LinuxQuestions.org
Old 02-19-2010, 01:20 PM   #1
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043
New rules do not take effect with existing UDP streams


On my firewall I have DNAT for certain UDP streams. I have set up the DNAT and FORWARD rules:

Code:
#: Redirect port 6006 to TH2
$IPTABLES -A FORWARD -j ACCEPT -d $hst_stratus_th2  -p udp --dport $prt_mdi
$IPTABLES -t nat -A PREROUTING --dst $hst_ext_internet -p udp --dport $prt_mdi -j DNAT --to-destination $hst_stratus_th2:$prt_mdi
#:
These lines are called in a bash script. So far, so good, the redirection works. That is not the question.

However, while I am experimenting I want to change the --to-destination. I can change that, but the existing stream continues to be redirected to the old --to-destination.
Worse, the FORWARD rule is changed and applied, so the packets are dnatted to the old host, but disallowed by the FORWARD rule.

Only when I discontinue the UDP stream at the source, wait a certain amount of time and restart the stream is it DNAT-ted correctly to the new host.

This is awkward of course. The nature of this UDP stream is that it comes in continuously and that I should be able to choose where to send it.

I know that even though UDP is stateless, iptables is stateful in some aspects for UDP streams, as it tracks existing connections.

I set up iptables in a bash script, and this script starts with:

Code:
echo "0" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -F PREROUTING
$IPTABLES -t mangle -F OUTPUT
$IPTABLES -t mangle -F POSTROUTING
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F OUTPUT
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -F
As you see, in desperation I flush everything except the toilet.

Question: How do I tell iptables to discontinue redirecting the existing stream to one host and start redirecting it to a new host according to a new DNAT rule?

jlinkels
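Added example, not from the thread (none of its posts supply it): a script reusing the post's variable names that reads, from the conntrack table, which host an existing UDP flow is still being DNATed to, and that swaps the two rules and deletes the tracked entry so the new DNAT rule actually applies to the running stream. It assumes conntrack-tools is installed; the addresses and the sample conntrack output are constructed.

```shell
#!/bin/sh
# Added example (not from the thread); reuses the post's variable names.
IPTABLES=${IPTABLES:-iptables}
hst_ext_internet=${hst_ext_internet:-203.0.113.5}   # constructed placeholder
prt_mdi=${prt_mdi:-6006}

# Constructed 'conntrack -L' style output: one DNATed stream on port 6006 and an
# unrelated DNS flow, to exercise the parser below without root.
SAMPLE_CONNTRACK='udp      17 29 src=198.51.100.7 dst=203.0.113.5 sport=40000 dport=6006 src=192.168.10.2 dst=198.51.100.7 sport=6006 dport=40000 [ASSURED] mark=0 use=1
udp      17 10 src=198.51.100.9 dst=203.0.113.5 sport=53012 dport=53 src=192.168.10.3 dst=198.51.100.9 sport=53 dport=53012 mark=0 use=1'

# Read conntrack -L text on stdin and print, for every UDP entry whose original
# destination port is $1, the reply-direction source: that is the host the kernel
# is still DNATing the flow to, whatever the nat table says now.
current_dnat_targets() {
    awk -v p="$1" '
        $1 == "udp" {
            seen = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dport=/ && seen == 0) {
                    # first dport= is the original direction
                    if (substr($i, 7) != p) next
                    seen = 1
                } else if ($i ~ /^src=/ && seen == 1) {
                    # first src= after it is the reply direction: the DNAT target
                    print substr($i, 5); break
                }
            }
        }'
}

# Live check (needs root): which host is the existing stream really going to?
show_current_target() {
    conntrack -L -p udp --dport "$prt_mdi" 2>/dev/null | current_dnat_targets "$prt_mdi"
}

# Swap the stream from $1 to $2 (needs root). Rule edits alone are not enough: the
# NAT decision was stored in the conntrack entry on the first packet and later
# packets reuse it; deleting the entry makes the next packet traverse PREROUTING again.
redirect_udp_to() {
    old_host=$1; new_host=$2
    $IPTABLES -D FORWARD -d "$old_host" -p udp --dport "$prt_mdi" -j ACCEPT 2>/dev/null
    $IPTABLES -t nat -D PREROUTING --dst "$hst_ext_internet" -p udp --dport "$prt_mdi" \
        -j DNAT --to-destination "$old_host:$prt_mdi" 2>/dev/null
    $IPTABLES -A FORWARD -d "$new_host" -p udp --dport "$prt_mdi" -j ACCEPT
    $IPTABLES -t nat -A PREROUTING --dst "$hst_ext_internet" -p udp --dport "$prt_mdi" \
        -j DNAT --to-destination "$new_host:$prt_mdi"
    conntrack -D -p udp --dport "$prt_mdi"
}
```

Run `show_current_target` before and after `redirect_udp_to OLD NEW` to confirm the flow has moved; the parser alone can be checked against the constructed sample without root.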
 
Old 02-19-2010, 01:25 PM   #2
jiobo
Member
 
Registered: Nov 2008
Posts: 180

Rep: Reputation: 36
You would have to delete the last rule, and then add the new rule. When you add a rule, unless you specify the rule location, it goes to the end of the list, so the rule before it is run first. You can also put the rule into the right location if you know the rule number to put it into. Read:
Code:
man iptables
 
Old 02-19-2010, 02:02 PM   #3
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Original Poster
Rep: Reputation: 1043
Quote:
Originally Posted by jiobo View Post
You would have to delete the last rule
AFAIK, by flushing all tables and chains I do delete all rules, or isn't that true?

Or is it important, as you say, to insert the new rule in exactly the same place as the old one?

jlinkels
 
Old 02-19-2010, 03:28 PM   #4
jiobo
Member
 
Registered: Nov 2008
Posts: 180

Rep: Reputation: 36
Quote:
Originally Posted by jlinkels View Post
AFAIK, by flushing all tables and chains I do delete all rules, or isn't that true?
You can flush all tables and chains, that is true. Then there are no rules in the tables and chains except the policies.

Code:
iptables -L
 
Old 02-19-2010, 04:44 PM   #5
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Original Poster
Rep: Reputation: 1043
When I have flushed all tables and chains and entered my new rules, and I do iptables -t nat -L and iptables -L I see my new rules. But still they are not applied to the existing stream.

Please don't talk in mysteries and tell me what I do wrong if I flush the tables and enter new rules. Do you mean that when I do iptables -L I should see some stuck rule after flushing? For sure not in the nat table, right?

jlinkels
 