On 08/30/2015 03:55 PM, Nerijus Baliunas wrote:
> Hello,
> 
> An application (steam) uses WAN interface to send broadcasts. I set up
> network namespaces so that steam does not see WAN interface:
> 
> ip netns add steam
> ip link add veth0 type veth peer name veth1
> brctl addif br1 veth1
> ip link set veth0 netns steam
> ip netns exec steam ip link set dev veth0 up
> ip link set dev veth1 up
> ip netns exec steam ip link set lo up
> ip netns exec steam ip addr add 192.168.1.11/24 broadcast 192.168.1.255 dev veth0
> ip netns exec steam ip route add default via 192.168.1.10
> 
> Before using namespaces steam sent broadcast packets via WAN interface:
> 23596  73.037108 5.20.215.xx -> 5.20.215.255 UDP 135 Source port: 27036  Destination port: 27036
> 
> Now it sends via LAN, but to the wrong broadcast address:
> 252   3.250078 192.168.1.11 -> 5.20.215.255 UDP 136 Source port: 27036  Destination port: 27036
> 
> It should send broadcasts to 192.168.1.255 and not 5.20.215.255.
> I don't know how steam knows my WAN broadcast address if I use namespaces.

What is the output of:

        ip netns exec steam ip addr ls
        ip netns exec steam ip route ls
> 
> A question - is it possible to redirect broadcast destined to 5.20.215.255 to 
> 192.168.1.255?
> I quickly tried to use the following rule unsuccessfully:

> DNAT   loc     loc:192.168.1.255       udp     27036   27036   5.20.215.255
> 

Did that rule change the destination address?

You also need to SNAT the broadcasts and to DNAT any responses
(Netfilter doesn't do that automatically).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
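
Added example, not part of the original message: a Python sketch that classifies the destination of each captured UDP packet against the address configured on veth0 in the namespace. It shows that, seen from inside the namespace, 5.20.215.255 is an off-link address that gets routed via the default gateway rather than broadcast. The second capture line and the names `classify` and `audit` are constructed for illustration.

```python
import ipaddress
import re

# Address configured on veth0 by the commands quoted in the message.
NETNS_IFACES = [ipaddress.ip_interface("192.168.1.11/24")]

# First line is the capture line quoted in the message; the second is a
# constructed example of the behaviour the poster expected.
CAPTURE = """\
252   3.250078 192.168.1.11 -> 5.20.215.255 UDP 136 Source port: 27036  Destination port: 27036
253   3.251002 192.168.1.11 -> 192.168.1.255 UDP 136 Source port: 27036  Destination port: 27036
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+[\d.]+\s+(\S+) -> (\S+)\s+UDP\b")


def classify(dst, ifaces):
    """Describe how a host with these interfaces treats destination dst."""
    dst = ipaddress.ip_address(dst)
    if dst == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    for iface in ifaces:
        if dst == iface.network.broadcast_address:
            return "subnet-broadcast"
        if dst in iface.network:
            return "on-link-unicast"
    # Not in any connected subnet: sent to the default gateway as unicast.
    return "off-link"


def audit(capture, ifaces):
    """Return (frame, src, dst, verdict) for every parsable UDP line."""
    results = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        frame, src, dst = m.groups()
        try:
            verdict = classify(dst, ifaces)
        except ValueError:  # malformed or redacted destination address
            verdict = "unparsable"
        results.append((int(frame), src, dst, verdict))
    return results


if __name__ == "__main__":
    for row in audit(CAPTURE, NETNS_IFACES):
        print(*row)
```
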


------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
