[SOLVED] UDP port forwarding doesn't work

danielhilst · 12-12-2011, 04:05 PM

Hi, I'm trying to forward UDP packages coming from eth1 at port 25826
to an server on my internal network

Here is the rule that I used

Code:

iptables -t nat -A PREROUTING -i eth1 -p udp --dport 25826 -j DNAT --to-destination 192.168.5.13:25826
iptables -A FORWARD -d 192.168.5.13 -j ACCEPT

This rule is simple ignored. Before ppl ask, I have sure
that the packets are coming at that port on that interface

Code:

[root@pax2 ~]# tcpdump -nni eth1 port 25826
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
20:12:23.926427 IP 201.28.214.89.43368 > 10.129.120.47.25826: UDP, length 1326
20:12:23.931575 IP 201.28.214.89.43368 > 10.129.120.47.25826: UDP, length 1300
20:12:23.937244 IP 201.28.214.89.43368 > 10.129.120.47.25826: UDP, length 1331

What I'm missing?

[]'s

eSelix · 12-12-2011, 04:15 PM

Other rules before these denied packets or destination host has own rules? Add logging and check in syslog what is going on, for example:

Code:

iptables -t nat -A PREROUTING -i eth1 -p udp --dport 25826 -j LOG --log-prefix "PREROUTING: "
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 25826 -j DNAT --to-destination 192.168.5.13:25826
iptables -A FORWARD -d 192.168.5.13 -j LOG --log-prefix "FORWARD: "
iptables -A FORWARD -d 192.168.5.13 -j ACCEPT

And you have enabled forwarding in this machine: "echo 1 > /proc/sys/net/ipv4/ip_forward"?

T3RM1NVT0R · 12-12-2011, 04:16 PM

Hi danielhilst,

Did you check where this rule is being place in your iptables list. I just want to make sure that the rule is not placed after explicit deny rule.

danielhilst · 12-13-2011, 06:30 PM

Quote:

Originally Posted by eSelix

Other rules before these denied packets or destination host has own rules? Add logging and check in syslog what is going on, for example:

Code:

iptables -t nat -A PREROUTING -i eth1 -p udp --dport 25826 -j LOG --log-prefix "PREROUTING: "
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 25826 -j DNAT --to-destination 192.168.5.13:25826
iptables -A FORWARD -d 192.168.5.13 -j LOG --log-prefix "FORWARD: "
iptables -A FORWARD -d 192.168.5.13 -j ACCEPT

--log-prefix this is really useful, thanks!!

The problem was not on iptables, I have made a change on collectd configurations file them the things start to work, I can't say why I can see the packages coming with tcpdump but cannot forward it.

Quote:

Originally Posted by eSelix

And you have enabled forwarding in this machine: "echo 1 > /proc/sys/net/ipv4/ip_forward"?

ip_forward was aways enabled...

topher800 · 04-19-2012, 03:48 PM

tcpdump sees the packets because it inserts itself lower than iptables in the network stack.