On 12/06/2016 05:11 AM, Brian J. Murrell wrote:
> On my shorewall router there is traffic entering on the tun0
> interface and exiting the br-lan interface.  Any packets entering
> from tun0 with a destination port of 23768 on a machine on the
> br-lan interface should be port-mapped to 5060.
> 
> I have the following in my shorewall rules file:
> 
> DNAT  vpn2            10.75.22.8:5060 udp     23768
> 
> Where vpn2 is
> 
> vpn2  tun0:10.75.23.0/24,+foo
> 
> and 10.75.22.8 is the destination I want to remap from port 23768
> to port 5060.  The iptables rule that gets installed is:
> 
> Chain PREROUTING (policy ACCEPT 611 packets, 33855 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       udp  --  tun0   *       10.75.23.0/24        0.0.0.0/0            udp dpt:23768 to:10.75.22.8:5060
>     0     0 DNAT       udp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:23768 match-set foo src to:10.75.22.8:5060
> 
> Nothing seems to be getting port mapped however.  On tun0 we can
> see:
> 
> 08:06:18.541475 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
> 08:06:19.042057 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
> 08:06:20.047426 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
> 08:06:22.052565 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
> 
> and on br-lan we can see:
> 
> 08:06:18.541685 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
> 08:06:18.541902 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
> 08:06:19.042266 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
> 08:06:19.042475 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
> 08:06:20.047639 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
> 08:06:20.047896 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
> 08:06:22.052788 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
> 08:06:22.053093 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
> 
> What is it that I am missing?
> 
> As an aside, can I use REDIRECT here or is REDIRECT strictly for
> port-mapping on the shorewall host itself?  I thought I read
> otherwise... that it could be used to map ports on remote (to
> shorewall) hosts also.
> 

This is a common problem with UDP. A packet arrives on tun0 before the
DNAT rule is in place, and the resulting conntrack table entry
persists so long as matching packets continue to arrive. You can
remove the offending entry using the 'conntrack' utility.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
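To make the check Tom describes concrete, here is an added example (not part of the thread and not Shorewall's own code): it scans `conntrack -L` output for UDP flows to the DNAT target whose reply tuple still carries the untranslated port, which marks an entry created before the DNAT rule existed, and prints the `conntrack -D` command that removes each one. The conntrack listing it runs on is a constructed sample built from the thread's addresses and ports.

```shell
#!/bin/sh
# Detect conntrack entries that pre-date the DNAT rule: the original tuple
# targets DST_IP:ORIG_PORT, but the reply tuple still answers from ORIG_PORT
# instead of NAT_PORT, so the DNAT was never applied to that flow.
DST_IP=10.75.22.8
ORIG_PORT=23768   # port the clients send to
NAT_PORT=5060     # port the DNAT rule should rewrite it to (for reference)

# Constructed sample of `conntrack -L -p udp` output (not captured from the router):
# line 1 is the stale, untranslated flow; line 2 was correctly DNATed; line 3 is unrelated.
SAMPLE_CONNTRACK='udp      17 27 src=10.75.23.212 dst=10.75.22.8 sport=6060 dport=23768 [UNREPLIED] src=10.75.22.8 dst=10.75.23.212 sport=23768 dport=6060 mark=0 use=1
udp      17 29 src=10.75.23.40 dst=10.75.22.8 sport=5062 dport=23768 src=10.75.22.8 dst=10.75.23.40 sport=5060 dport=5062 [ASSURED] mark=0 use=1
udp      17 12 src=10.75.23.212 dst=10.75.22.9 sport=5353 dport=5353 [UNREPLIED] src=10.75.22.9 dst=10.75.23.212 sport=5353 dport=5353 mark=0 use=1'

# stale_entries: reads conntrack -L lines on stdin, prints "<orig src> <orig sport>"
# for every UDP entry whose reply tuple still uses the untranslated port.
stale_entries() {
    awk -v dst="$DST_IP" -v oport="$ORIG_PORT" '
    $1 == "udp" {
        # The first src/dst/sport/dport group is the original direction,
        # the second group is the reply direction.
        n = 0; split("", f)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src" || kv[1] == "dst" || kv[1] == "sport" || kv[1] == "dport") {
                n++; f[n] = kv[2]
            }
        }
        # f[1..4] = orig src,dst,sport,dport ; f[5..8] = reply src,dst,sport,dport
        if (n == 8 && f[2] == dst && f[4] == oport && f[7] == oport)
            print f[1], f[3]
    }'
}

# delete_commands: turns stale_entries output into conntrack(8) delete commands
# keyed on the original tuple (-s/--sport/-d/--dport are conntrack's own options).
delete_commands() {
    stale_entries | while read -r src sport; do
        printf 'conntrack -D -p udp -s %s --sport %s -d %s --dport %s\n' \
            "$src" "$sport" "$DST_IP" "$ORIG_PORT"
    done
}

# Run against the constructed sample. On the router, pipe the live table instead:
#   conntrack -L -p udp 2>/dev/null | delete_commands
printf '%s\n' "$SAMPLE_CONNTRACK" | delete_commands
```

After the stale entry is deleted, the next packet from 10.75.23.212 creates a fresh conntrack entry through the DNAT rule, and the reply tuple will show sport=5060.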

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users