IP Networking forum, post 302644439 by cjh19460 on Tuesday 22nd of May 2012 12:16:46 AM
iptables DNAT of outgoing destination port, unexpected behavior

Not sure if this should be here or in the security section.

I am developing software that dynamically manipulates netfilter/iptables rules (through system() calls of the command strings, I'm not trying to hack the netfilter code). Basically, for UDP messages that are sent by an application on, say, port 55555, I have some rules that DNAT that port to some other port calculated from a time and key based algorithm. That port is recalculated every couple of seconds, and the DNAT rule is replaced. The idea here is to have the port number hop periodically.

This all appeared to be working fine, iptables lists showing the DNAT rule changing exactly as expected, until I saw traffic getting through that shouldn't (I'm sending multiple datagrams per second), so I fired up wireshark. What I noticed is this - when the first message goes out, the destination port nicely gets translated to the calculated port. But, after this, when the DNAT rule is dynamically changed, the traffic going across the network (between virtual machines in this experiment) continues to show the first calculated destination port.

I also have noticed that if I stop sending for at least 30 seconds and then restart, the messages start to go out using the port number appropriate for this new time slot. Also, if I stop and restart the sending program, it also picks the first correct DNATed destination port and sticks on that one.

So what appears to be happening here is that there is some persistence to that DNAT first port assignment even though I change the DNAT rule. The persistence appears on both ends, because the recipient is running a parallel algorithm for its DNAT rules that should only be allowing the calculated port but also seems to permit passages on this first calculated port as long as they come no less than 30 seconds apart. After 30 seconds, or after stop and restart of the sending app, the persistence is broken (only to be re-established on the next calculated port number).

I don't understand what is causing this persistence - do "established connections" also apply to UDP traffic? Is there a way to eliminate this persistence, or at least make it a much shorter time?

Here's an example of how I set up the rules (executed programmatically with system()):

Code:
iptables -t nat -N dport-dnat
iptables -t nat -A dport-dnat -p udp --dport 55555 -j DNAT --to-destination :51279
iptables -t nat -I OUTPUT -p udp -j dport-dnat

then in accordance with my timers something like this will be executed:

Code:
iptables -t nat -R dport-dnat 1 -p udp --dport 55555 -j DNAT --to-destination :52871   # -R needs the number (1) of the rule being replaced

I always check status, I'm not getting any errors on the calls.

Thanks for any clues.

Last edited by Scrutinizer; 05-22-2012 at 02:07 AM. Reason: code tags
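On Linux the NAT decision is made once, on the first packet of a flow, and stored in that flow's connection-tracking entry, UDP included; later datagrams with the same source/destination tuple reuse the stored translation regardless of rule changes until the entry idles out (30 s by default for unreplied UDP, the delay seen above). The helper below, added here and not from the post, replaces the rule and then deletes the tracked flow so the next datagram is translated with the current rule; it assumes conntrack-tools provides the conntrack command, that the chain holds exactly one rule, and that it runs as root (a dry run only prints the commands).

```shell
#!/bin/sh
# Port-hop helper: replace the DNAT target port and delete the conntrack
# entry that keeps an existing UDP flow on the previous translation.
set -eu

APP_PORT=55555      # port the application really sends to (from the post)
CHAIN=dport-dnat    # nat chain from the post, assumed to hold exactly one rule

# iptables command that swaps rule 1 of the chain for a new target port.
replace_rule_cmd() {
    printf 'iptables -t nat -R %s 1 -p udp --dport %s -j DNAT --to-destination :%s\n' \
        "$CHAIN" "$APP_PORT" "$1"
}

# conntrack-tools (assumed installed) command that removes every tracked UDP
# flow whose original destination port is APP_PORT, so the next datagram is
# NATed afresh and picks up whatever rule is current at that moment.
flush_cmd() {
    printf 'conntrack -D -p udp --orig-port-dst %s\n' "$APP_PORT"
}

# Idle timeout (seconds) after which an unreplied UDP entry expires on its own;
# 30 is the kernel default and matches the delay observed in the post.
udp_timeout() {
    f=/proc/sys/net/netfilter/nf_conntrack_udp_timeout
    if [ -r "$f" ]; then cat "$f"; else echo 30; fi
}

# rotate_port NEWPORT: validate, then replace the rule and flush the flow.
# With DRY_RUN=1 it only prints the two commands it would run.
rotate_port() {
    new=$1
    case "$new" in ''|*[!0-9]*) echo "rotate_port: bad port '$new'" >&2; return 1 ;; esac
    if [ "$new" -lt 1024 ] || [ "$new" -gt 65535 ]; then
        echo "rotate_port: port $new out of range" >&2; return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        replace_rule_cmd "$new"; flush_cmd; return 0
    fi
    eval "$(replace_rule_cmd "$new")"
    # Do not abort the rotation if there was no tracked entry to delete.
    eval "$(flush_cmd)" >/dev/null 2>&1 || true
}

# One rotation as the post's timer would drive it; defaults to a dry run.
: "${DRY_RUN:=1}"
rotate_port 52871
```

Lowering nf_conntrack_udp_timeout shortens the window without conntrack-tools, but the flush is what makes a rule change take effect immediately.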
 

SHOREWALL6-NETMAP(5)

NAME
    netmap - Shorewall6 NETMAP definition file

SYNOPSIS
    /etc/shorewall/netmap

DESCRIPTION
    This file is used to map addresses in one network to corresponding addresses in a second network. It was added in Shorewall6 in 4.4.23.3.

    Warning: To use this file, your kernel and ip6tables must have RAWPOST table support included.

    The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).

    TYPE - {DNAT|SNAT}:{P|O|T}
        Must be DNAT or SNAT followed by :P, :O or :T to perform stateless NAT. Stateless NAT requires Rawpost Table support in your kernel and iptables (see the output of shorewall6 show capabilities).
        If DNAT:P, traffic entering via INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2.
        If SNAT:T, traffic leaving INTERFACE with a source address in NET1 has its source address rewritten to the corresponding address in NET2.
        If DNAT:O, traffic originating on the firewall and leaving via INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2.
        If SNAT:P, traffic entering via INTERFACE with a destination address in NET1 has its source address rewritten to the corresponding address in NET2.
        If SNAT:O, traffic originating on the firewall and leaving via INTERFACE with a source address in NET1 has its source address rewritten to the corresponding address in NET2.

    NET1 - network-address
        Network in CIDR format (e.g., 2001:470:b:227/64). Beginning in Shorewall6 4.4.24, exclusion[1] is supported.

    INTERFACE - interface
        The name of a network interface. The interface must be defined in shorewall6-interfaces[2](5). Shorewall allows loose matches to wildcard entries in shorewall6-interfaces(5). For example, ppp0 in this file will match a shorewall6-interfaces(5) entry that defines ppp+.

    NET2 - network-address
        Network in CIDR format.

    NET3 - network-address
        Optional - added in Shorewall 4.4.11. If specified, qualifies INTERFACE. It specifies a SOURCE network for DNAT rules and a DESTINATION network for SNAT rules.

    PROTO (Optional) - protocol-number-or-name
        Only packets specifying this protocol will have their IP header modified.

    DEST PORT(S) (dport) - port-number-or-name-list
        Destination Ports. An optional comma-separated list of port names (from services(5)), port numbers or port ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP.
        If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading "--" (example: bit for bit-torrent). If no PORT is given, ipp2p is assumed.
        An entry in this field requires that the PROTO column specify icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following fields is supplied.

    SOURCE PORT(S) (sport) - port-number-or-name-list
        Optional source port(s). If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges. An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following fields is supplied.

FILES
    /etc/shorewall/netmap

SEE ALSO
    http://shorewall.net/netmap.html
    http://shorewall.net/configuration_file_basics.htm#Pairs

NOTES
    1. exclusion
       http://www.shorewall.net/manpages6/shorewall6-exclusion.html
    2. shorewall6-interfaces
       http://www.shorewall.net/manpages6/shorewall6-interfaces.html

06/28/2012                                                  SHOREWALL6-NETMAP(5)