Linux Netfilter discussions
From: Cliff Stanford <cliff@may.be>
To: netfilter@vger.kernel.org
Subject: NAT problem with iptables
Date: Sun, 07 Oct 2007 19:19:55 +0200	[thread overview]
Message-ID: <4709153B.8060309@may.be> (raw)

I have just built a Linux (Fedora 7) box to act as an ADSL router and
NAT for two private (10.0.0.0) networks.

The problem I have is that I have a PBX running Asterisk behind the
router which must connect using iax2 to a box outside of the network.
Similarly, the remote switchboard must be able to connect using iax2 to
my nat'ed PBX.

My entire iptables setup at the moment looks like this:

[root@gw ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    LOG        udp  --  anywhere             anywhere            udp
dpt:iax state NEW LOG level warning prefix `INPUT (NEW): '
2    REJECT     udp  --  anywhere             anywhere            udp
dpt:iax state NEW reject-with icmp-port-unreachable
3    LOG        udp  --  anywhere             anywhere            udp
dpt:iax LOG level warning prefix `INPUT: '

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@gw ~]# iptables -t nat -L --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    LOG        udp  --  anywhere             anywhere            udp
dpt:iax LOG level warning prefix `NAT: '
2    DNAT       udp  --  anywhere             anywhere            udp
dpt:iax to:10.20.30.14
3    DNAT       tcp  --  anywhere             anywhere            tcp
dpt:http to:10.20.30.33
4    DNAT       tcp  --  anywhere             anywhere            tcp
dpt:ms-wbt-server to:10.20.30.74
5    DNAT       tcp  --  anywhere             anywhere            tcp
dpt:printer to:10.20.30.63
6    DNAT       tcp  --  anywhere             anywhere            tcp
dpt:x11 to:10.20.30.74

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       all  --  anywhere             anywhere
to:217.125.3.73

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@gw ~]#

I would expect all NEW UDP packets coming in on port 4569 (iax) to be
redirected to 10.20.30.14 after being logged as NAT: and subsequent
packets to be redirected via conntrack but not to be logged.

In practice, I am getting a continual stream of the INPUT: log messages:

Oct  7 18:48:35 gw kernel: INPUT (NEW): IN=atm0 OUT=
MAC=aa:aa:03:00:00:00:08:00 SRC=194.70.36.201 DST=217.125.3.73 LEN=40
TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=4569 DPT=4569 LEN=20
Oct  7 18:49:15 gw last message repeated 4 times
Oct  7 18:50:16 gw last message repeated 7 times
Oct  7 18:51:35 gw last message repeated 7 times

The output from conntrack is:

[root@gw ~]# conntrack -L -s 194.70.36.201
udp      17 23 src=194.70.36.201 dst=217.125.3.73 sport=4569 dport=4569
packets=1332 bytes=53280 [UNREPLIED] src=217.125.3.73 dst=194.70.36.201
sport=4569 dport=4569 packets=0 bytes=0 mark=0 use=1
[root@gw ~]# conntrack -L -d 194.70.36.201 -s 10.20.30.14
udp      17 122 src=10.20.30.14 dst=194.70.36.201 sport=4569 dport=4569
packets=701 bytes=36932 src=194.70.36.201 dst=217.125.3.73 sport=4569
dport=1024 packets=491 bytes=28742 [ASSURED] mark=0 use=1

The second row is the outbound IAX which is working fine.  So it
definitely seems that this rule is not working:

iptables -A PREROUTING -p udp -m udp --dport 4569 -j DNAT
--to-destination 10.20.30.14

I assume I'm missing something and hope someone on this list can see
what it is.  I'd be very grateful.

Apologies for the long lines and thanks in anticipation.

Cliff.
-- 
Cliff Stanford
Might Limited                           +44 845 0045 666 (Office)
Suite 67, Dorset House                  +44 7973 616 666 (Mobile)
Duke Street, Chelmsford, CM1 1TB
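The two `conntrack -L` entries and the kernel LOG line quoted above already contain the evidence needed to tell whether the PREROUTING DNAT was applied to a flow: netfilter records a NAT binding in the reply tuple of the conntrack entry, so an inbound entry whose reply source is still the public address (rather than the DNAT target) has no DNAT binding, and a LOG line from the INPUT chain with `DST=` set to the public address shows the packet was delivered locally rather than forwarded. The script below is an added example, not code from the original post; it re-joins the quoted entries and log line onto single lines as constructed sample input, and takes the DNAT target (10.20.30.14) and port (4569) from the PREROUTING rule shown. The helper names (`parse_conntrack_line`, `check_inbound_dnat`, `parse_log_line`, `log_packet_was_dnated`) are this example's own.

```python
"""Diagnose an inbound DNAT that appears not to apply, from `conntrack -L`
and iptables LOG output (added example; not the original poster's code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: the two entries quoted in the message, each
# re-joined onto one line (conntrack -L prints one entry per line).
SAMPLE_CONNTRACK = """\
udp      17 23 src=194.70.36.201 dst=217.125.3.73 sport=4569 dport=4569 packets=1332 bytes=53280 [UNREPLIED] src=217.125.3.73 dst=194.70.36.201 sport=4569 dport=4569 packets=0 bytes=0 mark=0 use=1
udp      17 122 src=10.20.30.14 dst=194.70.36.201 sport=4569 dport=4569 packets=701 bytes=36932 src=194.70.36.201 dst=217.125.3.73 sport=4569 dport=1024 packets=491 bytes=28742 [ASSURED] mark=0 use=1
"""

# Constructed sample: the INPUT (NEW) log line from the message, re-joined.
SAMPLE_LOG = ("Oct  7 18:48:35 gw kernel: INPUT (NEW): IN=atm0 OUT= "
              "MAC=aa:aa:03:00:00:00:08:00 SRC=194.70.36.201 DST=217.125.3.73 LEN=40 "
              "TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=4569 DPT=4569 LEN=20")

DNAT_TARGET = "10.20.30.14"   # from the PREROUTING rule in the message
IAX_PORT = 4569               # udp dpt:iax


@dataclass
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int
    packets: int = 0


@dataclass
class CtEntry:
    proto: str
    timeout: int               # seconds left before the entry expires
    orig: Tuple4               # direction in which the flow was first seen
    reply: Tuple4              # what a reply packet is expected to look like
    flags: List[str] = field(default_factory=list)

    def dnat_applied(self) -> bool:
        # DNAT rewrites the destination, so the reply tuple's source no
        # longer equals the original tuple's destination.
        return (self.reply.src, self.reply.sport) != (self.orig.dst, self.orig.dport)

    def snat_applied(self) -> bool:
        # SNAT rewrites the source, so the reply tuple's destination no
        # longer equals the original tuple's source (address or port).
        return (self.reply.dst, self.reply.dport) != (self.orig.src, self.orig.sport)


KV = re.compile(r"(\w+)=(\S*)")
FLAG = re.compile(r"\[([A-Z]+)\]")


def parse_conntrack_line(line: str) -> CtEntry:
    """Split one `conntrack -L` line into original and reply tuples."""
    parts = line.split()
    proto, timeout = parts[0], int(parts[2])       # e.g. "udp 17 23"
    halves: List[Dict[str, str]] = [{}]
    for key, val in KV.findall(line):
        if key == "src" and "src" in halves[-1]:
            halves.append({})                        # second src= starts the reply tuple
        halves[-1][key] = val

    def tup(d: Dict[str, str]) -> Tuple4:
        return Tuple4(d["src"], d["dst"], int(d["sport"]), int(d["dport"]),
                      int(d.get("packets", 0)))

    return CtEntry(proto, timeout, tup(halves[0]), tup(halves[1]), FLAG.findall(line))


def check_inbound_dnat(entries: List[CtEntry], port: int, dnat_target: str) -> List[str]:
    """Report inbound flows to `port` that carry no DNAT binding to `dnat_target`."""
    findings = []
    for e in entries:
        if e.proto != "udp" or e.orig.dport != port:
            continue
        if e.orig.src == dnat_target:
            continue                                 # outbound flow from the DNAT target itself
        if not e.dnat_applied():
            state = " [UNREPLIED]" if "UNREPLIED" in e.flags else ""
            findings.append(f"{e.orig.src}:{e.orig.sport} -> {e.orig.dst}:{e.orig.dport}: "
                            f"{e.orig.packets} packets, no DNAT binding{state}")
    return findings


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn an iptables LOG line into a KEY=value dict (OUT= may be empty)."""
    return dict(KV.findall(line))


def log_packet_was_dnated(fields: Dict[str, str], dnat_target: str) -> bool:
    """True only if the logged packet already carries the rewritten destination."""
    return fields.get("DST") == dnat_target


if __name__ == "__main__":
    entries = [parse_conntrack_line(l) for l in SAMPLE_CONNTRACK.splitlines() if l.strip()]
    for f in check_inbound_dnat(entries, IAX_PORT, DNAT_TARGET):
        print("conntrack:", f)
    fields = parse_log_line(SAMPLE_LOG)
    print("log DST is DNAT target:", log_packet_was_dnated(fields, DNAT_TARGET),
          "| delivered locally (OUT empty):", fields.get("OUT") == "")
```

For the quoted entries the first one is flagged: its reply tuple still says `src=217.125.3.73`, and the logged packet has `DST=217.125.3.73` with an empty `OUT=`, which is why it reaches the INPUT chain instead of being forwarded. In general a NAT binding is chosen only when the conntrack entry is created, so a flow whose entry already existed before a nat rule was loaded keeps its old (non-)binding until the entry expires or is deleted (for example with `conntrack -D -s <address>`), after which the next packet traverses the nat table again.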


Thread overview: 7+ messages
2007-10-07 17:19 Cliff Stanford [this message]
2007-10-07 19:26 ` NAT problem with iptables Pascal Hambourg
2007-10-07 20:09   ` Cliff Stanford
2007-10-07 20:32     ` Pascal Hambourg
