Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have strange behave of iptables with NAT functionality.
I have element with 2 interfaces:
Eth0 for internal LAN and Eth1 for external networking.
I'm trying to use the NAT functionlity to 'route' UDP messasage (with dedicated port) from internal LAN (Eth0) toward the external network (via Eth1).
I have application that 'generate' continues UDP messages (with dedicated UDP port) in the local LAN (Eth0), that I want to send toward external IP (Eth1).
The problem is:
If the UDP messages start to be receiving by the element after the NAT was configured, the messages are 'routing' properly
But , if the messages start to receiving before the element was configured with NAT functionality, and then the NAT configured, the NAT functionality isn't working.
When I tried to analyze it, in the problematic situation, I've noticed few issues:
1. If I try to generate UDP message with the same UDP port by other application (with different source port) the NAT functionality is working properly for this messages.
2. If I check the netstat -su on the element, the counter of 'unknown port receive' is increament.
3. If I kill the UDP application for dozens of seconds and run it again, the NAT start working properly.
Does anyone have idea why this happanes???, I'm really dispirited.
Hi guys,
...
The problem is:
If the UDP messages start to be receiving by the element after the NAT was configured, the messages are 'routing' properly
But , if the messages start to receiving before the element was configured with NAT functionality, and then the NAT configured, the NAT functionality isn't working.
Thanks.
Can you explain, what do you mean by: "after the NAT was configured" and "the element was configured with NAT functionality"?
I means that when the element (called E1) start working (e.g after power-up) the iptables configurations is empty. This done because the content of the configurations depends by external trigger.
While this stage, another element in the local LAN (called E2), start sending UDP messages to E1 with dedicated UDP port. The messages are dropped because no application in E1 is listening to this port - it's OK.
After E1 received the external trigger, the iptables is configured in the NAT table to route UDP messages with dedicated port from internal LAN (eth0) to element in the external LAN (eth1)(called E3). After this configuration done in E2, the UDP messages are not 'routing' to E3.
In other scenario, if E2 configured the NAT tabble and only then E1 start sending the messages - the messages are routed to E3.
In both scenarios, the configuration is identical.
I will try to explain it more clearly.
As you probably know, the iptables has 3 types of functionalities,Filter, Mangle and NAT.
In my case I have element that have two interfaces, eth0 (internal LAN) and eth1 (external networking). I want that this element will translate particular messages that recieved from internal LAN (eth0) toward dedicated IP in the external LAN (eth1).
For this purpose I want to use the NAT functionality, it means that all my configurations are related to NAT queue. I'm config it via the Linux shell by using iptables system call (e.g. iptables -A PREROUTING -t nat.....).
Below you can find schematic description and example of the iptables configuration.
The scheme is:
[E1 - eth0] <-> [eth0 - E2 - eth1] <-> [eth1 - E3 - eth0] <-> [eth0 - E4] E1 should communicate with E4 by unsing particular UDP port (3000).
Elements E2 and E3, for udp port 3000, should translate destination IP address from/to external network.
The configuration I used for that is (as it configured in E2):
iptables -A PREROUTING -t nat -d $e2_internal_ip -i eth0 -p udp --dport 3000 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to $e3_external_ip
iptables -A PREROUTING -t nat -d $e2_external_ip -i eth1 -p udp --dport 3000 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to $e1_internal_ip:2445
This is the only configurations I've set for this purpose.
I hope that the problematic scenario is clear enough in the above postes.
Thank you very much. Now I will probably can help you (I hope).
In your example packets goes through E2, it is transit traffic. It comes input interface, then to NAT, then to router and then goes to FORWARD chain, then to output interface.
And NAT chain here doesn't filter anything, it should keep permanent information about network address translation ONLY. All filtering of transit traffic, you should do in FORWARD chain.
So then you power up E2, it will already know about NAT rules, but filter in forward chain can prevent packetc go farther, then you can modify forward rule, to allow them, and get appropriate result.
Code:
-A FORWARD -i eth0 <put what you need> -m state --state NEW,RELATED,ESTABLISHED -j <ACCEPT or DROP>
-A FORWARD -i eth1 <put what you need> -m state --state NEW,RELATED,ESTABLISHED -j <ACCEPT or DROP>
Do not forget, that FORWARD filter in both directions, so you need rules for both ways.
Thanks to your answer, I will check what you suggest to do and update you.
I still want to understand this issue more clearly.
What is the different between scenario which the NAT rules configured first and then the packet are recieving => result the packet to routed properly, to the 'opposite' scenario => result the packets to be filtering?
Does there is any "route cache" that remember that this type of massages were filtered (before the NAT rules) and continues to filtering (also after the NAT rules)?, if it occured, does there is way to flush this cache?
Does the NAT rules not actualy change the packet?
NAT - network address translation. And it is stateful. It controls state of connection:
--state NEW,RELATED,ESTABLISHED, it also keeps records about connection.
You can go to /proc/net/nf_conntrack, and see it you self.
And of course, it want to see the first packets in connection, then it add a new record and start to monitor it.
And may be it is not really NAT problem, but NAT works together with other iptables modules. And if they were dropping connection, they will drop it, until you start new connection.
NAT changes only addresses, and DNAT module can play this ports.
1. The messages type in my case are connectionless (UDP), so consider the connection state is not realy effective.
2. I didn't insert any configuration to other iptables modules (except to NAT), so how can other iptables modules drop the packets?
I'v checked the option to insert DROP rule to filter the messages before the NAT rules are ready (as you recommended).
But I saw that the dropped messages are also inserted into the nat_conntrack monitoring. So, when I insert the NAT rules the packets aren't forwarnig since they still tagged with UNREPLIED.
Only when I stop (manualy) the transmit of the message and cause the enrty counter to decrease and cleared from the table, only then it is working.
I saw that there is option to flush the conntrack table ("conntrack -F"), but I can't use it becuase it supproted from kernel version 2.6.18 and above (I'm using kernel version 2.6.14).
I'v checked the option to insert DROP rule to filter the messages before the NAT rules are ready (as you recommended).
Sorry, but I recommended you to add filer rules to FORWARD chain. And configure NAT as you need ones.
Quote:
But I saw that the dropped messages are also inserted into the nat_conntrack monitoring. So, when I insert the NAT rules the packets aren't forwarnig since they still tagged with UNREPLIED.
Only when I stop (manualy) the transmit of the message and cause the enrty counter to decrease and cleared from the table, only then it is working.
I saw that there is option to flush the conntrack table ("conntrack -F"), but I can't use it becuase it supproted from kernel version 2.6.18 and above (I'm using kernel version 2.6.14).
Can you please, explain this more clearly. Especially about dropped messages.
You do not to remove NAT rules. Leave the NAT table alone. Add and remove rules in FORWARD chain.
Because without NAT rules, if send packets to IP eth0 of E2, packets will go to INPUT chain.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.