LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 03-01-2010, 01:22 PM   #1
rany
Strange behaviour of iptables NAT functionality


Hi guys,

I'm seeing strange behaviour of the iptables NAT functionality.

I have an element with 2 interfaces:
eth0 for the internal LAN and eth1 for the external network.
I'm trying to use the NAT functionality to 'route' UDP messages (with a dedicated port) from the internal LAN (eth0) toward the external network (via eth1).
I have an application that generates continuous UDP messages (with a dedicated UDP port) in the local LAN (eth0), which I want to send toward an external IP (eth1).

The problem is:
If the element starts receiving the UDP messages after the NAT was configured, the messages are 'routed' properly.
But if the messages start arriving before the element was configured with the NAT functionality, and the NAT is configured afterwards, the NAT functionality isn't working.

When I tried to analyze it, in the problematic situation I noticed a few things:
1. If I generate UDP messages to the same UDP port from another application (with a different source port), the NAT functionality works properly for those messages.
2. If I check netstat -su on the element, the 'unknown port receive' counter is incrementing.
3. If I kill the UDP application for a few dozen seconds and run it again, the NAT starts working properly.

Does anyone have an idea why this happens? I'm really dispirited.

Thanks.
 
Old 03-01-2010, 01:37 PM   #2
nimnull22
Quote:
Originally Posted by rany
Hi guys,
...
The problem is:
If the element starts receiving the UDP messages after the NAT was configured, the messages are 'routed' properly.
But if the messages start arriving before the element was configured with the NAT functionality, and the NAT is configured afterwards, the NAT functionality isn't working.


Thanks.
Can you explain what you mean by "after the NAT was configured" and "the element was configured with NAT functionality"?
 
Old 03-02-2010, 01:26 AM   #3
rany
Hi,

I mean that when the element (called E1) starts working (e.g. after power-up) the iptables configuration is empty. This is because the content of the configuration depends on an external trigger.
During this stage, another element in the local LAN (called E2) starts sending UDP messages to E1 on a dedicated UDP port. The messages are dropped because no application on E1 is listening on this port - that's OK.
After E1 receives the external trigger, iptables is configured in the NAT table to route UDP messages with the dedicated port from the internal LAN (eth0) to an element in the external LAN (eth1) (called E3). After this configuration is done in E2, the UDP messages are not 'routed' to E3.
In the other scenario, if E2 configures the NAT table and only then E1 starts sending the messages - the messages are routed to E3.
In both scenarios, the configuration is identical.
 
Old 03-02-2010, 10:33 AM   #4
nimnull22
I hope you remember that iptables is a stateful firewall as well as NAT.
 
Old 03-02-2010, 11:52 PM   #5
rany
But all the other tables, except NAT, are empty with no configuration.
Can you explain what that means and how it affects my setup?
 
Old 03-03-2010, 09:53 AM   #6
nimnull22
To answer your question I would like to understand what exactly you mean by "the iptables is configured in the NAT table"?

Thanks

 
Old 03-04-2010, 10:02 AM   #7
rany
Hi again,

I will try to explain it more clearly.
As you probably know, iptables has 3 types of functionality: Filter, Mangle and NAT.
In my case I have an element that has two interfaces, eth0 (internal LAN) and eth1 (external network). I want this element to translate particular messages received from the internal LAN (eth0) toward a dedicated IP in the external LAN (eth1).
For this purpose I want to use the NAT functionality, meaning that all my configuration is related to the NAT table. I configure it via the Linux shell by using the iptables system call (e.g. iptables -A PREROUTING -t nat ...).

Below you can find a schematic description and an example of the iptables configuration.
The scheme is:
[E1 - eth0] <-> [eth0 - E2 - eth1] <-> [eth1 - E3 - eth0] <-> [eth0 - E4]
E1 should communicate with E4 using a particular UDP port (3000).
Elements E2 and E3, for UDP port 3000, should translate the destination IP address from/to the external network.
The configuration I used for that is (as configured in E2):
Code:
iptables -A PREROUTING -t nat -d $e2_internal_ip -i eth0 -p udp --dport 3000 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to $e3_external_ip
iptables -A PREROUTING -t nat -d $e2_external_ip -i eth1 -p udp --dport 3000 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to $e1_internal_ip:2445
This is the only configuration I've set for this purpose.

I hope the problematic scenario is clear enough from the above posts.
 
Old 03-04-2010, 10:41 AM   #8
nimnull22
Thank you very much. Now I can probably help you (I hope).

In your example the packets go through E2; it is transit traffic. They come in on the input interface, then go to NAT, then to the router, then to the FORWARD chain, then out the output interface.
And the NAT chain here doesn't filter anything; it should keep permanent information about the network address translation ONLY. All filtering of transit traffic you should do in the FORWARD chain.
So when you power up E2, it will already know about the NAT rules, but the filter in the FORWARD chain can prevent the packets from going farther; then you can modify the FORWARD rule to allow them and get the appropriate result.
Code:
-A FORWARD -i eth0 <put what you need>  -m state --state NEW,RELATED,ESTABLISHED -j <ACCEPT or DROP>
-A FORWARD -i eth1 <put what you need>   -m state --state NEW,RELATED,ESTABLISHED -j  <ACCEPT or DROP>
Do not forget that FORWARD filters in both directions, so you need rules for both ways.


Thanks

 
Old 03-04-2010, 03:07 PM   #9
rany
Hi,

Thanks for your answer; I will check what you suggest and update you.
I still want to understand this issue more clearly.

What is the difference between the scenario where the NAT rules are configured first and then the packets are received => result: the packets are routed properly, and the 'opposite' scenario => result: the packets are filtered?
Is there any "route cache" that remembers that this type of message was filtered (before the NAT rules) and continues filtering (also after the NAT rules)? If so, is there a way to flush this cache?
Do the NAT rules not actually change the packet?

Thanks, Ran.
 
Old 03-04-2010, 03:26 PM   #10
nimnull22
NAT - network address translation. And it is stateful. It controls the state of the connection:
--state NEW,RELATED,ESTABLISHED; it also keeps records about connections.
You can go to /proc/net/nf_conntrack and see it yourself.
And of course, it wants to see the first packets of a connection; then it adds a new record and starts to monitor it.
And maybe it is not really a NAT problem, but NAT works together with other iptables modules. And if they were dropping the connection, they will keep dropping it until you start a new connection.
NAT changes only addresses, and the DNAT module can also play with ports.
 
Old 03-04-2010, 03:47 PM   #11
rany
Hi,

1. The message type in my case is connectionless (UDP), so considering the connection state is not really effective.
2. I didn't insert any configuration into other iptables modules (except NAT), so how can other iptables modules drop the packets?

Thanks.
 
Old 03-04-2010, 03:51 PM   #12
nimnull22
Go to /proc/net/nf_conntrack and check.

What are the default policies?
 
Old 03-04-2010, 04:02 PM   #13
rany
Currently I have no access to the element.
Thanks a lot for now, I will check it next week.
Bye.
 
Old 03-07-2010, 11:17 AM   #14
rany
Hi again,

I've checked the option of inserting a DROP rule to filter the messages before the NAT rules are ready (as you recommended).
But I saw that the dropped messages are also inserted into the nf_conntrack monitoring. So, when I insert the NAT rules the packets aren't forwarded since they are still tagged as UNREPLIED.
Only when I (manually) stop the transmission of the messages and cause the entry counter to decrease and the entry to be cleared from the table, only then does it work.
I saw that there is an option to flush the conntrack table ("conntrack -F"), but I can't use it because it is supported from kernel version 2.6.18 and above (I'm using kernel version 2.6.14).

Do you have another option in mind?

Thanks, Ran
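As an added example for this thread (not code posted by rany or nimnull22), the following Python script automates the check suggested in #12 and the observation made in #14: it parses /proc/net/ip_conntrack (the layout on a 2.6.14 kernel) or /proc/net/nf_conntrack, lists the tracked flows to UDP port 3000, and tells apart entries that carry a DNAT mapping from those that do not. The mechanism it is checking for: the nat table's PREROUTING chain is consulted only for the first packet of a flow, so a flow that conntrack already tracks as UNREPLIED (created while the packets were still landing in INPUT) never gets a DNAT rule that is added later, and every further packet refreshes that entry's timeout (30 s by default for unreplied UDP), which is why stopping the sender for a while makes the new rule take effect. The sample table, its addresses (192.168.10.x for the internal LAN, 10.0.0.3 standing in for $e3_external_ip) and the timeouts are constructed for the example, not captured from the poster's element.

```python
"""List conntrack entries that will keep a newly added DNAT rule from
working.  Added example for this thread; not code from the thread.

The nat table is consulted only for the first packet of a flow.  If
conntrack already holds an entry for the flow (created while the packets
were landing in INPUT), a DNAT rule added afterwards is never applied to
it, and each new packet resets the entry's countdown.
"""
import os
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines (not captured from the poster's element).  The
# first three use the /proc/net/ip_conntrack layout of 2.6.14-era kernels;
# the last uses the /proc/net/nf_conntrack layout ("ipv4 2" prefix, mark=).
# Addresses are invented: 192.168.10.x is the internal LAN, 10.0.0.3 stands
# in for $e3_external_ip.
SAMPLE_CONNTRACK = """\
udp      17 27 src=192.168.10.20 dst=192.168.10.1 sport=49152 dport=3000 [UNREPLIED] src=192.168.10.1 dst=192.168.10.20 sport=3000 dport=49152 use=1
udp      17 179 src=192.168.10.20 dst=192.168.10.1 sport=49153 dport=3000 src=10.0.0.3 dst=192.168.10.20 sport=3000 dport=49153 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.10.20 dst=192.168.10.1 sport=51234 dport=22 src=192.168.10.1 dst=192.168.10.20 sport=22 dport=51234 [ASSURED] use=1
ipv4     2 udp      17 12 src=192.168.10.21 dst=192.168.10.1 sport=5000 dport=3000 [UNREPLIED] src=192.168.10.1 dst=192.168.10.21 sport=3000 dport=5000 mark=0 use=1
"""

# Optional "ipv4 2" prefix, then protocol name, protocol number, seconds left.
HEADER_RE = re.compile(r"^(?:ipv[46]\s+\d+\s+)?([a-z]+)\s+\d+\s+(\d+)\b")
# One address/port tuple; a TCP/UDP line carries two (original, reply).
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class Entry:
    proto: str
    timeout: int          # seconds until the kernel forgets the entry
    orig: tuple           # (src, dst, sport, dport) as seen on the wire
    reply: tuple          # (src, dst, sport, dport) expected for replies
    unreplied: bool
    assured: bool

    def nat_applied(self) -> bool:
        """Without NAT the reply tuple is just the original tuple reversed;
        any difference means a DNAT/SNAT mapping is recorded."""
        o_src, o_dst, o_sport, o_dport = self.orig
        r_src, r_dst, r_sport, r_dport = self.reply
        return (r_src, r_sport) != (o_dst, o_dport) or (r_dst, r_dport) != (o_src, o_sport)


def parse_conntrack(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        tuples = TUPLE_RE.findall(line)
        if not head or len(tuples) != 2:
            continue  # ICMP and other layouts carry no sport/dport pair
        (o_src, o_dst, o_sport, o_dport), (r_src, r_dst, r_sport, r_dport) = tuples
        entries.append(Entry(
            proto=head.group(1),
            timeout=int(head.group(2)),
            orig=(o_src, o_dst, int(o_sport), int(o_dport)),
            reply=(r_src, r_dst, int(r_sport), int(r_dport)),
            unreplied="[UNREPLIED]" in line,
            assured="[ASSURED]" in line,
        ))
    return entries


def stale_for_port(entries: List[Entry], dport: int, proto: str = "udp") -> List[Entry]:
    """Flows to `dport` that conntrack tracks WITHOUT a NAT mapping: a DNAT
    rule added now will not touch them until they expire."""
    return [e for e in entries
            if e.proto == proto and e.orig[3] == dport and not e.nat_applied()]


def quiet_time_needed(stale: List[Entry]) -> int:
    """Seconds the sender must pause so every stale entry times out (each
    packet resets the countdown, so pausing is what lets it reach zero)."""
    return max((e.timeout for e in stale), default=0)


def report(text: str, dport: int) -> str:
    entries = parse_conntrack(text)
    stale = stale_for_port(entries, dport)
    lines = [f"{len(entries)} tracked flows, {len(stale)} to udp/{dport} without a NAT mapping:"]
    for e in stale:
        o_src, o_dst, o_sport, o_dport = e.orig
        flag = "UNREPLIED" if e.unreplied else ("ASSURED" if e.assured else "-")
        lines.append(f"  {o_src}:{o_sport} -> {o_dst}:{o_dport}  {flag}  expires in {e.timeout}s")
    lines.append(f"pause the sender for at least {quiet_time_needed(stale)}s, or delete the entries")
    return "\n".join(lines)


if __name__ == "__main__":
    # Prefer the live table when run as root on a Linux box; fall back to the sample.
    text = SAMPLE_CONNTRACK
    for path in ("/proc/net/nf_conntrack", "/proc/net/ip_conntrack"):
        if os.path.exists(path):
            with open(path) as f:
                text = f.read()
            break
    print(report(text, 3000))
```

Run it on E2 as root while E1 is still sending: an entry for dport 3000 whose reply tuple is just the original tuple reversed is one that was created before the DNAT rule existed, and the third column of the proc file is how many seconds it has left, counting down only while no packet refreshes it. On a kernel new enough for the conntrack tool, such entries can be removed selectively with `conntrack -D -p udp --dport 3000` rather than flushing the whole table with `conntrack -F`.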
 
Old 03-07-2010, 04:10 PM   #15
nimnull22
Quote:
Originally Posted by rany
Hi again,

I've checked the option of inserting a DROP rule to filter the messages before the NAT rules are ready (as you recommended).
Sorry, but I recommended that you add filter rules to the FORWARD chain, and configure NAT as you need it.
Quote:
But I saw that the dropped messages are also inserted into the nf_conntrack monitoring. So, when I insert the NAT rules the packets aren't forwarded since they are still tagged as UNREPLIED.
Only when I (manually) stop the transmission of the messages and cause the entry counter to decrease and the entry to be cleared from the table, only then does it work.
I saw that there is an option to flush the conntrack table ("conntrack -F"), but I can't use it because it is supported from kernel version 2.6.18 and above (I'm using kernel version 2.6.14).
Can you please explain this more clearly, especially about the dropped messages.


You do not need to remove the NAT rules. Leave the NAT table alone. Add and remove rules in the FORWARD chain.
Because without the NAT rules, if you send packets to the eth0 IP of E2, the packets will go to the INPUT chain.

Thanks.

 
  

