iptables Problem

Janina Sajka janina at rednote.net
Thu Sep 14 15:58:02 UTC 2006


Michal Jaegermann writes:
> On Wed, Sep 13, 2006 at 05:26:10PM -0400, Janina Sajka wrote:
> > For some reason the DNAT target isn't working in the following situation.
> > 
> > iptables -t nat -A PRErOUTING -i eth0 -p udp --dport 5060 -j DNAT --to 172.16.32.48
> > 
> > however
> > 
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.32.48
> > works just fine.
> > 
> > Any clue?
> 
> My first guess would be that earlier you have a rule which does
> DROP or REJECT on packets to port 5060.  I assume that "PRErOUTING"
> is a copying mistake.  Right?
> 
No, we flushed the ruleset in order to make certain we're isolating the
problem. Furthermore, iptables output suggests it's working, but it
doesn't actually work for udp, though tcp works just as it should. Here's
additional output:

iptables -t nat -I PREROUTING -p udp -d 66.92.XXX.XXX/32 --dport 5060 -j DNAT --to-destination 172.23.203.213
iptables -t nat -A PREROUTING -p tcp -d 66.92.XXX.XXX/32 --dport 5060 -j DNAT --to 172.23.203.213
iptables -t nat -I POSTROUTING -s 172.23.203.213/32 -d 0.0.0.0/0  -j SNAT --to-source 66.92.XXX.XXX


iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  anywhere             sonata.rednote.net  udp dpt:sip to:172.23.203.213
DNAT       tcp  --  anywhere             sonata.rednote.net  tcp dpt:sip to:172.23.203.213

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.23.203.213       anywhere            to:66.92.XXX.XXX

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

And yet it doesn't actually NAT the connection to 172.23.203.213:5060. Like I said before, I can get port 80 with tcp just fine.

Janina and Frank

>    Michal

-- 

Janina Sajka				Phone: +1.202.595.7777
Partner, Capital Accessibility LLC	http://CapitalAccessibility.Com

Marketing the Owasys 22C talking screenless cell phone in the U.S. and Canada--Go to http://ScreenlessPhone.Com to learn more.

Chair, Accessibility Workgroup		Free Standards Group (FSG)
janina at freestandards.org		http://a11y.org
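A check worth running in the situation above, added here as an example and not part of the thread: `iptables -t nat -L` only proves the DNAT rule is loaded, while `iptables -t nat -vnL PREROUTING` also shows per-rule packet counters, which tell whether UDP 5060 packets ever reach the rule (zero the counters with `iptables -t nat -Z PREROUTING` first, then place a test call). The functions below parse that `-vnL` output; the sample output is constructed, with the public address masked as in the post.

```sh
#!/bin/sh
# Constructed sample of `iptables -t nat -vnL PREROUTING` output (not from the
# list post): the udp rule is present but has matched nothing, the tcp rule has.
SAMPLE='Chain PREROUTING (policy ACCEPT 40 packets, 3120 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            66.92.XXX.XXX        udp dpt:5060 to:172.23.203.213
   17  1020 DNAT       tcp  --  *      *       0.0.0.0/0            66.92.XXX.XXX        tcp dpt:5060 to:172.23.203.213'

# rule_pkts PROTO DPORT  (reads iptables -vnL output on stdin)
# Prints the pkts counter of the first DNAT rule for PROTO and dpt:DPORT,
# or "missing" when no such rule is listed at all.
rule_pkts() {
    awk -v proto="$1" -v dport="$2" '
        $3 == "DNAT" && $4 == proto && match($0, "dpt:" dport "([^0-9]|$)") {
            print $1; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# dnat_verdict PROTO DPORT  (reads iptables -vnL output on stdin)
# "missing"   : no DNAT rule for that protocol/port is loaded
# "unmatched" : the rule is loaded but no packet has ever hit it
#               (traffic is not arriving, or is consumed earlier)
# "matching"  : packets are hitting the rule; look past PREROUTING
#               (forwarding, the target host, return path) instead
dnat_verdict() {
    n=$(rule_pkts "$1" "$2")
    case "$n" in
        missing) echo missing ;;
        0)       echo unmatched ;;
        *)       echo matching ;;
    esac
}

# Stand-alone demonstration on the constructed sample.
for p in udp tcp; do
    printf '%s dpt:5060 DNAT rule: %s\n' "$p" \
        "$(printf '%s\n' "$SAMPLE" | dnat_verdict "$p" 5060)"
done
```

On a live box replace the sample with `iptables -t nat -vnL PREROUTING | dnat_verdict udp 5060`; a rule that stays at zero while a call is in progress means the packets never reach the nat table, a rule that counts up means the translation happens and the fault is further along.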