[Shorewall-users] what am i not understanding about DNAT?
Brian J. Murrell
2016-12-06 13:11:31 UTC
On my shorewall router there is traffic entering on the tun0 interface
and exiting the br-lan interface. Any packets entering from tun0 with
a destination port of 23768 on a machine on the br-lan interface should
be port-mapped to 5060.

I have the following in my shorewall rules file:

DNAT vpn2 10.75.22.8:5060 udp 23768

Where vpn2 is

vpn2 tun0:10.75.23.0/24,+foo

and 10.75.22.8 is the destination I want to remap from port 23768 to
port 5060. The iptables rule that gets installed is:

Chain PREROUTING (policy ACCEPT 611 packets, 33855 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- tun0 * 10.75.23.0/24 0.0.0.0/0 udp dpt:23768 to:10.75.22.8:5060
0 0 DNAT udp -- tun0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:23768 match-set foo src to:10.75.22.8:5060

Nothing seems to be getting port mapped however. On tun0 we can see:

08:06:18.541475 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:19.042057 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:20.047426 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:22.052565 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472

and on br-lan we can see:

08:06:18.541685 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:18.541902 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
08:06:19.042266 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:19.042475 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
08:06:20.047639 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:20.047896 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
08:06:22.052788 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:22.053093 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508

What is it that I am missing?

As an aside, can I use REDIRECT here or is REDIRECT strictly for
port-mapping on the shorewall host itself? I thought I read otherwise...
that it could be used to map ports on remote (to shorewall) hosts also.

Cheers,
b.
Tom Eastep
2016-12-06 16:21:04 UTC
Post by Brian J. Murrell
On my shorewall router there is traffic entering on the tun0
interface and exiting the br-lan interface. Any packets entering
from tun0 with a destination port of 23768 on a machine on the
br-lan interface should be port-mapped to 5060.
DNAT vpn2 10.75.22.8:5060 udp 23768
Where vpn2 is
vpn2 tun0:10.75.23.0/24,+foo
and 10.75.22.8 is the destination I want to remap from port 23768
Chain PREROUTING (policy ACCEPT 611 packets, 33855 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- tun0 * 10.75.23.0/24 0.0.0.0/0 udp dpt:23768 to:10.75.22.8:5060
0 0 DNAT udp -- tun0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:23768 match-set foo src to:10.75.22.8:5060
08:06:18.541475 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:20.047426 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:22.052565 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:18.541685 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:18.541902 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
08:06:19.042266 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:19.042475 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
08:06:20.047639 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:20.047896 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
08:06:22.052788 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:22.053093 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
What is it that I am missing?
As an aside, can I use REDIRECT here or is REDIRECT strictly for
port-mapping on the shorewall host itself? I thought I read
otherwise... that it could be used to map ports on remote (to
shorewall) hosts also.
This is a common problem with UDP. A packet arrives on tun0 before the
DNAT rule is in place, and the resulting conntrack table entry
persists so long as matching packets continue to arrive. You can
remove the offending entry using the 'conntrack' utility.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
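The nat table is consulted only for the first packet of a connection, so a UDP flow whose conntrack entry was created before the DNAT rule existed keeps its untranslated tuple until the entry expires or is deleted. The following is an added example, not from the thread or from Shorewall: a shell helper that scans `conntrack -L` output for entries matching the rule's original tuple (udp, dst 10.75.22.8, dport 23768) whose reply tuple shows no translation, and prints the `conntrack -D` command that would remove each one. The sample table is constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `conntrack -L` output (not captured from the thread).
# Line 1: stale, un-NATed entry (reply sport still 23768, still UNREPLIED).
# Line 2: healthy DNATed entry (reply sport is 5060).
# Line 3: unrelated TCP flow, must be ignored.
SAMPLE='udp      17 29 src=10.75.23.212 dst=10.75.22.8 sport=6060 dport=23768 [UNREPLIED] src=10.75.22.8 dst=10.75.23.212 sport=23768 dport=6060 mark=0 use=1
udp      17 171 src=10.75.23.212 dst=10.75.22.8 sport=6062 dport=23768 src=10.75.22.8 dst=10.75.23.212 sport=5060 dport=6062 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.75.23.5 dst=10.75.22.8 sport=50000 dport=22 src=10.75.22.8 dst=10.75.23.5 sport=22 dport=50000 [ASSURED] mark=0 use=1'

# stale_entries DST DPORT NEWPORT  < conntrack -L output
# For every UDP entry whose original tuple is DST:DPORT but whose reply
# tuple was not rewritten to NEWPORT, emit a conntrack -D command for the
# original-direction tuple. Nothing is deleted here; review, then run.
stale_entries() {
    awk -v dst="$1" -v dport="$2" -v newport="$3" '
    $1 == "udp" {
        # Reset per-record arrays (portable idiom, no gawk-only delete).
        split("", src); split("", dstv); split("", sport); split("", dportv)
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # Each src= starts a new tuple: 1 = original, 2 = reply.
            if (kv[1] == "src")   { n++; src[n] = kv[2] }
            if (kv[1] == "dst")   { dstv[n] = kv[2] }
            if (kv[1] == "sport") { sport[n] = kv[2] }
            if (kv[1] == "dport") { dportv[n] = kv[2] }
        }
        # A DNATed entry answers from NEWPORT; an untranslated one answers
        # from the original destination port. Flag the latter.
        if (dstv[1] == dst && dportv[1] == dport && sport[2] != newport)
            printf "conntrack -D -p udp -s %s -d %s --sport %s --dport %s\n",
                   src[1], dstv[1], sport[1], dportv[1]
    }'
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE" | stale_entries 10.75.22.8 23768 5060
```

On the router, feed the live table instead: `conntrack -L | stale_entries 10.75.22.8 23768 5060`, then execute the printed command so the next packet of that flow is evaluated against the DNAT rule.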
Brian J. Murrell
2016-12-06 16:38:53 UTC
Post by Tom Eastep
This is a common problem with UDP. A packet arrives on tun0 before the
DNAT rule is in place, and the resulting conntrack table entry
persists so long as matching packets continue to arrive. You can
remove the offending entry using the 'conntrack' utility.
Ahhh. Now that you describe it, it makes complete sense, and yes,
indeed, removing the conntrack entry resolved it.

Cheers,
b.
