Re: 2.4.18 NAT Problems with udp packets; kernel doesnt care about changed rules

From: Andreas Beham (
Date: Fri May 03 2002 - 13:58:12 EST

----- Original Message -----
From: "Christian Koenig" <"ChristianK.">
To: "Andreas Beham" <>
Sent: Friday, May 03, 2002 8:54 PM
Subject: Re: 2.4.18 NAT Problems with udp packets; kernel doesnt care about
changed rules

> Hi,
> > Hi,
> >
> > I have a Linux Box configured as Router for my Network. Behind my
> > are several Win/Mac/Linux Clients. Today I tried to play Dungeon Siege
> > on my Notebook (WinXP) which is behind my router with my friend.
> > so the connection looks like the following (did tcpdump, dont have the
> > actual data available though):
> > myNotebook.2302 -> myRouter.someport
> > myRouter.2302 -> Friend.6073 udp blah blah
> > Friend.6073 -> myRouter.2302 udp blah blah
> > myRouter.2302 -> Friend.6073 icmp udp port 2302 unreachable
> >
> > the following line in my fw script does masquerading:
> > $FILTER = /sbin/iptables
> > $EXTINT = ppp0 (most of the time, but it happened under 2.2.x that the
> > kernel went crazy and started naming them ppp0 ppp1 ppp2 ppp3..., hasnt
> > happened in a while)
> >
> > Playing DS over the internet ONLY works with this line added (
> > my notebook):
> > $FILTER -t nat -A PREROUTING -i $EXTINT -p udp -d $EXTIP --dport
> > 2300:2400 -j DNAT --to
> > no else changes need to be made
> >
> > And here comes the next trouble. Flushing all rules and loading again
> > my previous rules + this new one did not change a thing! I had to
> > disconnect from the internet for some seconds and then reconnect and
> > the script again. Only then did the kernel get the changes and route
> > correctly. If I just flushed the rules and reloaded them, the kernel
> > a damn about it and ignores the new rules. For example I had udp
> > directed to I changed it in the script (so that it directs
> > to and reloaded it. Still on tcpdump I could see that the
> > packets went to and not where they should be going
> This is completly normal, because of connection tracking.
> Only the first udp packet is adjusted by the DNAT rule, after this every
> packet, after this the kernel "remembers" that there is a connection
> and the (DS) server on the internet, and routes every packet
> automatically to your machine.
> copy & paste out off the iptables man page:
> This target is only valid in the nat table, in the PREROUTING and
> OUTPUT chains, and user-defined chains which are only
> called from those chains. It specifies that the destination
> of the packet should be modified (and all future
> packets in this connection will also be mangled), and rules should
> cease being examined. It takes one option:
> sorry, but i don't have any idea what you could do about it.
> cu, Christian Koenig.


Thanks for your explanation.
Still I think masquerading has to be automatically done without specifying
DNAT rules, because an outgoing connection was already established.
When the kernel routes to myfriend.6073 then actually packets
from myfriend.6073 should be routed to, not?
If it werent so I could not surf the net from my lan because basically its
the same. is routed to wwwserver.80 and back without
I can play other games just fine aswell over the internet.

Besides, I think the thing with connection tracking isnt all that good when
the kernel doesnt recognize changed rules. Shouldnt changed rules lead to
changed behaviour?


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

This archive was generated by hypermail 2b29 : Tue May 07 2002 - 22:00:20 EST