NAT with Redirect

Graylog Central (peer support)
1

Problem Description

All our stuff is network gear and some of the devices can only use udp/514. I want to send Aruba wireless to udp/5008 and everyone else to udp/5000.

I have this…

iptables -t nat -A PREROUTING -p udp --dport 514 --source 10.30.5.0/24 -j REDIRECT --to-port 5008
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 5000

All my Aruba devices are on 10.30.5.0/24, so this should work for me nicely.

The second line works great. All my general udp/514 traffic gets redirected to udp/5000.

But two problems:

  1. The command
    iptables -t nat -v -L -n --line-number
    …shows no hits on the source-specified NAT line 1.

  2. The new Graylog input filter on udp/5008 shows no messages coming in (probably because the NAT is not working properly yet).

How did you get your setup to work? Are there any additional tweaks you had to do?

Thank you.

Environmental information

Operating system information

centos-linux-release-8.3-1.2011.el8.noarch

Package versions

  • Graylog 4.0.7
  • MongoDB 4.2.14
  • Elasticsearch 7.10.2
2

I also tried reversing the order of the two rules. It seem the more specific rule should come first (as shown in my original post) but I figured I would try it.
The results are no better. It still doesn’t work.

I thought maybe there was a state table and resetting it would help. I tried:

iptables-save > /etc/sysconfig/iptables
service iptables restart

It still doesn’t work.

–Dan

3

Hello,

I might be able to help.

I think its suppose to be.

--to-ports

This worked on my CentOS box

iptables -t nat -A PREROUTING  --source 192.168.1.0/24 -p udp --dport 514 -j REDIRECT --to-ports 5140

Hope that helps

4

Thanks. I think I may have missed the “s” when I was transcribing this in my notes. I do have the full “–to-ports” syntax on both commands. Here is the exact syntax that is in the system.

*mangle
:PREROUTING ACCEPT [534726678:635768193437]
:INPUT ACCEPT [534726678:635768193437]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26441431:497398515947]
:POSTROUTING ACCEPT [26441431:497398515947]
COMMIT
*nat
:PREROUTING ACCEPT [17066:1874069]
:INPUT ACCEPT [19373:2188425]
:POSTROUTING ACCEPT [11179:917158]
:OUTPUT ACCEPT [11179:917158]
-A PREROUTING -s 10.30.5.0/24 -p udp -m udp --dport 514 -j REDIRECT --to-ports 5008
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 5000
COMMIT
*filter
:INPUT ACCEPT [534726693:635768194484]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26441438:497398517671]
-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 514 -j ACCEPT
COMMIT

Thanks.

5

I posted this question over at serverfaults.com. Someone was kind enough to help.

sudo yum update
sudo yum install conntrack

This utility shows the connection states. Restarting iptabes does not delete any connection state! conntrack -L will show that the state persist and if something was already being translated to upd/5000, it will continue until the sender stops sending packets and the state times out.

conntrack -F

…will flush the state table and cause the new PREROUTING REDIRECT rule to start working.

I don’t know of a way to do this without installing this additional utility.

Epic fail on iptable’s part. This should have been built into iptables. Full dumb.

Thanks everyone for your help!

1 Like
6

Hello,
@danmassa7

Thanks for sharing :smiley: ,
I haven’t had to work with PREROUTTING before in iptables. I’m learning something new also.

I was working the problem with Iptables in my lab. I did notice when I executed PREROUTTING config, and saved my configuration it showed in my iptables saved file. When I tried to remove PREROUTTING and then save my config again, it place it back in my configuration file. :thinking:

This did not work for removing PREROUTING rule.

iptables -t nat -D PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 514 -j REDIRECT --to-ports 5140

All I had to do was execute this :laughing: Took me a few to get it right.

iptables -t nat -F

Your all good, it had me stumped also.

7

For removing rules I found something that works 100%. First list all the rules, including their line number.

iptables -t nat -L -n -v --line-number

You find the line number of the rule you want to delete and then execute:

iptables -t nat -D PREROUTING {rule-number-here}

Works like a champ. I’ve never need to do the -F.

I’ve always been looking for a way to have different extractors for different types of devices, but hit a brick wall when I have multiple devices that all want to use udp/514. Now that I have the NAT REDIRECT working, sky is the limit.

Thanks for your help.

2 Likes
8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.