Old 01-31-2015, 02:01 PM   #1
jbbroccard2
iptables: trying to forward UDP traffic


Hello all,
I am trying to set up a system (192.168.1.91) that will forward UDP traffic (port 6000) from a given host (192.168.1.3) on a given port (6000) to another system (192.168.1.199).

The packet path should look like this:
192.168.1.3:6000 ----udp-----> 192.168.1.91:6000 ----udp----> 192.168.1.199:6000

Here are the commands I use:
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -A PREROUTING -s 192.168.1.3 -p udp --dport 6000 -j DNAT --to-destination 192.168.1.199:6000
iptables -t nat -A POSTROUTING -j MASQUERADE

Basically, nothing really happens when I run these commands: the packets arrive on .91 but are not forwarded at all.
Note: all 3 systems are in the same network, and in fact the third one, .199, doesn't even exist, which is fine; I am just trying to look at the forwarding performance of the .91 system, which is a virtual machine.

For completeness, I am running CentOS 6.5.

Any help appreciated!
 
Old 02-05-2015, 07:04 AM   #2
Ser Olmy
Destination NAT port forwarding to hosts in the same network as the original destination doesn't work. The problem is the return path, which will be asymmetric.

Let's say a client with the IP address 192.168.1.100 attempts to reach the redirected port at 192.168.1.3. The path of the packet in this slightly simplified version of your setup would look like this:
Code:
192.168.1.100 ---udp---> 192.168.1.3:6000 ---udp---> 192.168.1.91:6000
The packet will indeed be NATed by 192.168.1.3 and forwarded to 192.168.1.91. At this point, the packet has a destination address of 192.168.1.91, but the source address is unchanged (192.168.1.100).

For NAT to work, the reply packet has to be sent via 192.168.1.3 in order to be "de-NATed", but there's no reason why 192.168.1.91 would do that. Since 192.168.1.100 is directly reachable (it's in the same network), 192.168.1.91 will just reply to 192.168.1.100. The problem is, 192.168.1.100 is expecting a response from 192.168.1.3, not 192.168.1.91, and will therefore just discard the packet.

You have two options:
  1. Make sure all NAT operations take place on routers, and/or point all forwarded ports to hosts in other networks
  2. Perform destination NAT as well as source NAT, so that the address of the NATing host (192.168.1.3 in this case) is the source address of the packet when it arrives at the final target (192.168.1.91), ensuring that reply packets are forced to take the same path on their way back to the original client.
 
1 members found this post helpful.
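Option 2 from the reply above (destination NAT plus source NAT on the same host), written out as a dry-run script. This is an added example, not part of the thread; it uses the first post's addresses (192.168.1.91 as the NATing host), and the names `run`, `forward_udp` and `APPLY` are made up for it.

```shell
#!/bin/sh
# Added example: DNAT plus SNAT for a UDP forward inside one subnet.
# Names (run, forward_udp, APPLY) are illustrative, not from the thread.

# Dry run by default: print each command. Set APPLY=1 (as root) to execute.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# forward_udp CLIENT NAT_HOST TARGET PORT
forward_udp() {
    client=$1 nat_host=$2 target=$3 port=$4

    # Refuse anything that is not a port number in 1-65535.
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi

    run sysctl -w net.ipv4.ip_forward=1

    # Destination NAT: datagrams from the client to PORT are sent on to the target.
    run iptables -t nat -A PREROUTING -s "$client" -p udp --dport "$port" \
        -j DNAT --to-destination "$target:$port"

    # Source NAT, limited to this one flow: the target sees the NAT host as
    # the sender, so its reply returns through the NAT host and is translated
    # back by connection tracking instead of going straight to the client.
    run iptables -t nat -A POSTROUTING -s "$client" -d "$target" -p udp \
        --dport "$port" -j SNAT --to-source "$nat_host"

    # Filter table: allow the forwarded flow and its tracked replies.
    run iptables -A FORWARD -s "$client" -d "$target" -p udp \
        --dport "$port" -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Addresses from the first post: sender .3, NAT host .91, target .199.
forward_udp 192.168.1.3 192.168.1.91 192.168.1.199 6000
```

Scoping the SNAT rule to the forwarded flow keeps the original source address on all other traffic leaving the host, which matters for logging on downstream systems. Once applied, `conntrack -L -p udp` (from conntrack-tools) on the NAT host lists the flow with both translations.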
Old 07-27-2017, 01:11 AM   #3
vikas027

I too have a similar requirement.

I have set up an AWS NAT EC2 Instance (instead of managed AWS NAT Gateway) which is working fine and currently only allows ports 80 and 443.
Now, all traffic from my private subnets gets redirected to my AWS NAT EC2 Instance. I also want to redirect all NTP (UDP) traffic to one of the public NTPs (say 128.138.140.44).

This is the scenario.
  • 10.61.70.10(eth0) - EC2 Instance in Private Subnet (has the IP of NAT Instance as a default Route)
  • 10.61.68.20(eth1, eth0 is disabled) - NAT EC2 Instance in Public Subnet
  • 128.138.140.44 - Public NTP Server utcnist.colorado.edu

My UDP packet should look something like this:
Code:
10.61.70.10 ---udp (123)---> 10.61.68.20 ---udp (123)---> 128.138.140.44
I have tried these in vain:
http://mattryall.net/blog/2011/09/ud...ing-with-socat
http://brokestream.com/udp_redirect.html
http://wiki.vpsget.com/index.php/For..._with_iptables

Some logs
Code:
root@10.61.70.10:~# ntpdate -uv utcnist.colorado.edu
27 Jul 16:06:42 ntpdate[11764]: ntpdate 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
27 Jul 16:06:50 ntpdate[11764]: no server suitable for synchronization found
root@10.61.70.10:~#

root@10.61.68.20:~# ntpdate -uv utcnist.colorado.edu
27 Jul 16:06:30 ntpdate[510]: ntpdate 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
27 Jul 16:06:37 ntpdate[510]: adjust time server 128.138.140.44 offset -0.020958 sec
root@10.61.68.20:~#

Last edited by vikas027; 07-27-2017 at 01:26 AM.
 
  

