iptables !! not sure.

jay123 · 04-25-2007, 02:36 PM

I would appreciate if someone can help me. I am forwarding IP pkts from eth1 to eth2 and eth2 to eth1. I do see all of the TCP traffic with out any problem. However, I do not see any UDP traffic flow. What I really want is to forward all of the TCP as well UDP traffic in both direction.

Here is my configuration:

PC(1) IP: 192.168.0.126/24
|
Linux (Redhat Fedora Core release 4 (Stentz)
Eth1 IP: 192.168.0.100/24 Gt: 192.168.0.126
Eth2 IP: 63.243.29.1/24 Gt: 63.243.29.105
|
PC (2) IP: 63.243.29.105/24

I already enable IP forward by typing following command:

echo 1 >/proc/sys/net/ipv4/ip_forward

I also add below commands, did not help any.

/sbin/iptables -A FORWARD -o eth1 -p udp --dport 1:65500 -m state --state NEW, ESTABLISHED, RELATED -j ACCEPT
/sbin/iptables -A FORWARD -o eth2 -p udp –dport 1:65500 -m state --state ESTABLISHED, RELATED -j ACCEPT

Tks,
Jay

nirmaltom · 04-25-2007, 02:49 PM

hi,
what about the route man?
routeadd command is the one u r missing
route -n shows u all the route.
regards,
Nirmal Tom.

osor · 04-25-2007, 02:52 PM

The ip_forward kernel setting is agnostic with respect to TCP vs. UDP, so I’ll guess the problem is your netfilter setup. Would you please post the output of “iptables-save”?

jay123 · 04-25-2007, 03:40 PM

Not sure what to look for?

[root@localhost ~]# iptables-save

# Generated by iptables-save v1.3.0 on Wed Apr 25 16:36:54 2007
*nat
:OUTPUT ACCEPT [76:5111]
:POSTROUTING ACCEPT [64:4483]
:PREROUTING ACCEPT [395:47727]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT

# Completed on Wed Apr 25 16:36:54 2007
# Generated by iptables-save v1.3.0 on Wed Apr 25 16:36:54 2007

*mangle
:FORWARD ACCEPT [366598:357285585]
:INPUT ACCEPT [8047:10371266]
:OUTPUT ACCEPT [1529:1175654]
:POSTROUTING ACCEPT [368148:358463385]
:PREROUTING ACCEPT [374729:367671472]
-A PREROUTING -i eth1 -j MARK --set-mark 0x9
-A PREROUTING -i eth2 -j MARK --set-mark 0x9

COMMIT

# Completed on Wed Apr 25 16:36:54 2007
# Generated by iptables-save v1.3.0 on Wed Apr 25 16:36:54 2007
*filter
:FORWARD ACCEPT [151531:147837839]
:INPUT ACCEPT [2741:3125299]
:OUTPUT ACCEPT [1529:1178350]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -o eth1 -p udp -m udp --dport 1:65500 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth2 -p udp -m udp --dport 1:65500 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

# Completed on Wed Apr 25 16:36:54 2007

jay123 · 04-26-2007, 10:30 AM

I still stuck. Any help I would appreciate.

Tks,
Jay

nirmaltom · 04-26-2007, 12:12 PM

hi,
Are u able to forward the packets when the iptables is stopped?If not then the problem is not with it!
Output of route -n?
regards,
Nirmal Tom.

jay123 · 04-26-2007, 03:58 PM

Thank you sir, Here is my current route table. TCP pkt. goes thru IPforward ports (eth1 and eth2)but no UDP. when UDP traffic comes from eth1 --> eth2 that is where it start dropping. Any suggestion greatly appricated.

[root@localhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
63.243.29.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1

jay123 · 04-26-2007, 04:08 PM

hello sir, I did not answer to your question. Yes, I did iptables -F (flush out policy). I see no differnce. For the traffic Yes to TCP, No to UDP.

SlackDaemon · 04-27-2007, 02:19 AM

Quote:

Originally Posted by jay123

/sbin/iptables -A FORWARD -o eth1 -p udp --dport 1:65500 -m state --state NEW, ESTABLISHED, RELATED -j ACCEPT
/sbin/iptables -A FORWARD -o eth2 -p udp –dport 1:65500 -m state --state ESTABLISHED, RELATED -j ACCEPT

Tks,
Jay

Just a sanity check but will the state module work in this case? UDP being a stateless protocol and all. Try the same command without the -m state section:

/sbin/iptables -A FORWARD -o eth1 -p udp --dport 1:65500 -j ACCEPT
/sbin/iptables -A FORWARD -o eth2 -p udp –dport 1:65500 -j ACCEPT

hope this helps.

edit: also what tool are you using to monitor traffic on the interface cards? iptraf will give you traffic information for both TCP and UDP.

nirmaltom · 04-27-2007, 12:36 PM

hi,
u misunderstood,I dont say to flush the rules but i ask to do service iptables stop.
After then if everything works fine, then we shall deal with iptables.

