iptables REDIRECT Works Only for First Packet: Solution

firewalliptableslinux

i need to redirect all UDP packets with destination port 15000 to port 15001 if the packet contains for example the string test. i have these two simple rules:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 15000 -m string --string 'test' --algo bm -j LOG --log-prefix='[netfilter] '
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 15000 -m string --string 'test' --algo bm -j REDIRECT --to-ports 15001

The strange behaviors:

if the first packet contains test string, redirection is done for
all packets of the connection;
if the first packet of the connection doesn't contains test, redirection is never done even if a subsequent packet contains test

However all packets matching rule are correctly logged.

i tried to add also the track information to the rule:

-m state --state NEW,ESTABLISHED

but the behaviour is the same. Some ideas?

This is the complete iptables ruleset:

filter table:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

nat table:

Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination         
 LOG        udp  --  anywhere             anywhere             udp dpt:15000 STRING match  "test" ALGO name bm TO 65535 LOG level warning prefix "[netfilter] "
 REDIRECT   udp  --  anywhere             anywhere             udp dpt:15000 STRING match  "test" ALGO name bm TO 65535 redir ports 15001

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination         

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination         

 Chain POSTROUTING (policy ACCEPT)

mangle table:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

raw table:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Best Answer

nat table rules always work only for first packet in connection. Subsequent packets of same connection never traverse nat rule list and only supported by conntrack code

As UDP is connectionless in nature, "connection" here is defined simply by addresses, ports and timeout. So, if second UDP packet with same source port and address and same destination port and address arrives within the timeout, Linux believes it belongs to established "connection" and doensn't evaluate nat rule table for it at all, reusing verdict issued for previous packet.

See here: http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html

Related Solutions

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Linux – Unable to make outbound SNMP connections when IPTables is enabled

You must put

ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED

before RH-Firewall-1-INPUT because of on RH-Firewall-1-INPUT rules there is REJECT on the end of line, the iptables read from top to down.

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 1 RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 2 ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED

If you want to add using command line, you can use:

 iptables -I OUTPUT 1 -p udp -s 0/0 --sport 1024:65535 -d 0/0 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -I INPUT 1 -p udp -s 0/0 --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

It should be like:

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 1 ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED
 2 RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Best Answer

Related Solutions

Linux – iptables port forward forwarding

Linux – Unable to make outbound SNMP connections when IPTables is enabled

Related Topic