We currently have some rules set up in iptables that look like the below:

    -A PREROUTING -d dstip/32 -p udp -m udp --dport 27035 -m u32 --u32 '<payload match>' -j REDIRECT --to-ports 21010

This redirects packets containing that payload to our caching programs; this works great. However, only "new" packets are hitting this NAT rule.

After some looking around, I managed to solve this issue by setting the following:

    sudo sysctl -w net.netfilter.nf_conntrack_udp_timeout=0
    sudo sysctl -w net.netfilter.nf_conntrack_udp_timeout_stream=0

This introduced another problem where ALL UDP packets were being set to this. During a small UDP flood, this would cause all UDP traffic on the server to halt.

I'm needing to redirect ALL UDP packets containing a certain payload to another port on the same machine. We have another program listening on this port that replies to this payload. This is due to a query flood that usually freezes up one of our applications, so we offload this query to another program.

Any solutions to this? Been looking around for months without any sort of answer.

I have two completely different methods to solve this problem:

iptables with conntrack zones

Conntrack zones allow multiple conntrack instances (per network namespace). By adding an orig-zone tag to the packet and thus flow, it's possible to have two conntrack instances splitting the (half created) flow in two parts: the normal packets and the matching packets, each in its own flow.

Instead of duplicating the test, a mark will be put in place after the one test done on the packet. Thus usual NAT rules will continue to work and can happen twice instead of once: once for the normal packets and once for the matching packets.

    iptables -t raw -A PREROUTING -d dstip/32 -p udp -m udp --dport 27035 -m u32 --u32 '<payload match>' -j MARK --set-mark 1
    iptables -t raw -A PREROUTING -m mark --mark 1 -j CT --zone-orig 1
    iptables -t nat -A PREROUTING -p udp -m mark --mark 1 -j REDIRECT --to-ports 21010

Example of conntrack results:

    # conntrack -E -p udp --orig-port-dst 27035
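The rules above leave the actual `--u32` argument out. The following is an added example, not code from the question or the answer: it builds that u32 expression for a given UDP payload prefix (rebasing on the IP header length so IP options do not break it) and evaluates it against constructed IPv4/UDP packets the way xt_u32 does, including the case where the payload is too short for the 4-byte reads. The prefix `QUERY1`, the addresses and the packets are constructed for illustration.

```python
import re
import struct

MASK32 = 0xFFFFFFFF


def u32_udp_payload(prefix: bytes) -> str:
    """iptables u32 expression matching a UDP payload that starts with `prefix`.
    `0>>22&0x3C@` rebases reads at the UDP header (IHL*4), the payload starts 8
    bytes later. Each test reads 4 bytes, so a packet carrying fewer bytes than
    the last read needs is reported by xt_u32 as a non-match."""
    tests = []
    for off in range(0, len(prefix), 4):
        chunk = prefix[off:off + 4]
        word = int.from_bytes(chunk.ljust(4, b"\0"), "big")
        mask = (MASK32 << 8 * (4 - len(chunk))) & MASK32   # mask a short tail
        loc = f"0>>22&0x3C@{8 + off}" + (f"&0x{mask:08X}" if mask != MASK32 else "")
        tests.append(f"{loc}=0x{word:08X}")
    return " && ".join(tests)


def u32_match(packet: bytes, expr: str) -> bool:
    """Evaluate `expr` on a raw IPv4 packet as xt_u32 does: '@' adds the current
    value to a cumulative base, and any read past the end is a non-match."""
    def read32(pos):
        if pos + 4 > len(packet):
            raise IndexError("read past end of packet")
        return int.from_bytes(packet[pos:pos + 4], "big")
    try:
        for test in expr.split("&&"):
            loc, wanted = test.strip().split("=")
            tok = re.findall(r">>|<<|&|@|0x[0-9A-Fa-f]+|\d+", loc)
            base, val = 0, read32(int(tok[0], 0))
            for op, num in zip(tok[1::2], tok[2::2]):
                n = int(num, 0)
                if op == ">>": val >>= n
                elif op == "<<": val = (val << n) & MASK32
                elif op == "&": val &= n
                else: base += val; val = read32(base + n)   # '@'
            ranges = [v.partition(":") for v in wanted.split(",")]
            if not any(int(lo, 0) <= val <= int(hi or lo, 0) for lo, _, hi in ranges):
                return False
    except IndexError:
        return False
    return True


def udp_packet(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed IPv4/UDP packet to port 27035 (checksums left at zero)."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 8 + len(payload), 0, 0,
                     64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    return ip + struct.pack("!HHHH", 40000, 27035, 8 + len(payload), 0) + payload
```

The returned string is what goes after `--u32` in the MARK rule; quote it in the shell because of the `&&`.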