Linux Netfilter discussions
* iptables udp 1195 MASQUERADE
From: Enrique Huerta de la Fuente @ 2012-01-24 23:34 UTC
  To: netfilter

Hello

I have OpenVPN (LAN to LAN).

On site 1 (4 links)
- eth0 (LAN)
- eth1 (internet link)
- eth3 (internet link)
- ppp0 (internet link)
- Default gateway eth1

On site 2 (3 links)
- eth0 (LAN)
- eth1 (internet link)
- ppp0 (internet link)
- Default gateway ppp0

The eth3 interface (site 1) and the eth1 interface (site 2) are from the same supplier, with the same mask.

The VPN works with eth3 (site 1) <---> eth1 (site 2) and it works great. We do not need to go through the gateway because they are the same provider.

But if any of the VPN links fails (eth3 or eth1), we need to change the VPN links to ppp0 (site 1) <-----> ppp0 (site 2).

Here's the problem!

At site 1, the UDP packets should go out via ppp0 (the default gateway is eth1). To do this:

# iptables -t nat -I POSTROUTING -p udp -m udp --dport 1195 -o ppp0 -j MASQUERADE
# iptables -t mangle -I OUTPUT -p udp -m udp --dport 1195 -j MARK --set-mark 1

So the paths are:

# ip rule ls
0: from all lookup 255
32757: from all fwmark 0x1 lookup infinitum
32758: from 189.143.36.36 lookup infinitum
32759: from 38.124.170.15 lookup bbs
32766: from all lookup main

# ip route ls table infinitum
default via 189.143.36.36 dev ppp0


The problem is that no packets arrive from site 1 at site 2. The UDP packets from site 2 do arrive at site 1.

I tested with port 22 (ssh) and it works.

# iptables -t nat -I POSTROUTING -m tcp -p tcp --dport 22 -o ppp0 -j MASQUERADE
# iptables -t mangle -I OUTPUT -m tcp -p tcp --dport 22 -j MARK --set-mark 1


Any idea why no UDP packets arrive at site 2?

regards

E.Huerta


* Re: iptables udp 1195 MASQUERADE
From: Andrew Beverley @ 2012-02-04 19:58 UTC
  To: ehuerta; +Cc: netfilter

On Tue, 2012-01-24 at 17:34 -0600, Enrique Huerta de la Fuente wrote:
> Hello
> 
> I have OpenVPN (LAN to LAN).
> 
> On site 1 (4 links)
> - eth0 (LAN)
> - eth1 (internet link)
> - eth3 (internet link)
> - ppp0 (internet link)
> - Default gateway eth1
> 
> On site 2 (3 links)
> - eth0 (LAN)
> - eth1 (internet link)
> - ppp0 (internet link)
> - Default gateway ppp0
> 
> The eth3 interface (site 1) and the eth1 interface (site 2) are from the same supplier, with the same mask.
> 
> The VPN works with eth3 (site 1) <---> eth1 (site 2) and it works great. We do not need to go through the gateway because they are the same provider.
> 
> But if any of the VPN links fails (eth3 or eth1), we need to change the VPN links to ppp0 (site 1) <-----> ppp0 (site 2).
> 
> Here's the problem!
> 
> At site 1, the UDP packets should go out via ppp0 (the default gateway is eth1). To do this:
> 
> # iptables -t nat -I POSTROUTING -p udp -m udp --dport 1195 -o ppp0 -j MASQUERADE
> # iptables -t mangle -I OUTPUT -p udp -m udp --dport 1195 -j MARK --set-mark 1

Are you sure you've got this rule correct? Have you tried doing a LOG
target to check that it is matching the packets that you would expect?

> 
> So the paths are:
> 
> # ip rule ls
> 0: from all lookup 255
> 32757: from all fwmark 0x1 lookup infinitum
> 32758: from 189.143.36.36 lookup infinitum
> 32759: from 38.124.170.15 lookup bbs
> 32766: from all lookup main
> 
> # ip route ls table infinitum
> default via 189.143.36.36 dev ppp0
> 
> 
> The problem is that no packets arrive from site 1 at site 2. The UDP packets from site 2 do arrive at site 1.
> 
> I tested with port 22 (ssh) and it works.
> 
> # iptables -t nat -I POSTROUTING -m tcp -p tcp --dport 22 -o ppp0 -j MASQUERADE
> # iptables -t mangle -I OUTPUT -m tcp -p tcp --dport 22 -j MARK --set-mark 1
> 
> 
> Any idea why no UDP packets arrive at site 2?
> 
> regards
> 
> E.Huerta

* Re: iptables udp 1195 MASQUERADE
From: Enrique Huerta de la Fuente @ 2012-02-07  5:12 UTC
  To: Andrew Beverley; +Cc: netfilter

>----- Original message -----
>From: "Andrew Beverley" <andy@andybev.com>
>To: ehuerta@ixer.mx
>CC: netfilter@vger.kernel.org
>Sent: Saturday, 4 February 2012 13:58:32
>Subject: Re: iptables udp 1195 MASQUERADE
>
>On Tue, 2012-01-24 at 17:34 -0600, Enrique Huerta de la Fuente wrote:
>> Hello
>>
>> I have OpenVPN (LAN to LAN).
>>
>> On site 1 (4 links)
>> - eth0 (LAN)
>> - eth1 (internet link)
>> - eth3 (internet link)
>> - ppp0 (internet link)
>> - Default gateway eth1
>>
>> On site 2 (3 links)
>> - eth0 (LAN)
>> - eth1 (internet link)
>> - ppp0 (internet link)
>> - Default gateway ppp0
>>
>> The eth3 interface (site 1) and the eth1 interface (site 2) are from the
>> same supplier, with the same mask.
>>
>> The VPN works with eth3 (site 1) <---> eth1 (site 2) and it works
>> great. We do not need to go through the gateway because they are the
>> same provider.
>>
>> But if any of the VPN links fails (eth3 or eth1), we need to change
>> the VPN links to ppp0 (site 1) <-----> ppp0 (site 2).
>>
>> Here's the problem!
>>
>> At site 1, the UDP packets should go out via ppp0 (the default gateway
>> is eth1). To do this:
>>
>> # iptables -t nat -I POSTROUTING -p udp -m udp --dport 1195 -o ppp0 -j MASQUERADE
>> # iptables -t mangle -I OUTPUT -p udp -m udp --dport 1195 -j MARK --set-mark 1
>
>Are you sure you've got this rule correct? Have you tried doing a LOG
>target to check that it is matching the packets that you would expect?
>
>>
>> So the paths are:
>>
>> # ip rule ls
>> 0: from all lookup 255
>> 32757: from all fwmark 0x1 lookup infinitum
>> 32758: from 189.143.36.36 lookup infinitum
>> 32759: from 38.124.170.15 lookup bbs
>> 32766: from all lookup main
>>
>> # ip route ls table infinitum
>> default via 189.143.36.36 dev ppp0
>>
>>
>> The problem is that no packets arrive from site 1 at site 2. The
>> UDP packets from site 2 do arrive at site 1.
>>
>> I tested with port 22 (ssh) and it works.
>>
>> # iptables -t nat -I POSTROUTING -m tcp -p tcp --dport 22 -o ppp0 -j MASQUERADE
>> # iptables -t mangle -I OUTPUT -m tcp -p tcp --dport 22 -j MARK --set-mark 1
>>
>>
>> Any idea why no UDP packets arrive at site 2?
>>
>> regards
>>
>> E.Huerta


Hello Andrew, thank you for the attention.

I added a LOG target to check the rule in each of the OUTPUT hooks (raw, mangle, nat and filter) and POSTROUTING hooks (mangle and nat).


kernel: OUTPUT-22-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=17619 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
kernel: OUTPUT-1195-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=304 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=284 

kernel: OUTPUT-22-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=18917 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
kernel: OUTPUT-1195-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=416 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=396 

kernel: OUTPUT-22-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19177 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
kernel: OUTPUT-1195-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=108 

kernel: POSTROUTING-22-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19543 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
kernel: POSTROUTING-1195-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=140 

In the OUTPUT and POSTROUTING hooks of the NAT table, I cannot log.

In the last log, the output interface has already changed, but the source address did not change.

Applying the rule "iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE" masks port 22 (tcp) but not 1195 (udp), because I can connect via ssh.

It seems the problem is that it does not mask port 1195 (udp).

Any idea?

regards

E.Huerta

* Re: iptables udp 1195 MASQUERADE
From: Andrew Beverley @ 2012-02-09 20:48 UTC
  To: ehuerta; +Cc: netfilter

On Mon, 2012-02-06 at 23:12 -0600, Enrique Huerta de la Fuente wrote:
> Applying the rule "iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE"
> masks port 22 (tcp) but not 1195 (udp), because I can
> connect via ssh.

What do you mean by "masks"? What are you expecting the MASQUERADE
target to do? From the little information I've seen, it looks like you
are sending packets from a single interface from the local machine, in
which case the MASQUERADE will have no effect anyway.

> It seems the problem is that it does not mask port 1195 (udp).
> 

MASQUERADE works fine with UDP whenever I have used it.

Andy

* Re: iptables udp 1195 MASQUERADE
From: Enrique Huerta de la Fuente @ 2012-02-10  5:44 UTC
  To: Andrew Beverley; +Cc: netfilter

>> Applying the rule "iptables -t nat -I POSTROUTING -o ppp0 -j
>> MASQUERADE" masks port 22 (tcp) but not 1195 (udp),
>> because I can
>> connect via ssh.
>
>What do you mean by "masks"? What are you expecting the MASQUERADE
>target to do? From the little information I've seen, it looks like you
>are sending packets from a single interface from the local machine, in
>which case the MASQUERADE will have no effect anyway.
>
>> It seems the problem is that it does not mask port 1195 (udp).
>>
>
>MASQUERADE works fine with UDP whenever I have used it.
>
>Andy

Hello Andy, I have three interfaces 


* Re: iptables udp 1195 MASQUERADE
From: Enrique Huerta de la Fuente @ 2012-02-10  6:05 UTC
  To: Andrew Beverley; +Cc: netfilter

>> Applying the rule "iptables -t nat -I POSTROUTING -o ppp0 -j
>> MASQUERADE" masks port 22 (tcp) but not 1195 (udp),
>> because I can
>> connect via ssh.
>
>What do you mean by "masks"? What are you expecting the MASQUERADE
>target to do? From the little information I've seen, it looks like you
>are sending packets from a single interface from the local machine, in
>which case the MASQUERADE will have no effect anyway.
>
>> It seems the problem is that it does not mask port 1195 (udp).
>>
>
>MASQUERADE works fine with UDP whenever I have used it.
>
>Andy


Hello Andy, thank you for the attention.

I have four interfaces and the default gateway is eth1

- eth0 (LAN)
- eth1 (internet link)
- eth3 (internet link)
- ppp0 (internet link)

I mark (mangle) the UDP (1195) packets to go out via interface ppp0:
"iptables -t mangle -I OUTPUT -p udp -m udp --dport 1195 -j MARK --set-mark 1"

and when I try to MASQUERADE the UDP (1195) packets with "iptables -t nat -I POSTROUTING -p udp -m udp --dport 1195 -o ppp0 -j MASQUERADE", it does not work!!

Any idea?

E.Huerta


* Re: iptables udp 1195 MASQUERADE
From: Andrew Beverley @ 2012-02-10 15:57 UTC
  To: ehuerta; +Cc: netfilter

On Fri, 2012-02-10 at 00:05 -0600, Enrique Huerta de la Fuente wrote:
> I have four interfaces and the default gateway is eth1
> 
> - eth0 (LAN)
> - eth1 (internet link)
> - eth3 (internet link)
> - ppp0 (internet link)
> 
> I mark (mangle) the UDP (1195) packets to go out via interface ppp0:
> "iptables -t mangle -I OUTPUT -p udp -m udp --dport 1195 -j MARK --set-mark 1"
> 
> and when I try to MASQUERADE the UDP (1195) packets with "iptables -t nat
> -I POSTROUTING -p udp -m udp --dport 1195 -o ppp0 -j MASQUERADE", it does
> not work!!

I'm still not sure exactly what you're trying to achieve. Presumably you
want different traffic going out on different interfaces, source-natted
to that interface IP address.

If so, why not route your traffic as you are already doing (I assume
that is working) and then just MASQUERADE each interface:

iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE

Andy

* Re: iptables udp 1195 MASQUERADE
From: Enrique Huerta de la Fuente @ 2012-02-10 18:36 UTC
  To: Andrew Beverley; +Cc: netfilter


>> I have four interfaces and the default gateway is eth1
>>
>> - eth0 (LAN)
>> - eth1 (internet link)
>> - eth3 (internet link)
>> - ppp0 (internet link)
>>
>> I mark (mangle) the UDP (1195) packets to go out via interface ppp0:
>> "iptables -t mangle -I OUTPUT -p udp -m udp --dport 1195 -j MARK
>> --set-mark 1"
>>
>> and when I try to MASQUERADE the UDP (1195) packets with "iptables -t nat
>> -I POSTROUTING -p udp -m udp --dport 1195 -o ppp0 -j MASQUERADE", it does
>> not work!!
>
>I'm still not sure exactly what you're trying to achieve. Presumably you
>want different traffic going out on different interfaces, source-natted
>to that interface IP address.
>
>If so, why not route your traffic as you are already doing (I assume
>that is working) and then just MASQUERADE each interface:
>
>iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
>
>Andy


Yes, I routed traffic via different interfaces and MASQUERADEd each interface, and it works; I know that because I do the same with the TCP (22) packets (iptables -t nat -I POSTROUTING -p tcp -m tcp --dport 22 -o ppp0 -j MASQUERADE) and it works very well. But only the UDP (1195) packets do not work.

I have tried:
iptables -t nat -I POSTROUTING -p udp -m udp --dport 1195 -o ppp0 -j MASQUERADE
iptables -t nat -I POSTROUTING -p udp --dport 1195 -o ppp0 -j MASQUERADE
iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE

but it does not work.

Any ideas?

E.Huerta

* Re: iptables udp 1195 MASQUERADE
From: Andrew Beverley @ 2012-02-10 20:05 UTC
  To: ehuerta; +Cc: netfilter

On Fri, 2012-02-10 at 12:36 -0600, Enrique Huerta de la Fuente wrote:
> iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
> 
> but it does not work.

Are you *sure* it's not working?

> 
> Any ideas?

Upgrade maybe? As said previously, it's always worked for me.

Andy

* Re: iptables udp 1195 MASQUERADE
From: Enrique Huerta de la Fuente @ 2012-02-10 22:55 UTC
  To: Andrew Beverley; +Cc: netfilter

>On Fri, 2012-02-10 at 12:36 -0600, Enrique Huerta de la Fuente wrote:
>> iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
>>
>> but it does not work.
>
>Are you *sure* it's not working?
>
>>
>> Any ideas?
>
>Upgrade maybe? As said previously, it's always worked for me.
>
>Andy


Andy, thank you very much for the attention.

I will continue investigating.

E.Huerta

* Re: iptables udp 1195 MASQUERADE
From: SamLT @ 2012-02-11  9:13 UTC
  To: Andrew Beverley; +Cc: ehuerta, netfilter

On Fri, Feb 10, 2012 at 08:05:47PM +0000, Andrew Beverley wrote:
> On Fri, 2012-02-10 at 12:36 -0600, Enrique Huerta de la Fuente wrote:
> > iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
> > 
> > but it does not work.
> 
> Are you *sure* it's not working?

Sorry to jump in here, but I agree with Enrique; could you show some
tcpdump output or something?
   - Do the packets go out from ppp0 without being MASQUERADEd?
   - Do they go out from another interface?
   - Does it look like they are being filtered? Or REDIRECTed?

> 
> > 
> > Any ideas?
> 
> Upgrade maybe? As said previously, it's always worked for me.
> 
> Andy
> 
> 

* Re: iptables udp 1195 MASQUERADE
From: Enrique Huerta de la Fuente @ 2012-02-14 17:18 UTC
  To: SamLT; +Cc: netfilter, Andrew Beverley

>On Fri, Feb 10, 2012 at 08:05:47PM +0000, Andrew Beverley wrote:
>> On Fri, 2012-02-10 at 12:36 -0600, Enrique Huerta de la Fuente wrote:
>> > iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
>> >
>> > but it does not work.
>>
>> Are you *sure* it's not working?
>
>Sorry to jump in here, but I agree with Enrique; could you show some
>tcpdump output or something?
>- Do the packets go out from ppp0 without being MASQUERADEd?
>- Do they go out from another interface?
>- Does it look like they are being filtered? Or REDIRECTed?
>>
>>
>> >
>> > Any ideas?
>>
>> Upgrade maybe? As said previously, it's always worked for me.
>>
>> Andy


Hello Sam, these are my outputs:

* Re: iptables udp 1195 MASQUERADE
From: Enrique Huerta de la Fuente @ 2012-02-14 18:05 UTC
  To: SamLT; +Cc: netfilter, Andrew Beverley

>On Fri, Feb 10, 2012 at 08:05:47PM +0000, Andrew Beverley wrote:
>> On Fri, 2012-02-10 at 12:36 -0600, Enrique Huerta de la Fuente wrote:
>> > iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
>> >
>> > but it does not work.
>>
>> Are you *sure* it's not working?
>
>Sorry to jump in here, but I agree with Enrique; could you show some
>tcpdump output or something?
>- Do the packets go out from ppp0 without being MASQUERADEd?
>- Do they go out from another interface?
>- Does it look like they are being filtered? Or REDIRECTed?
>>
>>
>> >
>> > Any ideas?
>>
>> Upgrade maybe? As said previously, it's always worked for me.
>>
>> Andy


Hello Sam,

I added a LOG target to check the rule in each of the OUTPUT hooks (raw, mangle and filter) and POSTROUTING hooks (mangle).


kernel: OUTPUT-22-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=17619 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=304 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=284

kernel: OUTPUT-22-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=18917 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=416 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=396

kernel: OUTPUT-22-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19177 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=108

kernel: POSTROUTING-22-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19543 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: POSTROUTING-1195-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=140


In the last log, the output interface has already changed, but the source address did not change; this happens in the POSTROUTING hook (nat).

Applying the rule "iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE" masks port 22 (tcp) but not 1195 (udp), because I can connect via ssh.

It seems the problem is that it does not mask port 1195 (udp).

These are my tcpdump outputs (tcpdump -i ppp0 -nn):

Before applying the MASQUERADE rule on port 22 (does not work):
21:59:47.012159 IP 201.15.40.9.60489 > 189.189.5.2.22: S 1987636:1987636(0) win 5840 <mss 1460,sackOK,timestamp 2332493919 0,nop,wscale 7>
21:59:50.011828 IP 201.15.40.9.60489 > 189.189.5.2.22: S 1987636:1987636(0) win 5840 <mss 1460,sackOK,timestamp 2332496919 0,nop,wscale 7>
21:59:56.011638 IP 201.15.40.9.60489 > 189.189.5.2.22: S 1987636:1987636(0) win 5840 <mss 1460,sackOK,timestamp 2332502919 0,nop,wscale 7>

After applying the MASQUERADE rule (does work):
22:01:40.922449 IP 201.102.128.12.58860 > 189.189.5.2.22: S 125979932:125979932(0) win 5840 <mss 1460,sackOK,timestamp 2332607835 0,nop,wscale 7>
22:01:40.941429 IP 189.189.5.2.22 > 201.102.128.12.58860: S 3858527134:3858527134(0) ack 125979933 win 5760 <mss 1412,sackOK,timestamp 2327811813 2332607835,nop,wscale 7>
22:01:40.941461 IP 201.102.128.12.58860 > 189.189.5.2.22: . ack 1 win 46 <nop,nop,timestamp 2332607854 2327811813>
22:01:40.967119 IP 189.189.5.2.22 > 201.102.128.12.58860: P 1:21(20) ack 1 win 45 <nop,nop,timestamp 2327811835 2332607854>
22:01:40.967175 IP 201.102.128.12.58860 > 189.189.5.2.22: . ack 21 win 46 <nop,nop,timestamp 2332607879 2327811835>
22:01:40.967290 IP 201.102.128.12.58860 > 189.189.5.2.22: P 1:21(20) ack 21 win 46 <nop,nop,timestamp 2332607880 2327811835>
22:01:40.986909 IP 189.189.5.2.22 > 201.102.128.12.58860: . ack 21 win 45 <nop,nop,timestamp 2327811857 2332607880>
22:01:40.986932 IP 201.102.128.12.58860 > 189.189.5.2.22: P 21:733(712) ack 21 win 46 <nop,nop,timestamp 2332607899 2327811857>
22:01:41.000709 IP 189.189.5.2.22 > 201.102.128.12.58860: P 21:725(704) ack 21 win 45 <nop,nop,timestamp 2327811858 2332607880>
22:01:41.041005 IP 201.102.128.12.58860 > 189.189.5.2.22: . ack 725 win 57 <nop,nop,timestamp 2332607953 2327811858>

But whether or not I apply the MASQUERADE rule on the 1195 (udp) port, nothing happens.
At this point, I applied these rules:
iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -I POSTROUTING -m udp -p udp --dport 1195 -o ppp0 -j MASQUERADE
iptables -t nat -I POSTROUTING -d 189.189.5.2 -m udp -p udp --dport 1195 -o ppp0 -j SNAT --to 201.102.128.12:1195


22:30:54.885067 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 100
22:30:55.277241 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 324
22:30:55.539264 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 276
22:30:55.547639 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 388
22:30:55.619872 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 324
22:30:55.723678 IP 189.189.5.2.1195 > 201.102.128.12.1195: UDP, length 100
22:30:55.745952 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 100
22:30:55.993822 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 1556
22:30:55.993842 IP 201.15.40.9 > 189.189.5.2: udp
22:30:55.993879 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 1556
22:30:55.993896 IP 201.15.40.9 > 189.189.5.2: udp
22:30:55.993932 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 1556
22:30:55.993947 IP 201.15.40.9 > 189.189.5.2: udp
22:30:55.993982 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 1508
22:30:55.993988 IP 201.15.40.9 > 189.189.5.2: udp
22:30:56.344615 IP 189.189.5.2.1195 > 201.102.128.12.1195: UDP, length 100
22:30:56.366510 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 100


# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            174.133.237.209     


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1195 
SNAT       udp  --  0.0.0.0/0            189.189.5.2        udp dpt:1195 to:201.102.128.12:1195 
MASQUERADE  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    



# iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
MARK       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110 MARK set 0x1 

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
MARK       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1195 MARK set 0x1 
MARK       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 MARK set 0x1 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         


The problem is that the MASQUERADE rule does not work with UDP (1195).

Any idea?

E.Huerta


* Re: iptables udp 1195 MASQUERADE
From: Sven-Haegar Koch @ 2012-02-14 22:41 UTC
  To: Enrique Huerta de la Fuente; +Cc: SamLT, netfilter, Andrew Beverley

On Tue, 14 Feb 2012, Enrique Huerta de la Fuente wrote:

> The problem is that the MASQUERADE rule does not work with UDP(1195).
>     
> Any idea?

One thing to check out, which took me a whole day to figure out with openvpn 
udp traffic to port 1194 not being masqueraded in some "random" cases:

Does the connection to your port 1195 exist before the firewall rulesets 
are loaded first after boot? - one packet before the rule setup may be 
enough. Once a connection with the same sip+sport+dip+dport has been 
added to the conntrack list, their masquerading/SNAT/DNAT state is not 
changed again - and with the "virtual" udp connection they can stay 
alive quite a while.

Perhaps try just flushing the whole connection-tracking table and see if 
it starts working afterwards:

conntrack -F conntrack ; conntrack -F expect

c'ya
sven-haegar

-- 
Three may keep a secret, if two of them are dead.
- Ben F.


* Re: iptables udp 1195 MASQUERADE
From: Enrique Huerta de la Fuente @ 2012-02-15 18:04 UTC
  To: Sven-Haegar Koch; +Cc: SamLT, netfilter, Andrew Beverley

> On Tue, 14 Feb 2012, Enrique Huerta de la Fuente wrote:
> 
> > The problem is that the MASQUERADE rule does not work with UDP(1195).
> >
> > Any idea?
> 
> One thing to check out, which took me a whole day to figure out with openvpn
> udp traffic to port 1194 not being masqueraded in some "random" cases:
> 
> Does the connection to your port 1195 exist before the firewall rulesets
> are loaded first after boot? - one packet before the rule setup may be
> enough. Once a connection with the same sip+sport+dip+dport has been
> added to the conntrack list their masquerading/SNAT/DNAT state is not
> changed again - and with the "virtual" udp connection they can stay
> alive quite a while.
> 
> Perhaps try just flushing the whole connection-tracking table and see if
> it starts working afterwards:
> 
> conntrack -F conntrack ; conntrack -F expect
> 
> c'ya
> sven-haegar
> 
> -- Three may keep a secret, if two of them are dead.
> - Ben F.

 
Hello Sven-Haegar, yes, the connection to port 1195 exists before the firewall rulesets.

udp      17 179 src=38.124.170.14 dst=38.124.170.25 sport=1195 dport=1195 packets=496310 bytes=132295480 src=38.124.170.25 dst=38.124.170.14 sport=1195 dport=1195 packets=664491 bytes=169869224 [ASSURED] mark=0 secmark=0 use=1

I tried the NOTRACK target, but I have to wait for the time to live of the connection tracking entry before applying the new rules:

iptables -t raw -I PREROUTING -p udp --sport 1195 -j NOTRACK
iptables -t raw -I OUTPUT -p udp --dport 1195 -j NOTRACK
iptables -t raw -I PREROUTING -p udp --dport 1195 -j NOTRACK

I waited 179 secs and ...
iptables -t raw -D PREROUTING -p udp --sport 1195 -j NOTRACK
iptables -t raw -D OUTPUT -p udp --dport 1195 -j NOTRACK
iptables -t raw -D PREROUTING -p udp --dport 1195 -j NOTRACK

With this, I can apply the MASQUERADE rule and it works very well. Now, I have to install conntrack-tools to delete the connection tracking entry very quickly.

Thanks very much, I really appreciate your help; I was desperate because I did not know why it was not working.

E.Huerta
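The root cause Sven-Haegar describes (a conntrack entry created before the NAT rule was loaded keeps its no-NAT state) and the NOTRACK-and-wait workaround in this reply can both be handled by deleting only the stale entries instead of flushing the whole table. This added example is not code from the thread: it parses "conntrack -L" output for flows whose reply tuple shows no source NAT and deletes just those; the sample conntrack lines, the second and third entries' addresses, and the CONNTRACK stub variable are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: find and delete only the
# conntrack entries that were created before the NAT rule existed and
# therefore never get MASQUERADEd. Running it for real needs root and
# conntrack-tools; the parsing works on the "conntrack -L" line shape
# shown in the thread.

CONNTRACK="${CONNTRACK:-conntrack}"   # point at a stub function for dry runs

# Constructed sample of "conntrack -L" output (not captured from the thread's
# router). Entry 1 is a stale un-NATed flow: the reply tuple's dst equals the
# original src, so no SNAT/MASQUERADE was ever applied. Entry 2 was already
# masqueraded to 201.102.128.12. Entry 3 is a different port and is ignored.
SAMPLE_CONNTRACK='udp      17 179 src=38.124.170.14 dst=38.124.170.25 sport=1195 dport=1195 packets=496310 bytes=132295480 src=38.124.170.25 dst=38.124.170.14 sport=1195 dport=1195 packets=664491 bytes=169869224 [ASSURED] mark=0 secmark=0 use=1
udp      17 29 src=201.15.40.9 dst=189.189.5.2 sport=1195 dport=1195 src=189.189.5.2 dst=201.102.128.12 sport=1195 dport=1195 [ASSURED] mark=0 use=1
udp      17 10 src=10.0.0.5 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=5353 mark=0 use=1'

# unnatted_flows PROTO DPORT  < conntrack-L-output
# Prints "orig_src orig_dst dport" for each PROTO entry whose original
# destination port is DPORT and whose reply dst equals the original src,
# i.e. a tracked flow that the NAT table will never rewrite.
unnatted_flows() {
    awk -v proto="$1" -v port="$2" '
    $1 == proto {
        ns = nd = np = 0
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue
            if (kv[1] == "src")   src[++ns] = kv[2]   # 1 = original, 2 = reply
            if (kv[1] == "dst")   dst[++nd] = kv[2]
            if (kv[1] == "dport") dp[++np]  = kv[2]
        }
        if (ns == 2 && nd == 2 && np == 2 && dp[1] == port && dst[2] == src[1])
            print src[1], dst[1], dp[1]
    }'
}

# flush_unnatted PROTO DPORT  < conntrack-L-output
# Deletes just the stale entries found above, rather than the whole table as
# "conntrack -F" would, so flows that are already NATed keep their state.
flush_unnatted() {
    unnatted_flows "$1" "$2" | while read -r osrc odst dport; do
        "$CONNTRACK" -D -p "$1" --orig-src "$osrc" --orig-dst "$odst" \
            --orig-port-dst "$dport"
    done
}

# Typical use on the site 1 router (as root), before (re)loading the NAT rule:
#   conntrack -L -p udp 2>/dev/null | flush_unnatted udp 1195
#   iptables -t nat -I POSTROUTING -p udp --dport 1195 -o ppp0 -j MASQUERADE
# Dry run on the constructed sample: lists the one stale entry.
printf '%s\n' "$SAMPLE_CONNTRACK" | unnatted_flows udp 1195
```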
