Old 09-05-2016, 11:26 AM   #1
Davisn23
LQ Newbie
 
Registered: Sep 2016
Posts: 5

Rep: Reputation: Disabled
Redirecting packets in NAT with IPTables


We currently do a type of Layer 7 filtering where all packets matching our u32 rule get redirected to another port that caches information. This happens on our firewall (running Ubuntu with iptables) before it hits our Windows machines.

An example of one of these rules looks like this:
Code:
iptables -A PREROUTING -t nat -d ~dstip~/32 -p udp -m udp --dport ~dstport~ -m u32 --u32 "0x0>>0x16&0x3c@0x8=0xffffffff&&0x0>>0x16&0x3c@0xc=0x54536f75&&0x0>>0x16&0x3c@0x10=0x72636520&&0x0>>0x16&0x3c@0x14=0x456e6769&&0x0>>0x16&0x3c@0x18=0x6e652051&&0x0>>0x16&0x3c@0x1c=0x75657279" -j REDIRECT --to-ports ~redirectport~
This all works great: instead of the packets reaching our Windows server and bogging it down from medium-sized attacks, our caching program will respond to them.

However, I want ALL packets matching that rule to get passed. Currently, only new packets hitting our server will get redirected; IPs and ports that have already hit our firewall will pass right through.

I found a fix for this, and it was to set both of these to 0:
Code:
sudo sysctl -w net.netfilter.nf_conntrack_udp_timeout_stream=0
sudo sysctl -w net.netfilter.nf_conntrack_udp_timeout=0
This worked great and redirected everything, but even on a small attack (<50Mbps) iptables just stops working and drops everything. My caching program isn't the bottleneck and everything else seems to be working fine.

Any ideas?

edit:
I previously also found some information on it here:
http://serverfault.com/questions/741.../741108#741108

What makes this more odd is that without the two settings above, we were seeing 300-400Mbps floods that were being cached perfectly by our program without issue, as all NEW (spoofed) packets were being redirected anyway.

No luck yet however.

Last edited by Davisn23; 09-05-2016 at 11:31 AM.
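The u32 expression in the rule above is compact but readable once its pieces are known: `0x0>>0x16&0x3c` reads the first four bytes of the IPv4 header, shifts the IHL nibble down and masks it, giving the header length in bytes; `@` makes that value the base offset, and `0x8` skips the eight-byte UDP header into the payload. Each of the six comparisons then checks four payload bytes, and together the constants spell `\xff\xff\xff\xff` followed by the ASCII text "TSource Engine Query". The script below is an added example, not code from the thread: it re-implements that subset of the xt_u32 match semantics in Python (4-byte big-endian reads, accumulating `@` offsets, no match when a read would run past the end of the packet) so a rule of this kind can be checked offline against constructed packets before it goes on a firewall. The packet builder, sample payloads, addresses and port numbers are constructed for the example; the rule string is copied verbatim from the post.

```python
import re
import struct

# The --u32 expression from the post, copied verbatim (the ~dstip~/~dstport~
# placeholders belong to the surrounding iptables rule, not to this string).
RULE_U32 = ("0x0>>0x16&0x3c@0x8=0xffffffff&&0x0>>0x16&0x3c@0xc=0x54536f75"
            "&&0x0>>0x16&0x3c@0x10=0x72636520&&0x0>>0x16&0x3c@0x14=0x456e6769"
            "&&0x0>>0x16&0x3c@0x18=0x6e652051&&0x0>>0x16&0x3c@0x1c=0x75657279")

_TOKEN = re.compile(r"0[xX][0-9a-fA-F]+|\d+|>>|<<|[&@]")


def _num(tok):
    """Parse a u32 number: hex with a 0x prefix, otherwise decimal."""
    return int(tok, 16) if tok[:2].lower() == "0x" else int(tok, 10)


def _read32(pkt, pos):
    """4-byte big-endian read; IndexError if it would run past the packet."""
    if pos < 0 or pos + 4 > len(pkt):
        raise IndexError("u32 read beyond end of packet")
    return struct.unpack_from("!I", pkt, pos)[0]


def _eval_location(pkt, location):
    """Evaluate a location expression the way xt_u32 does: read 4 bytes at
    the first number, then apply &, <<, >> to the running value; '@' adds
    the running value to an accumulated base offset and reads 4 bytes at
    base + number."""
    toks = _TOKEN.findall(location)
    if "".join(toks) != location.replace(" ", ""):
        raise ValueError("unsupported characters in u32 location %r" % location)
    at = 0
    val = _read32(pkt, _num(toks[0]))
    for op, number in zip(toks[1::2], toks[2::2]):
        n = _num(number)
        if op == "&":
            val &= n
        elif op == "<<":
            val = (val << n) & 0xFFFFFFFF
        elif op == ">>":
            val >>= n
        elif op == "@":
            at += val
            val = _read32(pkt, at + n)
        else:
            raise ValueError("unknown u32 operator %r" % op)
    return val


def _value_matches(val, spec):
    """Right-hand side of a test: comma-separated values or low:high ranges."""
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        lo_n = _num(lo.strip())
        hi_n = _num(hi.strip()) if hi else lo_n
        if lo_n <= val <= hi_n:
            return True
    return False


def u32_match(expression, pkt):
    """True when every '&&'-joined test holds for pkt (raw IPv4 bytes).
    A read past the end of the packet is a non-match, as in the kernel,
    which is what happens for short or truncated packets."""
    for test in expression.split("&&"):
        location, _, spec = test.partition("=")
        try:
            val = _eval_location(pkt, location.strip())
        except IndexError:
            return False
        if not _value_matches(val, spec.strip()):
            return False
    return True


def payload_signature(expression):
    """Recover the constant bytes a rule of the form
    '0x0>>0x16&0x3c@OFF=VALUE && ...' compares against, in offset order.
    OFF counts from the start of the UDP header, so the payload offset is OFF-8."""
    pieces = []
    for test in expression.split("&&"):
        location, _, spec = test.partition("=")
        m = re.fullmatch(r"0x0>>0x16&0x3c@(0x[0-9a-fA-F]+)", location.strip())
        if not m:
            raise ValueError("not a fixed-offset UDP payload test: %r" % test)
        pieces.append((_num(m.group(1)) - 8, struct.pack("!I", _num(spec.strip()))))
    return b"".join(b for _, b in sorted(pieces))


def build_ipv4_udp(payload, sport=40000, dport=27035, options=b""):
    """Constructed IPv4/UDP packet for testing (checksums left at zero; the
    u32 match never reads them). options must be a multiple of 4 bytes."""
    ihl = 5 + len(options) // 4
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + udp_len, 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10])) + options
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


if __name__ == "__main__":
    query = b"\xff\xff\xff\xffTSource Engine Query\x00"  # constructed sample payload
    print(payload_signature(RULE_U32))
    print(u32_match(RULE_U32, build_ipv4_udp(query)))
    print(u32_match(RULE_U32, build_ipv4_udp(query, options=b"\x01\x01\x01\x01")))
    print(u32_match(RULE_U32, build_ipv4_udp(query[:-5])))  # truncated payload
```

The packet with four NOP options (IHL 6) matches just as the plain one does, which is what the `0x0>>0x16&0x3c@` prefix buys over a fixed offset of 28; the truncated payload fails because the last test would read past the end of the packet, and xt_u32 treats that as a non-match rather than an error.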
 
Old 09-05-2016, 02:39 PM   #2
Davisn23
LQ Newbie
 
Registered: Sep 2016
Posts: 5

Original Poster
Rep: Reputation: Disabled
Oh, I would also like to note that only incoming traffic passes through this firewall, outgoing traffic from our windows machines passes straight to the switch.

I'm unsure if that makes any difference, but I know it affects "stateful" stuff.
 
Old 11-10-2016, 11:16 PM   #3
Davisn23
LQ Newbie
 
Registered: Sep 2016
Posts: 5

Original Poster
Rep: Reputation: Disabled
So this is still a huge issue with no fix being found. I saw using -m conntrack --ctexpire-set to set the individual packets' conntrack time, but "ctexpire-set" seems to have been removed.

I need packets matching xxxx payload on destination port 27035 to be redirected to another port. NAT seems to be the only way, but only the first packet gets redirected. What can I do to solve this?
 