Ray Olszewski wrote:
> Ah -- yes, now I see what you are getting at. Yet, it's apparently not working....
>
> At 11:34 AM 2/12/03 -0800, Tom Eastep wrote:
> > 8. (Tricky part.) Peer B now switches to sending UDP packets out the *same* UDP socket to the NAT'd port at Peer A.
> > [...]
> > 9. (Tricky part, part 2.) Peer A now switches to sending UDP packets out the *same* UDP socket to the NAT'd port at Peer B.
>
> The key difference again between ipchains and iptables is that when the destination IP address changes from the EyeBall server to the other Peer, Netfilter considers that to be a NEW CONNECTION whereas ipchains does not. Furthermore, since the source IP, protocol and port duplicate the ones in the peer->server connection tracking entry, that entry is removed! So when UDP packets from the other peer arrive, there is no connection tracking entry that they match and they are considered NEW. Unless there are port forwarding rules in place, these NEW packets are rejected (or probably dropped) by the firewall.
Are you sure? Look at my steps 8 and 9 in closer focus.
8a. Peer B sends the first UDP packet to the NAT'd port at Peer A. This has two effects:
-- starts a NEW outgoing UDP connection on Peer B
-- packet is REJECTed or DENYed at Peer A
9a. Peer A simultaneously sends the first UDP packet to the NAT'd port at Peer B. This has two effects:
-- starts a NEW outgoing UDP connection at Peer A
-- packet is REJECTed or DENYed at Peer B
8b. Peer B sends the second UDP packet to the NAT'd port at Peer A. This:
-- continues the NEW outgoing connection at Peer B created in step 8a.
-- causes the NEW connection at Peer A to become ESTABLISHED, since the response comes from the correct address:port at Peer B
9b. Peer A sends the second UDP packet to the NAT'd port at Peer B. This:
-- continues the NEW outgoing connection at Peer A created in step 9a.
-- causes the NEW connection at Peer B to become ESTABLISHED, since the response comes from the correct address:port at Peer A
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ [EMAIL PROTECTED]
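The state transitions Tom walks through in 8a/9a/8b/9b can be checked with a small model of a stateful UDP filter. The following is an added illustration, not code from this thread or from Shorewall: it tracks flows by 4-tuple, lets outgoing packets create a NEW entry, accepts an incoming packet only when it is the reply to a tracked flow (promoting it to ESTABLISHED), and drops everything else. The addresses, ports and the serialization of the "simultaneous" sends are constructed assumptions. Because deliveries have to happen in some order, the model shows that the first packet to reach a peer that has not yet sent is dropped, every packet after that matches as a reply, and both sides finish with their flow ESTABLISHED, which is the outcome steps 8b/9b rely on.

```python
# Toy model of Netfilter-style UDP connection tracking during the two-round
# UDP "hole punch" discussed above.  Added illustration only; the policy is
# modelled on the description in the thread, not on Shorewall's rule set.
from dataclasses import dataclass, field

Tuple4 = tuple  # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self) -> Tuple4:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse(self) -> Tuple4:
        # The flow this packet would be a reply to, seen from the receiver.
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class PeerFirewall:
    """Stateful filter in front of one peer.
    Outgoing UDP: always allowed, creates a NEW entry keyed by the 4-tuple.
    Incoming UDP: allowed only if it is the reply to a tracked flow, which
    moves that flow to ESTABLISHED; anything unsolicited is dropped."""
    name: str
    table: dict = field(default_factory=dict)  # Tuple4 -> "NEW" | "ESTABLISHED"
    log: list = field(default_factory=list)

    def send(self, pkt: Packet) -> str:
        key = pkt.key()
        state = self.table.setdefault(key, "NEW")
        self.log.append(f"{self.name}: {state} outgoing {key}")
        return state

    def receive(self, pkt: Packet) -> bool:
        """True if accepted (matched a tracked flow), False if dropped."""
        key = pkt.reverse()
        if key in self.table:
            self.table[key] = "ESTABLISHED"
            self.log.append(f"{self.name}: ACCEPT reply, flow {key} now ESTABLISHED")
            return True
        self.log.append(f"{self.name}: DROP unsolicited {pkt.key()}")
        return False


def hole_punch(order=("A", "B")) -> dict:
    """Two rounds of 'each peer sends one packet to the other's NAT'd port'.
    `order` is how the network happens to serialize the two sends in each
    round (a constructed assumption; real timing varies)."""
    fw = {"A": PeerFirewall("A"), "B": PeerFirewall("B")}
    # Constructed addresses: the public address:port each peer learned from
    # the rendezvous server in the earlier steps of the thread.
    out = {
        "A": Packet("198.51.100.10", 40000, "203.0.113.20", 50000),
        "B": Packet("203.0.113.20", 50000, "198.51.100.10", 40000),
    }
    peer_of = {"A": "B", "B": "A"}
    accepted = []  # (round, sender, accepted_at_receiver)
    for rnd in (1, 2):
        for who in order:
            fw[who].send(out[who])
            ok = fw[peer_of[who]].receive(out[who])
            accepted.append((rnd, who, ok))
    return {
        "accepted": accepted,
        "A": fw["A"].table[out["A"].key()],
        "B": fw["B"].table[out["B"].key()],
        "log": fw["A"].log + fw["B"].log,
    }


if __name__ == "__main__":
    result = hole_punch()
    for line in result["log"]:
        print(line)
    print("final state: A =", result["A"], " B =", result["B"])
```

Running it with either ordering shows the same shape: exactly one first-round packet is dropped (the one that arrives before the receiving peer has created its own outgoing entry), and after the second round both flows are ESTABLISHED, so no port-forwarding rule is needed once each peer has sent out the same socket it used toward the server.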
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
