* question about NAT rule
@ 2010-06-22 14:20 Pete Kay
2010-06-22 15:10 ` Pascal Hambourg
0 siblings, 1 reply; 4+ messages in thread
From: Pete Kay @ 2010-06-22 14:20 UTC (permalink / raw)
To: netfilter
Hi,
I have the following NAT rule set up :
udp 17 12 src=192.168.1.102 dst=192.168.1.140 sport=7390
dport=8000 packets=6 bytes=3258 [UNREPLIED] src=192.168.1.140
dst=192.168.1.102 sport=10000 dport=9000 packets=0 bytes=0 mark=0
secmark=0 use=2
What I am expecting to achieve is that when udp packets go from
192.168.1.102:7390 to 192.168.1.140:8000, the conntrack module would
redirect the packet to 192.168.1.102:9000, but it is not happening.
Does anyone know what is wrong?
From wireshark, I am seeing
100 11.732246 192.168.1.140 192.168.1.102 ICMP Destination unreachable
(Port unreachable)
Any help will be greatly appreciated.
Thanks,
P
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: question about NAT rule
2010-06-22 14:20 question about NAT rule Pete Kay
@ 2010-06-22 15:10 ` Pascal Hambourg
2010-06-23 1:57 ` Pete Kay
0 siblings, 1 reply; 4+ messages in thread
From: Pascal Hambourg @ 2010-06-22 15:10 UTC (permalink / raw)
To: netfilter
Hello,
Pete Kay a écrit :
>
> I have the following NAT rule set up :
>
> udp 17 12 src=192.168.1.102 dst=192.168.1.140 sport=7390
> dport=8000 packets=6 bytes=3258 [UNREPLIED] src=192.168.1.140
> dst=192.168.1.102 sport=10000 dport=9000 packets=0 bytes=0 mark=0
> secmark=0 use=2
This is not a NAT rule but a conntrack entry.
> What I am expecting to achieve is that when udp packets go from
> 192.168.1.102:7390 to 192.168.1.140:8000, the conntrack module would
> redirect the packet to 192.168.1.102:9000, but it is not happening.
>
> Does anyone know what is wrong?
It is not happenning because of the above conntrack entry that says
otherwise and already exists for these packets, so iptables NAT rules
are ignored. You must first delete the conntrack entry with
conntrack-tools or by not transmitting related packets until it expires.
Then the next packet will hit the iptables NAT rules and create a new
conntrack entry accordingly.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: question about NAT rule
2010-06-22 15:10 ` Pascal Hambourg
@ 2010-06-23 1:57 ` Pete Kay
2010-06-28 17:42 ` Anatoly Muliarski
0 siblings, 1 reply; 4+ messages in thread
From: Pete Kay @ 2010-06-23 1:57 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Hi,
I guess I may have misunderstood the purpose of the
netfilter-conntrack module. What I would like to do is to set up a
alot of iptables NAT rules ( > 10K at 500 rules (add/drop)/s). Using
the system iptables command is not going to be fast enough for me.
All I want is to deliver the packets received from specific IP:port to
another IP:port. Therefore, I am looking into using
netfilter-conntrack api to actually "set" those rules dynamically. Is
this the right approach in doing that?
Could someone please give me some suggestions?
Thanks,
P
On Tue, Jun 22, 2010 at 11:10 PM, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> Pete Kay a écrit :
>>
>> I have the following NAT rule set up :
>>
>> udp 17 12 src=192.168.1.102 dst=192.168.1.140 sport=7390
>> dport=8000 packets=6 bytes=3258 [UNREPLIED] src=192.168.1.140
>> dst=192.168.1.102 sport=10000 dport=9000 packets=0 bytes=0 mark=0
>> secmark=0 use=2
>
> This is not a NAT rule but a conntrack entry.
>
>> What I am expecting to achieve is that when udp packets go from
>> 192.168.1.102:7390 to 192.168.1.140:8000, the conntrack module would
>> redirect the packet to 192.168.1.102:9000, but it is not happening.
>>
>> Does anyone know what is wrong?
>
> It is not happenning because of the above conntrack entry that says
> otherwise and already exists for these packets, so iptables NAT rules
> are ignored. You must first delete the conntrack entry with
> conntrack-tools or by not transmitting related packets until it expires.
> Then the next packet will hit the iptables NAT rules and create a new
> conntrack entry accordingly.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: question about NAT rule
2010-06-23 1:57 ` Pete Kay
@ 2010-06-28 17:42 ` Anatoly Muliarski
0 siblings, 0 replies; 4+ messages in thread
From: Anatoly Muliarski @ 2010-06-28 17:42 UTC (permalink / raw)
To: netfilter
2010/6/23 Pete Kay <petedao@gmail.com>:
> Hi,
>
> I guess I may have misunderstood the purpose of the
> netfilter-conntrack module. What I would like to do is to set up a
> alot of iptables NAT rules ( > 10K at 500 rules (add/drop)/s). Using
> the system iptables command is not going to be fast enough for me.
> All I want is to deliver the packets received from specific IP:port to
> another IP:port. Therefore, I am looking into using
> netfilter-conntrack api to actually "set" those rules dynamically. Is
> this the right approach in doing that?
>
> Could someone please give me some suggestions?
Adding/dropping iptables rule for a whole set of 10K rules is a very
time-consuming procedure.
Probably you ought to try to change the algoritm logic. As a way I
suggest using ipset for storing info about IPs and ports and to build
an unchangable set of iptables rules for walking through them in a
binary tree manner.
--
Best regards
Anatoly Muliarski
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2010-06-28 17:42 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-06-22 14:20 question about NAT rule Pete Kay
2010-06-22 15:10 ` Pascal Hambourg
2010-06-23 1:57 ` Pete Kay
2010-06-28 17:42 ` Anatoly Muliarski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).