Re: question about NAT rule

[Pete Kay <petedao@gmail.com>]

Hi,

I guess I may have misunderstood the purpose of the
netfilter-conntrack module.  What I would like to do is to set up a
alot of iptables NAT rules ( > 10K at 500 rules (add/drop)/s).  Using
the system iptables command is not going to be fast enough for me.
All I want is to deliver the packets received from specific IP:port to
another IP:port.  Therefore, I am looking into using
netfilter-conntrack api to actually "set" those rules dynamically.  Is
this the right approach in doing that?

Could someone please give me some suggestions?

Thanks,
P

On Tue, Jun 22, 2010 at 11:10 PM, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> Pete Kay a écrit :
>>
>> I have the following NAT rule set up :
>>
>> udp      17 12 src=192.168.1.102 dst=192.168.1.140 sport=7390
>> dport=8000 packets=6 bytes=3258 [UNREPLIED] src=192.168.1.140
>> dst=192.168.1.102 sport=10000 dport=9000 packets=0 bytes=0 mark=0
>> secmark=0 use=2
>
> This is not a NAT rule but a conntrack entry.
>
>> What I am expecting to achieve is that when udp packets go from
>> 192.168.1.102:7390 to 192.168.1.140:8000, the conntrack module would
>> redirect the packet to 192.168.1.102:9000, but it is not happening.
>>
>> Does anyone know what is wrong?
>
> It is not happenning because of the above conntrack entry that says
> otherwise and already exists for these packets, so iptables NAT rules
> are ignored. You must first delete the conntrack entry with
> conntrack-tools or by not transmitting related packets until it expires.
> Then the next packet will hit the iptables NAT rules and create a new
> conntrack entry accordingly.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>