iptables: trying to forward UDP traffic

jbbroccard2 · 01-31-2015, 02:01 PM

Hello all,
I am trying to setup a system (192.168.1.91) that will forward UDP traffic (port 6000) from a given host (192.168.1.3) on a given port (6000) to another system (192.168.1.199).

The packet path should look like this:
192.168.1.3:6000 ----udp-----> 192.168.1.91:6000 ----udp----> 192.168.1.199:6000

Here are the commands I use:
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -A PREROUTING -s 192.168.1.3 -p udp --dport 6000 -j DNAT --to-destination 192.168.1.199:6000
iptables -t nat -A POSTROUTING -j MASQUERADE

Basically, nothing really happens when I run these commands the packets arrive on .91 but are not forwarded at all.
Note: all the 3 systems are in the same network, and in fact the third one .199 doesn't even exist which is fine, I am just trying to look at forwarding performance of the .91 system which is a Virtual Machine.

For completeness, I am running CentOS 6.5.

Any help appreciated!

Ser Olmy · 02-05-2015, 07:04 AM

Destination NAT port forwarding to hosts in the same network as the original destination doesn't work. The problem is the return path, which will be asymmetric.

Let's say a client with the IP address 192.168.1.100 attempts to reach the redirected port at 192.168.1.3. The path of the packet in this slightly simplified version of your setup would look like this:

Code:

192.168.1.100 ---udp---> 192.168.1.3:6000 ---udp---> 192.168.1.91:6000

The packet will indeed be NATed by 192.168.1.3 and forwarded to 192.168.1.91. At this point, the packet has a destination address of 192.168.1.91, but the source address is unchanged (192.168.1.100).

For NAT to work, the reply packet has to be sent via 192.168.1.3 in order to be "de-NATed", but there's no reason why 192.168.1.91 would do that. Since 192.168.1.100 is directly reachable (it's in the same network), 192.168.1.91 will just reply to 192.168.1.100. The problem is, 192.168.1.100 is expecting a response from 192.168.1.3, not 192.168.1.91, and will therefore just discard the packet.

You have two options:

Make sure all NAT operations take place on routers, and/or point all forwarded ports to hosts in other networks
Perform destination NAT as well as source NAT, so that the address of the NATing host (192.168.1.3 in this case) is the source address of the packet when it arrives at the final target (192.168.1.91), ensuring that reply packets are forced to take the same path on their way back to the original client.

vikas027 · 07-27-2017, 01:11 AM

I too have a similar requirement.

I have setup an AWS NAT EC2 Instance (instead of managed AWS NAT Gateway) which is working fine and currently, only allows ports 80 and 443.
Now, all traffic from my private subnets gets redirected to my AWS NAT EC2 Instance. I also want to redirect all NTP (UDP) traffic to one of the public NTPs (say 128.138.140.44)

This is the scenario.

10.61.70.10(eth0) - EC2 Instance in Private Subnet (has the IP of NAT Instance as a default Route)
10.61.68.20(eth1, eth0 is disabled) - NAT EC2 Instance in Public Subnet
128.138.140.44 - Public NTP Server utcnist.colorado.edu

My UDP Packet should something like this

Code:

10.61.70.10 ---udp (123)---> 10.61.68.20 ---udp (123)---> 128.138.140.44

I have tried these in vain
http://mattryall.net/blog/2011/09/ud...ing-with-socat
http://brokestream.com/udp_redirect.html
http://wiki.vpsget.com/index.php/For..._with_iptables

Some logs

Code:

root@10.61.70.10:~# ntpdate -uv utcnist.colorado.edu
27 Jul 16:06:42 ntpdate[11764]: ntpdate 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
27 Jul 16:06:50 ntpdate[11764]: no server suitable for synchronization found
root@10.61.70.10:~#

root@10.61.68.20:~# ntpdate -uv utcnist.colorado.edu
27 Jul 16:06:30 ntpdate[510]: ntpdate 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
27 Jul 16:06:37 ntpdate[510]: adjust time server 128.138.140.44 offset -0.020958 sec
root@10.61.68.20:~#