On Thu, Apr 25, 2019 at 07:38:20PM +0430, Mojtaba wrote:
> Hello all
> I read man conntrack document guide. That is great.
> I have an issue while I am working on it. For example, I just want to insert
> a new rule into the conntrack table like this:
> conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> --dport 5005 -r 192.168.122.1 -q 192.168.122.103 --reply-port-src 1111
> --reply-port-dst 2222 --timeout 30
> 
> It is successfully inserted but doesn't work, and the traffic goes to the INPUT
> chain.
> If I insert these two rules in iptables, the same rules as above are inserted
> into the conntrack table automatically and work correctly (the traffic is
> forwarded to the 192.168.122.1 host):
> iptables -t nat -A PREROUTING -i eth0 -p udp -s 192.168.122.242
> --dport 5005 -j DNAT --to 192.168.122.1:1111
> 
> iptables -t nat -A POSTROUTING -p udp --dport 1111 -j SNAT --to
> 192.168.122.103:2222

Have a look at the --dst-nat option, e.g.

conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1 --timeout 30
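Added example, not part of this thread: the entries in the question differ only in their reply tuple, so a small check of what the conntrack table actually holds helps when verifying that an inserted entry carries the NAT mapping the iptables rules would have produced. The script below parses `conntrack -L`-style lines (the sample lines are constructed for this example, modelled on conntrack's text output, not captured from the poster's host), flags flows whose reply tuple is not the mirror image of the original tuple, and derives the reply tuple a DNAT and/or SNAT would give, using the addresses and ports from the question. It also covers the DNAT-only case, which the thread does not show.

```python
"""Audit conntrack table lines for NAT mappings.

Sample lines below are constructed for this example; the parser assumes
conntrack's text output where the first src/dst/sport/dport group is the
original direction and the second group is the reply direction."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int

    def mirrored(self) -> "Tuple4":
        # Reply tuple of a flow that is not NATed: addresses and ports swapped
        return Tuple4(self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class Flow:
    proto: str
    orig: Tuple4
    reply: Tuple4
    flags: Tuple[str, ...]


_KV = re.compile(r"(\w+)=(\S+)")
_FLAG = re.compile(r"\[(\w+)\]")


def parse_conntrack_line(line: str) -> Flow:
    """Split one table line into protocol, original tuple, reply tuple, flags."""
    proto = line.split()[0]
    tuples: List[dict] = []
    cur: dict = {}
    for key, val in _KV.findall(line):
        if key not in ("src", "dst", "sport", "dport"):
            continue  # mark=, use=, etc. are not part of either tuple
        if key in cur:  # a repeated key means the reply tuple has started
            tuples.append(cur)
            cur = {}
        cur[key] = val
    tuples.append(cur)
    if len(tuples) != 2:
        raise ValueError("expected original and reply tuples: %r" % line)
    o, r = tuples
    return Flow(
        proto,
        Tuple4(o["src"], o["dst"], int(o["sport"]), int(o["dport"])),
        Tuple4(r["src"], r["dst"], int(r["sport"]), int(r["dport"])),
        tuple(_FLAG.findall(line)),
    )


def expected_reply(orig: Tuple4,
                   dnat: Optional[Tuple[str, int]] = None,
                   snat: Optional[Tuple[str, int]] = None) -> Tuple4:
    """Reply tuple conntrack holds for `orig` under the given NAT.

    DNAT rewrites the destination, so replies come FROM the DNAT target;
    SNAT rewrites the source, so replies are addressed TO the SNAT address."""
    reply_src, reply_sport = dnat if dnat else (orig.dst, orig.dport)
    reply_dst, reply_dport = snat if snat else (orig.src, orig.sport)
    return Tuple4(reply_src, reply_dst, reply_sport, reply_dport)


def is_natted(flow: Flow) -> bool:
    return flow.reply != flow.orig.mirrored()


def natted_flows(lines: List[str]) -> List[Flow]:
    return [f for f in map(parse_conntrack_line, lines) if is_natted(f)]


# Constructed sample table: a plain flow, the DNAT+SNAT flow from the question,
# and a DNAT-only flow for the same original tuple.
SAMPLE = [
    "udp 17 29 src=192.168.122.242 dst=192.168.122.103 sport=5070 dport=5005 "
    "[UNREPLIED] src=192.168.122.103 dst=192.168.122.242 sport=5005 dport=5070 mark=0 use=1",
    "udp 17 29 src=192.168.122.242 dst=192.168.122.103 sport=5070 dport=5005 "
    "[UNREPLIED] src=192.168.122.1 dst=192.168.122.103 sport=1111 dport=2222 mark=0 use=1",
    "udp 17 29 src=192.168.122.242 dst=192.168.122.103 sport=5070 dport=5005 "
    "[UNREPLIED] src=192.168.122.1 dst=192.168.122.242 sport=1111 dport=5070 mark=0 use=1",
]

if __name__ == "__main__":
    for f in natted_flows(SAMPLE):
        print("NAT:", f.orig, "->", f.reply)
```

Run against real output with `conntrack -L | python3 thisfile.py` after swapping SAMPLE for stdin; the point of `expected_reply` is that the reply tuple of the question's entry (src 192.168.122.1:1111, dst 192.168.122.103:2222) is exactly what the PREROUTING DNAT plus POSTROUTING SNAT rules produce, so a mismatch there means the table entry does not describe the mapping the administrator intended.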
