* Issue related to conntrack while insert new rule with conntrack command in linux
From: Mojtaba Esfandiari @ 2019-04-25  9:22 UTC
  To: netfilter-devel

Hello,
I read the conntrack document that you wrote about connection tracking. That
is great.
I have an issue while I am working on it. For example, I just want to add a new
rule like this:
conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 
--dport 5005 -r 192.168.122.1 -q 192.168.122.103 --reply-port-src 1111 
--reply-port-dst 2222 --timeout 30

But it doesn't work.
If I insert these two rules in iptables, the same rule as above is inserted
into the conntrack table automatically and works correctly.
iptables -t nat -A PREROUTING -i eth0 -p udp -s 192.168.122.242 --dport 
5005 -j DNAT --to 192.168.122.1:1111

iptables -t nat -A POSTROUTING -p udp --dport 1111 -j SNAT --to 
192.168.122.103:2222
How can I solve this problem?
With Best regards


* Re: Issue related to conntrack while insert new rule with conntrack command in linux
From: Mojtaba @ 2019-04-28  8:02 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

I found some great related info in
https://www.netfilter.org/projects/libnetfilter_queue/index.html
Thanks again

On Sun, Apr 28, 2019 at 10:59 AM Mojtaba <mespio@gmail.com> wrote:
>
> Hello Pablo,
> Would you please let me know how to make my own libnetfilter_queue
> application? I need a reference to read more about it and start
> working on it.
> With best regards, Mojtaba
>
> On Sat, Apr 27, 2019 at 4:00 PM Mojtaba <mespio@gmail.com> wrote:
> >
> > Thanks Pablo,
> > Actually I need this feature to redirect RTP media packets between
> > two services. I want to optimize resource consumption by using this
> > feature.
> > All things work right, but I should find the right place to insert
> > this rule in my code. Otherwise, if the service gets the first packet
> > from the endpoint while I haven't inserted the rule yet, I will face a
> > problem, because the rule was inserted before.
> > Thanks with regards, Mojtaba
> >
> > On Sat, Apr 27, 2019 at 2:13 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > >
> > > On Sat, Apr 27, 2019 at 01:31:40PM +0430, Mojtaba wrote:
> > > > Hello Pablo,
> > > > Just for better understanding, if I want to update using the -U option, how
> > > > can I do that?
> > > > Suppose there is this rule in the conntrack table:
> > > > udp      17 29 src=192.168.122.242 dst=192.168.122.103 sport=5070
> > > > dport=5005 [UNREPLIED] src=192.168.122.103 dst=192.168.122.242
> > > > sport=5005 dport
> > > > =5070 mark=0 use=1
> > > >
> > > > and I want to update it with this command:
> > > > conntrack -U -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> > > > --dport 5005 --dst-nat 192.168.122.1:1111 --src-nat
> > > > 192.168.122.103:2222 --timeout 30
> > > > Actually it was not updated and this issue was raised:
> > > > conntrack v1.4.2 (conntrack-tools): 0 flow entries have been updated.
> > >
> > > You cannot update an existing entry with NATs.
> > >
> > > You can probably make your own libnetfilter_queue application that
> > > allows you to create conntrack entries from packets, if you want to do
> > > custom NAT handling for certain traffic. You will only need to pass
> > > the first packet of the flow to userspace to set up the NAT mangling
> > > you need.
> > >
> > > I would need to learn more about your use case for this.
> >
> >
> >
> > --
> > --Mojtaba Esfandiari.S
>
>
>
> --
> --Mojtaba Esfandiari.S



-- 
--Mojtaba Esfandiari.S


* Re: Issue related to conntrack while insert new rule with conntrack command in linux
From: Mojtaba @ 2019-04-28  6:29 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hello Pablo,
Would you please let me know how to make my own libnetfilter_queue
application? I need a reference to read more about it and start
working on it.
With best regards, Mojtaba

On Sat, Apr 27, 2019 at 4:00 PM Mojtaba <mespio@gmail.com> wrote:
>
> Thanks Pablo,
> Actually I need this feature to redirect RTP media packets between
> two services. I want to optimize resource consumption by using this
> feature.
> All things work right, but I should find the right place to insert
> this rule in my code. Otherwise, if the service gets the first packet
> from the endpoint while I haven't inserted the rule yet, I will face a
> problem, because the rule was inserted before.
> Thanks with regards, Mojtaba
>
> On Sat, Apr 27, 2019 at 2:13 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > On Sat, Apr 27, 2019 at 01:31:40PM +0430, Mojtaba wrote:
> > > Hello Pablo,
> > > Just for better understanding, if I want to update using the -U option, how
> > > can I do that?
> > > Suppose there is this rule in the conntrack table:
> > > udp      17 29 src=192.168.122.242 dst=192.168.122.103 sport=5070
> > > dport=5005 [UNREPLIED] src=192.168.122.103 dst=192.168.122.242
> > > sport=5005 dport
> > > =5070 mark=0 use=1
> > >
> > > and I want to update it with this command:
> > > conntrack -U -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> > > --dport 5005 --dst-nat 192.168.122.1:1111 --src-nat
> > > 192.168.122.103:2222 --timeout 30
> > > Actually it was not updated and this issue was raised:
> > > conntrack v1.4.2 (conntrack-tools): 0 flow entries have been updated.
> >
> > You cannot update an existing entry with NATs.
> >
> > You can probably make your own libnetfilter_queue application that
> > allows you to create conntrack entries from packets, if you want to do
> > custom NAT handling for certain traffic. You will only need to pass
> > the first packet of the flow to userspace to set up the NAT mangling
> > you need.
> >
> > I would need to learn more about your use case for this.
>
>
>
> --
> --Mojtaba Esfandiari.S



-- 
--Mojtaba Esfandiari.S


* Re: Issue related to conntrack while insert new rule with conntrack command in linux
From: Mojtaba @ 2019-04-27 11:30 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Thanks Pablo,
Actually I need this feature to redirect RTP media packets between
two services. I want to optimize resource consumption by using this
feature.
All things work right, but I should find the right place to insert
this rule in my code. Otherwise, if the service gets the first packet
from the endpoint while I haven't inserted the rule yet, I will face a
problem, because the rule was inserted before.
Thanks with regards, Mojtaba

On Sat, Apr 27, 2019 at 2:13 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Sat, Apr 27, 2019 at 01:31:40PM +0430, Mojtaba wrote:
> > Hello Pablo,
> > Just for better understanding, if I want to update using the -U option, how
> > can I do that?
> > Suppose there is this rule in the conntrack table:
> > udp      17 29 src=192.168.122.242 dst=192.168.122.103 sport=5070
> > dport=5005 [UNREPLIED] src=192.168.122.103 dst=192.168.122.242
> > sport=5005 dport
> > =5070 mark=0 use=1
> >
> > and I want to update it with this command:
> > conntrack -U -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> > --dport 5005 --dst-nat 192.168.122.1:1111 --src-nat
> > 192.168.122.103:2222 --timeout 30
> > Actually it was not updated and this issue was raised:
> > conntrack v1.4.2 (conntrack-tools): 0 flow entries have been updated.
>
> You cannot update an existing entry with NATs.
>
> You can probably make your own libnetfilter_queue application that
> allows you to create conntrack entries from packets, if you want to do
> custom NAT handling for certain traffic. You will only need to pass
> the first packet of the flow to userspace to set up the NAT mangling
> you need.
>
> I would need to learn more about your use case for this.



-- 
--Mojtaba Esfandiari.S


* Re: Issue related to conntrack while insert new rule with conntrack command in linux
From: Pablo Neira Ayuso @ 2019-04-27  9:43 UTC
  To: Mojtaba; +Cc: netfilter-devel

On Sat, Apr 27, 2019 at 01:31:40PM +0430, Mojtaba wrote:
> Hello Pablo,
> Just for better understanding, if I want to update using the -U option, how
> can I do that?
> Suppose there is this rule in the conntrack table:
> udp      17 29 src=192.168.122.242 dst=192.168.122.103 sport=5070
> dport=5005 [UNREPLIED] src=192.168.122.103 dst=192.168.122.242
> sport=5005 dport
> =5070 mark=0 use=1
>
> and I want to update it with this command:
> conntrack -U -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> --dport 5005 --dst-nat 192.168.122.1:1111 --src-nat
> 192.168.122.103:2222 --timeout 30
> Actually it was not updated and this issue was raised:
> conntrack v1.4.2 (conntrack-tools): 0 flow entries have been updated.

You cannot update an existing entry with NATs.

You can probably make your own libnetfilter_queue application that
allows you to create conntrack entries from packets, if you want to do
custom NAT handling for certain traffic. You will only need to pass
the first packet of the flow to userspace to set up the NAT mangling
you need.

I would need to learn more about your use case for this.
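
As an added example (not code from the thread or from conntrack-tools), a small Python parser for the `conntrack -L` entry format quoted above: it classifies whether an entry carries DNAT/SNAT by comparing its reply tuple with the original tuple, and derives the reply tuple that `conntrack -I ... --dst-nat A:P --src-nat B:Q` (the form that worked later in the thread) records, so an operator can audit whether an existing entry already has the mapping rather than expecting -U to add it. The NATted sample line is constructed to match that command; the plain one is the entry quoted in the thread, wrapped exactly as the mailer wrapped it.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Entry quoted in the thread, mailer-wrapped across lines (even "dport\n=5070").
SAMPLE_PLAIN = """udp      17 29 src=192.168.122.242 dst=192.168.122.103 sport=5070
dport=5005 [UNREPLIED] src=192.168.122.103 dst=192.168.122.242
sport=5005 dport
=5070 mark=0 use=1"""

# Constructed: the same flow as it would list once inserted with
# --dst-nat 192.168.122.1:1111 --src-nat 192.168.122.103:2222.
SAMPLE_NATTED = ("udp 17 29 src=192.168.122.242 dst=192.168.122.103 sport=5070 "
                 "dport=5005 [UNREPLIED] src=192.168.122.1 dst=192.168.122.103 "
                 "sport=1111 dport=2222 mark=0 use=1")

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Flow:
    proto: str
    timeout: int
    orig: Tuple4   # packet as the initiator sent it
    reply: Tuple4  # packet as the responder will send it back
    unreplied: bool

def parse_conntrack_line(text: str) -> Flow:
    """Parse one `conntrack -L` entry; tolerates mailer wrapping (even 'dport' / '=5070')."""
    line = re.sub(r"\s*=\s*", "=", " ".join(text.split()))
    fields = line.split()
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: " + line)
    orig, reply = (Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples)
    return Flow(fields[0], int(fields[2]), orig, reply, "[UNREPLIED]" in line)

def nat_kind(flow: Flow) -> Set[str]:
    """Without NAT the reply tuple simply mirrors the original tuple.
    DNAT shows as the reply source differing from the original destination;
    SNAT shows as the reply destination differing from the original source."""
    kinds = set()
    if (flow.reply.src, flow.reply.sport) != (flow.orig.dst, flow.orig.dport):
        kinds.add("DNAT")
    if (flow.reply.dst, flow.reply.dport) != (flow.orig.src, flow.orig.sport):
        kinds.add("SNAT")
    return kinds

def expected_reply(orig: Tuple4, dst_nat: Optional[str], src_nat: Optional[str]) -> Tuple4:
    """Reply tuple `conntrack -I` records for the given --dst-nat / --src-nat
    values ("host" or "host:port"); an omitted port keeps the original port."""
    rsrc, rsport, rdst, rdport = orig.dst, orig.dport, orig.src, orig.sport
    if dst_nat:
        host, _, port = dst_nat.partition(":")
        rsrc, rsport = host, (int(port) if port else rsport)
    if src_nat:
        host, _, port = src_nat.partition(":")
        rdst, rdport = host, (int(port) if port else rdport)
    return Tuple4(rsrc, rdst, rsport, rdport)

def has_expected_nat(text: str, dst_nat: Optional[str], src_nat: Optional[str]) -> bool:
    """True if the listed entry already maps the flow as the NAT spec requires.
    Per the thread, -U cannot add NAT to an entry that does not."""
    flow = parse_conntrack_line(text)
    return flow.reply == expected_reply(flow.orig, dst_nat, src_nat)

if __name__ == "__main__":
    for name, text in (("plain", SAMPLE_PLAIN), ("natted", SAMPLE_NATTED)):
        f = parse_conntrack_line(text)
        print(name, sorted(nat_kind(f)) or ["no NAT"], "UNREPLIED" if f.unreplied else "")
```

Feed it the output of `conntrack -L -p udp` line by line to list which UDP entries already carry the expected mapping.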


* Re: Issue related to conntrack while insert new rule with conntrack command in linux
From: Mojtaba @ 2019-04-27  9:01 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hello Pablo,
Just for better understanding, if I want to update using the -U option, how
can I do that?
Suppose there is this rule in the conntrack table:
udp      17 29 src=192.168.122.242 dst=192.168.122.103 sport=5070
dport=5005 [UNREPLIED] src=192.168.122.103 dst=192.168.122.242
sport=5005 dport
=5070 mark=0 use=1

and I want to update it with this command:
conntrack -U -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
--dport 5005 --dst-nat 192.168.122.1:1111 --src-nat
192.168.122.103:2222 --timeout 30
Actually it was not updated and this issue was raised:
conntrack v1.4.2 (conntrack-tools): 0 flow entries have been updated.

With best regards, Mojtaba

On Sat, Apr 27, 2019 at 12:20 AM Mojtaba <mespio@gmail.com> wrote:
>
> Yes, it's perfect. I just forgot to enable ip_forwarding right now.
> The problem was because of it.
> I used this command and it works properly:
> conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> --dport 5005 --dst-nat 192.168.122.1:1234 --src-nat
> 192.168.122.103:2222 --timeout 30
>
> That's great. Thank you so much Pablo.
> With best regards
>
> On Sat, Apr 27, 2019 at 12:07 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > On Fri, Apr 26, 2019 at 11:53:29PM +0430, Mojtaba wrote:
> > > Thanks again, it works correctly now. But how can I set port 1111? I
> > > have just tried this command but it doesn't work and I don't get any
> > > packets on port 1111 on 192.168.122.1:
> > > conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> > > --dport 5005 --dst-nat 192.168.122.1:1234 --timeout 30
> > >
> > > The packets that I got on 192.168.122.1 are on either port 5070 or port
> > > 5005, like below:
> > > 23:33:38.520746 IP 192.168.122.242.5070 > 192.168.122.103.5005: UDP, length 12
> > > 23:33:38.528807 IP 192.168.122.242.5070 > 192.168.122.103.5005: UDP, length 12
> > >
> > > Actually I would like to get packets on 192.168.122.1 on port 1111 like
> > > this. If I set the two iptables rules in the nat table, I could see the
> > > packets on 192.168.122.1 like below, too:
> > > 23:33:38.528807 IP 192.168.122.103.2222 > 192.168.122.1.1111: UDP, length 12
> > > 23:33:38.528807 IP 192.168.122.103.2222 > 192.168.122.1.1111: UDP, length 12
> > >
> > > So how can I set --src-nat to 192.168.122.103 and port 2222, too?
> >
> > Does this work?
> >
> > conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1:1234 --timeout 30
>
>
>
> --
> --Mojtaba Esfandiari.S



-- 
--Mojtaba Esfandiari.S


* Re: Issue related to conntrack while insert new rule with conntrack command in linux
From: Mojtaba @ 2019-04-26 19:50 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Yes, it's perfect. I just forgot to enable ip_forwarding right now.
The problem was because of it.
I used this command and it works properly:
conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
--dport 5005 --dst-nat 192.168.122.1:1234 --src-nat
192.168.122.103:2222 --timeout 30

That's great. Thank you so much Pablo.
With best regards

On Sat, Apr 27, 2019 at 12:07 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Fri, Apr 26, 2019 at 11:53:29PM +0430, Mojtaba wrote:
> > Thanks again, it works correctly now. But how can I set port 1111? I
> > have just tried this command but it doesn't work and I don't get any
> > packets on port 1111 on 192.168.122.1:
> > conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> > --dport 5005 --dst-nat 192.168.122.1:1234 --timeout 30
> >
> > The packets that I got on 192.168.122.1 are on either port 5070 or port
> > 5005, like below:
> > 23:33:38.520746 IP 192.168.122.242.5070 > 192.168.122.103.5005: UDP, length 12
> > 23:33:38.528807 IP 192.168.122.242.5070 > 192.168.122.103.5005: UDP, length 12
> >
> > Actually I would like to get packets on 192.168.122.1 on port 1111 like
> > this. If I set the two iptables rules in the nat table, I could see the
> > packets on 192.168.122.1 like below, too:
> > 23:33:38.528807 IP 192.168.122.103.2222 > 192.168.122.1.1111: UDP, length 12
> > 23:33:38.528807 IP 192.168.122.103.2222 > 192.168.122.1.1111: UDP, length 12
> >
> > So how can I set --src-nat to 192.168.122.103 and port 2222, too?
>
> Does this work?
>
> conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1:1234 --timeout 30



-- 
--Mojtaba Esfandiari.S


* Re: Issue related to conntrack while insert new rule with conntrack command in linux
From: Pablo Neira Ayuso @ 2019-04-26 19:37 UTC
  To: Mojtaba; +Cc: netfilter-devel

On Fri, Apr 26, 2019 at 11:53:29PM +0430, Mojtaba wrote:
> Thanks again, it works correctly now. But how can I set port 1111? I
> have just tried this command but it doesn't work and I don't get any
> packets on port 1111 on 192.168.122.1:
> conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> --dport 5005 --dst-nat 192.168.122.1:1234 --timeout 30
> 
> The packets that I got on 192.168.122.1 are on either port 5070 or port
> 5005, like below:
> 23:33:38.520746 IP 192.168.122.242.5070 > 192.168.122.103.5005: UDP, length 12
> 23:33:38.528807 IP 192.168.122.242.5070 > 192.168.122.103.5005: UDP, length 12
> 
> Actually I would like to get packets on 192.168.122.1 on port 1111 like
> this. If I set the two iptables rules in the nat table, I could see the
> packets on 192.168.122.1 like below, too:
> 23:33:38.528807 IP 192.168.122.103.2222 > 192.168.122.1.1111: UDP, length 12
> 23:33:38.528807 IP 192.168.122.103.2222 > 192.168.122.1.1111: UDP, length 12
> 
> So how can I set --src-nat to 192.168.122.103 and port 2222, too?

Does this work?

conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1:1234 --timeout 30


* Re: Issue related to conntrack while insert new rule with conntrack command in linux
From: Mojtaba @ 2019-04-26 19:23 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Thanks again, it works correctly now. But how can I set port 1111? I
have just tried this command but it doesn't work and I don't get any
packets on port 1111 on 192.168.122.1:
conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
--dport 5005 --dst-nat 192.168.122.1:1234 --timeout 30

The packets that I got on 192.168.122.1 are on either port 5070 or port
5005, like below:
23:33:38.520746 IP 192.168.122.242.5070 > 192.168.122.103.5005: UDP, length 12
23:33:38.528807 IP 192.168.122.242.5070 > 192.168.122.103.5005: UDP, length 12

Actually I would like to get packets on 192.168.122.1 on port 1111 like
this. If I set the two iptables rules in the nat table, I could see the
packets on 192.168.122.1 like below, too:
23:33:38.528807 IP 192.168.122.103.2222 > 192.168.122.1.1111: UDP, length 12
23:33:38.528807 IP 192.168.122.103.2222 > 192.168.122.1.1111: UDP, length 12

So how can I set --src-nat to 192.168.122.103 and port 2222, too?
With best regards, Mojtaba

On Fri, Apr 26, 2019 at 3:15 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Thu, Apr 25, 2019 at 07:38:20PM +0430, Mojtaba wrote:
> > Hello all,
> > I read the man conntrack guide. That is great.
> > I have an issue while I am working on it. For example, I just want to insert a
> > new rule in the conntrack table like this:
> > conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> > --dport 5005 -r 192.168.122.1 -q 192.168.122.103 --reply-port-src 1111
> > --reply-port-dst 2222 --timeout 30
> >
> > It is successfully inserted but doesn't work, and traffic goes to the INPUT chain.
> > If I insert these two rules in iptables, the same rule as above is inserted
> > in the conntrack table automatically and works correctly (the traffic
> > is forwarded to the 192.168.122.1 host):
> > iptables -t nat -A PREROUTING -i eth0 -p udp -s 192.168.122.242
> > --dport 5005 -j DNAT --to 192.168.122.1:1111
> >
> > iptables -t nat -A POSTROUTING -p udp --dport 1111 -j SNAT --to
> > 192.168.122.103:2222
>
> Have a look at --dst-nat option, eg.
>
> conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1 --timeout 30



-- 
--Mojtaba Esfandiari.S


* Re: Issue related to conntrack while insert new rule with conntrack command in linux
From: Mojtaba @ 2019-04-26 10:22 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Thanks, I'll check it out and let you know.
With best regards, Mojtaba

On Fri, Apr 26, 2019 at 3:15 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Thu, Apr 25, 2019 at 07:38:20PM +0430, Mojtaba wrote:
> > Hello all,
> > I read the man conntrack guide. That is great.
> > I have an issue while I am working on it. For example, I just want to insert a
> > new rule in the conntrack table like this:
> > conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> > --dport 5005 -r 192.168.122.1 -q 192.168.122.103 --reply-port-src 1111
> > --reply-port-dst 2222 --timeout 30
> >
> > It is successfully inserted but doesn't work, and traffic goes to the INPUT chain.
> > If I insert these two rules in iptables, the same rule as above is inserted
> > in the conntrack table automatically and works correctly (the traffic
> > is forwarded to the 192.168.122.1 host):
> > iptables -t nat -A PREROUTING -i eth0 -p udp -s 192.168.122.242
> > --dport 5005 -j DNAT --to 192.168.122.1:1111
> >
> > iptables -t nat -A POSTROUTING -p udp --dport 1111 -j SNAT --to
> > 192.168.122.103:2222
>
> Have a look at --dst-nat option, eg.
>
> conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1 --timeout 30



-- 
--Mojtaba Esfandiari.S


* Re: Issue related to conntrack while insert new rule with conntrack command in linux
From: Pablo Neira Ayuso @ 2019-04-25 22:45 UTC
  To: Mojtaba; +Cc: netfilter-devel

On Thu, Apr 25, 2019 at 07:38:20PM +0430, Mojtaba wrote:
> Hello all,
> I read the man conntrack guide. That is great.
> I have an issue while I am working on it. For example, I just want to insert a
> new rule in the conntrack table like this:
> conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> --dport 5005 -r 192.168.122.1 -q 192.168.122.103 --reply-port-src 1111
> --reply-port-dst 2222 --timeout 30
> 
> It is successfully inserted but doesn't work, and traffic goes to the INPUT chain.
> If I insert these two rules in iptables, the same rule as above is inserted
> in the conntrack table automatically and works correctly (the traffic
> is forwarded to the 192.168.122.1 host):
> iptables -t nat -A PREROUTING -i eth0 -p udp -s 192.168.122.242
> --dport 5005 -j DNAT --to 192.168.122.1:1111
> 
> iptables -t nat -A POSTROUTING -p udp --dport 1111 -j SNAT --to
> 192.168.122.103:2222

Have a look at the --dst-nat option, e.g.

conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070 --dport 5005 --dst-nat 192.168.122.1 --timeout 30


* Re: Issue related to conntrack while insert new rule with conntrack command in linux
From: Mojtaba @ 2019-04-25 15:08 UTC
  To: netfilter-devel

Hello all,
I read the man conntrack guide. That is great.
I have an issue while I am working on it. For example, I just want to insert a
new rule in the conntrack table like this:
conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
--dport 5005 -r 192.168.122.1 -q 192.168.122.103 --reply-port-src 1111
--reply-port-dst 2222 --timeout 30

It is successfully inserted but doesn't work, and traffic goes to the INPUT chain.
If I insert these two rules in iptables, the same rule as above is inserted
in the conntrack table automatically and works correctly (the traffic
is forwarded to the 192.168.122.1 host):
iptables -t nat -A PREROUTING -i eth0 -p udp -s 192.168.122.242
--dport 5005 -j DNAT --to 192.168.122.1:1111

iptables -t nat -A POSTROUTING -p udp --dport 1111 -j SNAT --to
192.168.122.103:2222

How can I solve this problem?
With best regards, Mojtaba

On Thu, Apr 25, 2019 at 7:29 PM Mojtaba <mespio@gmail.com> wrote:
>
> Hello all,
> I read the man conntrack guide. That is great.
> I have an issue while I am working on it. For example, I just want to add a
> new rule like this:
> conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
> --dport 5005 -r 192.168.122.1 -q 192.168.122.103 --reply-port-src 1111
> --reply-port-dst 2222 --timeout 30
>
> But it doesn't work.
> If I insert these two rules in iptables, the same rule as above is inserted
> in the conntrack table automatically and works correctly:
> iptables -t nat -A PREROUTING -i eth0 -p udp -s 192.168.122.242
> --dport 5005 -j DNAT --to 192.168.122.1:1111
>
> iptables -t nat -A POSTROUTING -p udp --dport 1111 -j SNAT --to
> 192.168.122.103:2222
> How can I solve this problem?
> With best regards, Mojtaba
>
>
> --
> --Mojtaba Esfandiari.S



-- 
--Mojtaba Esfandiari.S


* Issue related to conntrack while insert new rule with conntrack command in linux
From: Mojtaba @ 2019-04-25 14:59 UTC
  To: netfilter-devel

Hello all,
I read the man conntrack guide. That is great.
I have an issue while I am working on it. For example, I just want to add a
new rule like this:
conntrack -I -p udp -s 192.168.122.242 -d 192.168.122.103 --sport 5070
--dport 5005 -r 192.168.122.1 -q 192.168.122.103 --reply-port-src 1111
--reply-port-dst 2222 --timeout 30

But it doesn't work.
If I insert these two rules in iptables, the same rule as above is inserted
in the conntrack table automatically and works correctly:
iptables -t nat -A PREROUTING -i eth0 -p udp -s 192.168.122.242
--dport 5005 -j DNAT --to 192.168.122.1:1111

iptables -t nat -A POSTROUTING -p udp --dport 1111 -j SNAT --to
192.168.122.103:2222
How can I solve this problem?
With best regards, Mojtaba


-- 
--Mojtaba Esfandiari.S
