newbie question on netfilter-conntrack

newbie question on netfilter-conntrack

[Pete Kay]

Hi,

I am new to netfilter-conntrack so please excuse me for my simple question.

I am trying to set up a rule such that any UDP packet coming from a
specific IP:port will be redirected to another IP:port.  Could someone
please give me an example how this can be done?

Also, I would like to know if it is possible to monitor the proxying
of the UDP packet to obtain information such as jitter and packet
lost.  How can I do that?


Thanks,
P

Re: newbie question on netfilter-conntrack

[Andrew Beverley]

Pete,

> I am trying to set up a rule such that any UDP packet coming from a
> specific IP:port will be redirected to another IP:port.  Could someone
> please give me an example how this can be done?

You'll need something like:

iptables -t nat -A PREROUTING -p udp --sport 1234 --source 1.2.3.4 \
	-j DNAT --to-destination 4.3.2.1:4321

If you do 'man iptables' you will see details of all these options. You
may also find that this simple kernel routing diagram helps:

http://www.docum.org/docum.org/kptd/

> Also, I would like to know if it is possible to monitor the proxying
> of the UDP packet to obtain information such as jitter and packet
> lost.  How can I do that?

Not sure about that I'm afraid; maybe somebody else can help.

Andy

Re: newbie question on netfilter-conntrack

[Jan Engelhardt]

On Sunday 2010-06-20 13:41, Pete Kay wrote:

>Hi,
>
>I am new to netfilter-conntrack so please excuse me for my simple question.
>
>I am trying to set up a rule such that any UDP packet coming from a
>specific IP:port will be redirected to another IP:port.  Could someone
>please give me an example how this can be done?

Why not just directly connect to the right tuple?

Re: newbie question on netfilter-conntrack

[Pete Kay]

Hi,

I need to do a fast UDP proxy, so i am looking for ways that I can
insert/remove 1000 entries/s.   I tried iptable but it is too slow.
Therefore, I am looking to use conntrack-tool to insert the entry to
see if it can be faster.  Does anyone know if that is possible?  I
have trouble figure out how to use the conntrack-tool's conntrack
command ( -I option).  Can someone please give me an example?

Thanks,
P

On Sun, Jun 20, 2010 at 8:15 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Sunday 2010-06-20 13:41, Pete Kay wrote:
>
>>Hi,
>>
>>I am new to netfilter-conntrack so please excuse me for my simple question.
>>
>>I am trying to set up a rule such that any UDP packet coming from a
>>specific IP:port will be redirected to another IP:port.  Could someone
>>please give me an example how this can be done?
>
> Why not just directly connect to the right tuple?
>

Re: newbie question on netfilter-conntrack

[Pete Kay]

Hi Jan,

Thanks for your hint.  Could you share with me how to "connect to the
right tuple"?

Is there any C library that I can use?

thanks,
P

On Sun, Jun 20, 2010 at 8:15 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Sunday 2010-06-20 13:41, Pete Kay wrote:
>
>>Hi,
>>
>>I am new to netfilter-conntrack so please excuse me for my simple question.
>>
>>I am trying to set up a rule such that any UDP packet coming from a
>>specific IP:port will be redirected to another IP:port.  Could someone
>>please give me an example how this can be done?
>
> Why not just directly connect to the right tuple?
>

Re: newbie question on netfilter-conntrack

[Pete Kay]

Hi,

Sorry for posting multiple times.  This should be my last one.

I modified the conntrack_create_nat.c to redirect udp traffic coming
from a specific IP:port to another IP, but the program gives error,
the result of ret is (-1).  Does anyone know what's wrong?

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack_udp.h>

int main()
{
	int ret;
	struct nfct_handle *h;
	struct nf_conntrack *ct;

	ct = nfct_new();
	if (!ct) {
		perror("nfct_new");
		return 0;
	}

	nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET);
	nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("192.168.1.12"));
	nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("192.168.1.102"));
	
	nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_UDP);
	nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(5060));
	nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(5060));

	nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
	//nfct_set_atrr_u8(ct, ATTR_UDP_STATE, UDP_CONNTRACK_SYN_SENT);
	//nfct_set_attr_u8(ct, ATTR_TCP_STATE, TCP_CONNTRACK_SYN_SENT);
	nfct_set_attr_u32(ct, ATTR_TIMEOUT, 100);

	nfct_set_attr_u32(ct, ATTR_SNAT_IPV4, inet_addr("192.168.1.13"));

	h = nfct_open(CONNTRACK, 0);

	if (!h) {
		perror("nfct_open");
		return -1;
	}

	ret = nfct_query(h, NFCT_Q_CREATE, ct);

	printf("TEST: create conntrack ");

	if (ret == -1)
		printf("(%d)\n", ret);
	else
		printf("(OK)\n");

	nfct_close(h);

	ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS);
}

Re: newbie question on netfilter-conntrack

[Pablo Neira Ayuso]

Pete Kay wrote:
> Hi,
> 
> Sorry for posting multiple times.  This should be my last one.
> 
> I modified the conntrack_create_nat.c to redirect udp traffic coming
> from a specific IP:port to another IP, but the program gives error,
> the result of ret is (-1).  Does anyone know what's wrong?

# ./a.out
TEST: create conntrack (OK)
decadence:/tmp# conntrack -L -p udp
udp      17 92 src=192.168.1.12 dst=192.168.1.102 sport=5060 dport=5060
packets=0 bytes=0 [UNREPLIED] src=192.168.1.102 dst=192.168.1.13
sport=5060 dport=5060 packets=0 bytes=0 mark=0 secmark=0 use=2
conntrack v0.9.14 (conntrack-tools): 1 flow entries have been shown.

It works fine here with 2.6.34 and libnetfilter_conntrack 0.0.101