From: sean darcy <seandarcy2@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: where are my udp packets going?
Date: Sun, 16 Nov 2008 16:31:11 -0500 [thread overview]
Message-ID: <gfq3f0$9ot$1@ger.gmane.org> (raw)
In-Reply-To: <492043E5.1080903@plouf.fr.eu.org>
Pascal Hambourg wrote:
> Hello,
>
> sean darcy wrote:
>> sean darcy wrote:
>>> I'm trying to setup port forwarding for a VOIP server that uses IAX
>>> packets, port 4569:
>>>
>>> + /sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4569 -j
>>> DNAT --to 10.10.10.180:4569
>>> + /sbin/iptables -A FORWARD -p udp -m state --state NEW -d
>>> 10.10.10.180 --dport 4569 -j ACCEPT
>>>
>>> but the packets aren't showing up at 10.10.10.180.
> [...]
>> Well, they're going to input.
> [...]
>> In other words, it's port forwarding all iax except from 76.
>
> This happens probably because your NAT box started to receive UDP/4569
> packets from 76.zzz.xxx.yyy before the DNAT rule was created and
> continually receives packets since then. The netfilter connection
> tracking created a conntrack entry without any NAT operation so
> subsequent UDP/4569 packets from 76.zzz.xxx.yyy use that same conntrack
> entry and skip the nat chains, until the entry expires. If the box
> continually sees UDP/4569 packets from 76.zzz.xxx.yyy, then the entry
> never expires. If you pull the ethernet wire off eth0 for a couple of
> minutes, the conntrack entry should expire.
>
> Rationale : don't allow any traffic before all rules are created. A
> simple way to achieve it is to create the rules before network
> interfaces are UP.
> --
I was able to shut down the 76. machine, reboot the server, and it
worked. So, thanks.
But all this leaves me puzzled.
My server does NOT generate 4569 packets, and iptables INPUT drops all
from eth0, except for ssh and ESTABLISHED. So how could there be a
conntrack entry?
Is there a way to DNAT traffic before it reaches the conntrack entry?
Can I change the destination in raw/PREROUTING?
Is there a way to flush the conntrack entry? I'd really like not to
take the network down if this happens again. It's a very remote machine,
and if ssh didn't come up again, I'd need a new job.
Thanks for the help.
sean
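The bring-up order Pascal recommends, plus a check for the kind of un-NATed conntrack entry this reply asks about, as an added example that is not part of the thread and is not code from either poster. It assumes eth0 as the outside interface, 10.10.10.180 as the IAX server, conntrack(8) from conntrack-tools for the delete step, and the constructed conntrack table lines embedded below (in the /proc/net/nf_conntrack layout: original tuple first, reply tuple second).

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: eth0 is the
# Internet-facing interface, 10.10.10.180 is the internal IAX server.
IAX_PORT=4569
IAX_SERVER=10.10.10.180
WAN_IF=eth0

# Read conntrack table lines on stdin and print the original source address
# of every UDP entry towards $IAX_PORT whose reply tuple does NOT originate
# from $IAX_SERVER. Such an entry was created without DNAT (before the nat
# rule existed), so later packets in that flow bypass the nat chains.
stale_iax_entries() {
    awk -v port="$IAX_PORT" -v server="$IAX_SERVER" '
        /udp/ {
            nsrc = 0; osrc = ""; odport = ""; rsrc = ""
            for (i = 1; i <= NF; i++) {
                # first src=/dport= belong to the original tuple, second src= to the reply
                if ($i ~ /^src=/) { nsrc++; if (nsrc == 1) osrc = substr($i, 5); else rsrc = substr($i, 5) }
                if ($i ~ /^dport=/ && odport == "") odport = substr($i, 7)
            }
            if (odport == port && rsrc != server) print osrc
        }'
}

# Constructed sample table: line 1 is a stale entry that skipped DNAT (reply
# comes from the box itself), line 2 was DNATed correctly, line 3 is unrelated.
SAMPLE_CONNTRACK='ipv4     2 udp      17 179 src=76.1.2.3 dst=203.0.113.10 sport=4569 dport=4569 src=203.0.113.10 dst=76.1.2.3 sport=4569 dport=4569 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=198.51.100.7 dst=203.0.113.10 sport=4569 dport=4569 src=10.10.10.180 dst=198.51.100.7 sport=4569 dport=4569 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.9 dst=203.0.113.10 sport=50123 dport=22 src=203.0.113.10 dst=192.0.2.9 sport=22 dport=50123 [ASSURED] mark=0 use=1'

find_stale_in_sample() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | stale_iax_entries
}

# Ordered bring-up: nat and filter rules first, interface last, so no packet
# can create an un-NATed conntrack entry before the DNAT rule is in place.
apply_rules() {
    iptables -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$IAX_PORT" \
        -j DNAT --to-destination "$IAX_SERVER:$IAX_PORT"
    iptables -A FORWARD -p udp -m state --state NEW -d "$IAX_SERVER" \
        --dport "$IAX_PORT" -j ACCEPT
    ip link set "$WAN_IF" up
}

# Drop the stale entries without touching the link. Needs conntrack(8) from
# conntrack-tools and root; removes every UDP entry whose original dport is
# $IAX_PORT, so the next packet from each peer hits the nat PREROUTING chain.
flush_stale_entries() {
    conntrack -D -p udp --dport "$IAX_PORT"
}

case "${1:-sample}" in
    apply)  apply_rules ;;
    flush)  flush_stale_entries ;;
    check)  stale_iax_entries < /proc/net/nf_conntrack ;;
    sample) find_stale_in_sample ;;
    *)      echo "usage: $0 {apply|flush|check|sample}" >&2; exit 2 ;;
esac
```

Run with no argument to see the detector applied to the constructed table (it prints 76.1.2.3 only); `check` runs it against the live table on a box with nf_conntrack loaded; `apply` belongs in whatever runs before the interface is brought up; `flush` is the "without pulling the wire" option, but only if conntrack-tools is installed.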
Thread overview: 6+ messages
2008-11-15 21:04 where are my udp packets going? sean darcy
2008-11-15 23:54 ` sean darcy
2008-11-16 16:01 ` Pascal Hambourg
2008-11-16 21:31 ` sean darcy [this message]
2008-11-17 10:28 ` Pascal Hambourg
2008-11-17 16:49 ` sean darcy