First,this is temporary ,When u restart it will gone

Quote:

echo 1 >/proc/sys/net/ipv4/ip_forward

U have to make entry in /etc/sysctl.conf

That activates only the forwarding feature of kernel.U have to denote the interfaces

For the purpose u can use either routeadd command or an entry in /etc/sysconfig/static-routes like

any net X netmask Y gw Z dev A

It explains any packet destined for X (Ex 192.168.1.0) with subnet mask Y (Ex 255.255.255.0) can be sent out through A (Ex eth0) via the Z gateway.

regards,
Nirmal Tom.

jay123 · 04-30-2007, 12:50 PM

Hello sir,

I typed exactly as you suggested and I still see –m state below in result. Not sure why?

/sbin/iptables -A FORWARD -o eth1 -p udp --dport 1:65500 -j ACCEPT
/sbin/iptables -A FORWARD -o eth2 -p udp –dport 1:65500 -j ACCEPT

- I have also enable IP forward by typing “echo 1 >/proc/sys/net/ipv4/ip_forward”. Not sure if “route add” can help here. I will try next adding route next. Any suggestion?
- I have Video software that can be configure for TCP or UDP. It is server and client base. Typical VOICE traffic and video conference software also used UDP traffic.

Below is iptables-save
---------------------------------------------------------------
[root@localhost ~]# iptables-save
# Generated by iptables-save v1.3.0 on Mon Apr 30 11:55:44 2007
*filter
:FORWARD ACCEPT [31058:29406644]
:INPUT ACCEPT [128:11964]
:OUTPUT ACCEPT [291:135804]
-A FORWARD -o eth1 -p udp -m udp --dport 1:65500 -j ACCEPT
-A FORWARD -o eth2 -p udp -m udp --dport 1:65500 -j ACCEPT
COMMIT
# Completed on Mon Apr 30 11:55:44 2007

----------------------------------------------------------------------

Here I am using tcpdump. Note: UDP pkts are sending from x.x.x.126 to x.x.x.100 unfortunately it is drop.

- 09:39:57.378500 IP 192.168.0.126.4618 > 192.168.0.100.1108: UDP, length 1450
- 09:39:57.378621 IP 192.168.0.126.4618 > 192.168.0.100.1108: UDP, length 1450

- 09:39:57.396023 IP 192.168.0.100.1111 > 192.168.0.126.19000: S 1435452374:1435452374(0)
win 65535 <mss 1460,nop,nop,sackOK>
- 09:39:57.396141 IP 192.168.0.126.19000 > 192.168.0.100.1111: S 1868224046:1868224046(0)
ack 14354 52375 win 17520 <mss 1460,nop,nop,sackOK>
- 09:39:57.396273 IP 192.168.0.100.1111 > 192.168.0.126.19000: . ack 1 win 65535
- 09:39:57.396339 IP 192.168.0.100.1111 > 192.168.0.126.19000: P 1:14(13) ack 1 win 65535
- 09:39:57.396681 IP 192.168.0.126.19000 > 192.168.0.100.1107: F 3076880974:3076880974(0)
ack 41629 65741 win 17503
- 09:39:57.396806 IP 192.168.0.100.1107 > 192.168.0.126.19000: . ack 1 win 65517
- 09:39:57.396813 IP 192.168.0.126.19000 > 192.168.0.100.1111: P 1:13(12) ack 14 win
1750709:39:57.397064 IP 192.168.0.126.4618 > 192.168.0.100.1108: UDP, length 1450
- 09:39:57.397093 IP 192.168.0.100 > 192.168.0.126: icmp 556: 192.168.0.100 udp port 1108 unreachable
- 09:39:57.397099 IP 192.168.0.126.19000 > 192.168.0.100.1111: F 13:13(0) ack 14 win
1750709:39:57.397235 IP 192.168.0.100.1111 > 192.168.0.126.19000: . ack 14 win 65523
- 09:39:57.397364 IP 192.168.0.100.1111 > 192.168.0.126.19000: F 14:14(0) ack 14 win
6552309:39:57.397469 IP 192.168.0.126.19000 > 192.168.0.100.1111: . ack 15 win 17507
- 09:39:57.398676 IP 192.168.0.100.1107 > 192.168.0.126.19000: F 1:1(0) ack 1 win 65517
- 09:39:57.398801 IP 192.168.0.126.19000 > 192.168.0.100.1107: . ack 2 win 17503
- 09:40:16.444849 IP 192.168.0.126.1346 > 229.55.150.208.1345: UDP, length 180
- 09:40:16.445628 IP 192.168.0.126.4619 > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
- 09:40:21.443719 IP 192.168.0.126.4619 > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST