit 1000/s \
> > --limit-burst 1000 -j ACCEPT
> >
> > Am I missing something obvious? Any suggestions?
> >
> > Thanks,
> >
> > Jim
> >
> > --
> >
> > Jim Redman
> > (505) 662 5156 x85
> > http://www.ergotech.com
>
--
Jim Redman
(505) 662 5156 x85
http://www.ergotech.com
* Re: UDP Redirects
From: Jim Redman @ 2003-09-16 17:20 UTC (permalink / raw)
To: Ramin Dousti; +Cc: netfilter
On 2003.09.16 09:52, Ramin Dousti wrote:
> On Tue, Sep 16, 2003 at 09:42:20AM -0600, Jim Redman wrote:
>
> > Ramin,
> >
> > On 2003.09.16 08:24, Ramin Dousti wrote:
> > >Do the packets belong to one UDP session? If not, this number of
> > >packets
> > >might overflow your connection-tracking table.
> >
> > The packets are all individual entities. Any solution if this is the
> > problem? Any way to test? (There are no indications in the syslog
> > that I've noticed).
>
> I'm sure there are better ways of doing this but a simple
>
> cat /proc/net/ip_conntrack | wc
Seems I must have told you an untruth since this is all I have in the
file relating to the particular connection. 192.168.2.189 is the
device sending data to me and 192.168.2.97 is me. I suspect the first
line is a connection from my app back to the device, since it only
appears when the app is running.
udp 17 179 src=192.168.2.97 dst=192.168.2.189 sport=32815 dport=995 src=192.168.2.189 dst=192.168.2.97 sport=995 dport=32815 [ASSURED] use=1
udp 17 179 src=192.168.2.189 dst=192.168.2.97 sport=995 dport=995 src=192.168.2.97 dst=192.168.2.189 sport=1995 dport=995 [ASSURED] use=1
Today, however, everything is working (at least at the moment)! It's
very strange. Nothing has changed. I took the notebook home and
brought it back. Same software running here, same device still sending
the values, etc. etc.
I still don't know that it's a netfilter problem. I see the packets
with tcpdump and don't receive them in the application. NMAP says the
port is open and the code is just open connection & receive (in Java).
Ugh. Well, better get on with the debugging while I'm receiving data.
Jim
--
Jim Redman
(505) 662 5156 x85
http://www.ergotech.com
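Ramin's hypothesis that many one-off datagrams could overflow the connection-tracking table, and Jim's /proc/net/ip_conntrack dump above, both point at the same quick check. The following is an added example, not code from the thread: it parses entries in the ip_conntrack layout Jim quoted (the first two sample lines are his, the remaining ones are constructed), reports which UDP entries the REDIRECT rule actually rewrote (reply source port 1995 against original destination port 995), and estimates the steady-state table occupancy that a given rate of fresh UDP source tuples implies. The 30 s UDP timeout, the 8192 table size in the demo run, and the set of /proc paths tried by read_live_counts() are assumptions; the paths in particular differ between kernel versions.

```python
"""Added example: inspect ip_conntrack entries and estimate table pressure."""
import re
from collections import Counter

# Constructed sample in the /proc/net/ip_conntrack layout quoted in the
# thread: protocol name, protocol number, remaining timeout in seconds,
# original-direction tuple, reply-direction tuple, flags, use count.
# The first two lines are Jim's entries; the other three are made up.
SAMPLE_CONNTRACK = """\
udp      17 179 src=192.168.2.97 dst=192.168.2.189 sport=32815 dport=995 src=192.168.2.189 dst=192.168.2.97 sport=995 dport=32815 [ASSURED] use=1
udp      17 179 src=192.168.2.189 dst=192.168.2.97 sport=995 dport=995 src=192.168.2.97 dst=192.168.2.189 sport=1995 dport=995 [ASSURED] use=1
udp      17 25 src=192.168.2.50 dst=192.168.2.97 sport=40001 dport=995 src=192.168.2.97 dst=192.168.2.50 sport=1995 dport=40001 use=1
udp      17 12 src=192.168.2.51 dst=192.168.2.97 sport=40002 dport=995 src=192.168.2.97 dst=192.168.2.51 sport=1995 dport=40002 use=1
tcp      6 431999 ESTABLISHED src=192.168.2.10 dst=192.168.2.97 sport=51000 dport=22 src=192.168.2.97 dst=192.168.2.10 sport=22 dport=51000 [ASSURED] use=1
"""

_KV = re.compile(r"(src|dst|sport|dport)=(\S+)")


def parse_conntrack(text):
    """Return one dict per entry: proto, timeout, orig/reply tuples, assured."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        kv = _KV.findall(line)
        # Each direction contributes src, dst, sport, dport in that order.
        if len(fields) < 3 or len(kv) != 8:
            continue
        entries.append({
            "proto": fields[0],
            "timeout": int(fields[2]),
            "orig": dict(kv[:4]),
            "reply": dict(kv[4:]),
            "assured": "[ASSURED]" in fields,
        })
    return entries


def is_dnat(entry):
    """True when the reply tuple is not the mirror image of the original,
    i.e. DNAT/REDIRECT rewrote the destination. For the REDIRECT in the
    thread the original dport is 995 but the reply sport is 1995."""
    o, r = entry["orig"], entry["reply"]
    return o["dport"] != r["sport"] or o["dst"] != r["src"]


def summarize(entries):
    """Per-protocol counts, UDP entries per original destination port,
    how many entries NAT rewrote, and how many UDP entries are still
    unassured (one-way traffic that expires after the short UDP timeout)."""
    return {
        "by_proto": dict(Counter(e["proto"] for e in entries)),
        "udp_by_dport": dict(Counter(e["orig"]["dport"] for e in entries
                                     if e["proto"] == "udp")),
        "rewritten": sum(1 for e in entries if is_dnat(e)),
        "unassured_udp": sum(1 for e in entries
                             if e["proto"] == "udp" and not e["assured"]),
    }


def steady_state_entries(new_flows_per_sec, timeout_s):
    """Every datagram from a fresh source tuple creates an entry that lives
    for the UDP timeout, so occupancy converges to rate * timeout."""
    return new_flows_per_sec * timeout_s


def table_pressure(occupancy, conntrack_max):
    """Fraction of the table used; once the count reaches the maximum the
    kernel drops packets that would need a new entry."""
    return {"ratio": occupancy / conntrack_max,
            "overflow": occupancy >= conntrack_max}


def read_live_counts():
    """Current (count, max) from /proc on a live box, trying the nf_conntrack
    paths first and the older ip_conntrack paths second (assumed layout;
    it varies by kernel version). Returns None when neither is present."""
    candidates = [
        ("/proc/sys/net/netfilter/nf_conntrack_count",
         "/proc/sys/net/netfilter/nf_conntrack_max"),
        ("/proc/sys/net/ipv4/netfilter/ip_conntrack_count",
         "/proc/sys/net/ipv4/netfilter/ip_conntrack_max"),
    ]
    for count_path, max_path in candidates:
        try:
            with open(count_path) as c, open(max_path) as m:
                return int(c.read()), int(m.read())
        except OSError:
            continue
    return None


if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE_CONNTRACK)
    print(summarize(entries))
    # 100 one-off datagrams/s against an assumed 30 s UDP timeout and an
    # assumed ip_conntrack_max of 8192.
    occupancy = steady_state_entries(100, 30)
    print(occupancy, table_pressure(occupancy, 8192))
    print(read_live_counts())
```

An entry whose reply tuple is not the mirror of its original tuple is one that NAT rewrote, so on Jim's box a working REDIRECT shows up as sport=1995 in the reply half of the entry. The steady-state estimate only bites when each datagram arrives from a fresh source tuple; Jim's dump shows the device always sends from sport=995, so his stream occupies a single entry, which is why the table-overflow hypothesis did not hold here. When it does apply, comparing the estimate with ip_conntrack_max and watching the kernel log for the "table full, dropping packet" message is the direct test.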