8. (Tricky part.) Peer B now switches to sending UDP packets out the *same* UDP socket to the NAT'd port at Peer A.
9. (Tricky part, part 2.) Peer A now switches to sending UDP packets out the *same* UDP socket to the NAT'd port at Peer B.
Those "tricky" parts are standard when using UDP.
Now, there will be some initial timing issues, so each end has to send the other a few "filler" UDP packets to start with. But after a short time, each Peer will have sent a UDP packet to the other and then received a UDP packet from the other ... meeting the definition of "ESTABLISHED" UDP connection in the iptables reference Tom provided.

The key difference again between ipchains and iptables is that when the destination IP address changes from the EyeBall server to the other Peer, Netfilter considers that to be a NEW CONNECTION whereas ipchains does not. Furthermore, since the source IP, protocol and port duplicate the ones in the peer->server connection tracking entry, that entry is removed! So when UDP packets from the other peer arrive, there is no connection tracking entry that they match and they are considered NEW. Unless there are port forwarding rules in place, these NEW packets are rejected (or probably dropped) by the firewall.
It seems to me that this should work, if a hidden assumption (the "tricky part") in steps 8 and 9 is true -- namely, that when each Peer's UDP socket switches destination address:port, iptables continues to MASQ it at the same port. I don't know if this is true for iptables (or for ipchains), but if it isn't, I can't come up with a reasonable way for EyeBall Server to figure out what NAT'd port each Peer is using. The Peer itself has no way to know, so it can't tell EyeBall Server. Someone suggested that EyeBall Server port-scans the Peer's external IP address ... but we know how unreliable port scans are for UDP, not to mention how many red flags would go up if they did this routinely ... so I'm skeptical of that guess.
I'm sure that Sean's Bering box is logging these when he tries to connect.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ [EMAIL PROTECTED]
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
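The exchange debated above (register with the "EyeBall Server", learn the other peer's observed address, then send from the *same* UDP socket to that address with a few filler packets) as an added, runnable example. This is not code from the thread or from the EyeBall product; the server name, message format and function names are made up here. It runs entirely on loopback, so there is no NAT in the path and the address the server observes equals the socket's bound address; behind a real NAT the server would see the masqueraded port, and whether that port survives the switch of destination in steps 8 and 9 is exactly the hidden assumption the thread argues about, which no endpoint can check on its own.

```python
import json
import socket
import threading
import time

# Added example, not code from the thread. Two peers register with a rendezvous
# server from a UDP socket; the server tells each the (IP, port) it observed for
# the other (and for itself); each peer then sends from the *same* socket to the
# other peer's observed address (steps 8 and 9). Loopback only: no NAT here.

def run_rendezvous(sock, expected=2):
    """Record the source address of each peer's register message, then tell
    each peer the observed address of the other peer and of itself."""
    peers = {}
    while len(peers) < expected:
        data, addr = sock.recvfrom(1024)
        msg = json.loads(data)
        if msg.get("type") == "register":
            peers[msg["name"]] = addr          # address as seen outside any NAT
    names = list(peers)
    for i, name in enumerate(names):
        other = names[1 - i]
        reply = {"type": "peer", "name": other,
                 "addr": list(peers[other]), "you": list(peers[name])}
        sock.sendto(json.dumps(reply).encode(), peers[name])
    return peers


def run_peer(name, server_addr, timeout=3.0, fillers=5):
    """Register, learn the other peer's observed address, then punch through
    from the same socket with a few filler packets until one comes back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(timeout)
    local_addr = sock.getsockname()
    sock.sendto(json.dumps({"type": "register", "name": name}).encode(), server_addr)

    peer_addr, observed_self, early = None, None, []
    while peer_addr is None:
        data, addr = sock.recvfrom(1024)
        msg = json.loads(data)
        if addr == server_addr and msg.get("type") == "peer":
            peer_addr = tuple(msg["addr"])
            observed_self = tuple(msg["you"])
        else:
            early.append((msg, addr))          # the other peer may be ahead of us

    # Steps 8/9: same socket, new destination. A few fillers cover the window in
    # which the other side has not yet started sending (the initial timing issues).
    hello = json.dumps({"type": "hello", "from": name}).encode()
    for _ in range(fillers):
        sock.sendto(hello, peer_addr)

    heard_from = None
    for msg, addr in early:
        if addr == peer_addr and msg.get("type") == "hello":
            heard_from = msg["from"]
    deadline = time.monotonic() + timeout
    while heard_from is None and time.monotonic() < deadline:
        try:
            data, addr = sock.recvfrom(1024)
        except socket.timeout:
            break
        msg = json.loads(data)
        if addr == peer_addr and msg.get("type") == "hello":
            heard_from = msg["from"]
    sock.close()
    return {"local_addr": local_addr, "observed_self": observed_self,
            "peer_addr": peer_addr, "heard_from": heard_from,
            # True only if something between us and the server rewrote our address
            "nat_detected": observed_self != local_addr}


def demo():
    """Run the server and both peers on loopback; return each peer's result."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(5.0)
    server_addr = server.getsockname()
    results = {}

    def peer(name):
        results[name] = run_peer(name, server_addr)

    threads = [threading.Thread(target=run_rendezvous, args=(server,))]
    threads += [threading.Thread(target=peer, args=(n,)) for n in ("A", "B")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    server.close()
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The peer never tells the server its external port; the server reads it off the source address of the register packet and hands it back, which is how the "Peer itself has no way to know" objection is normally sidestepped. The early-message buffer matters: on a fast path the other peer's filler packets can arrive before the server's reply, and discarding them would make the punch look like it failed.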
