
I have a client and server. At Server I have a redirect rule to redirect all incoming flows to port 15006.

Client IP: 10.20.3.53
Server IP: 10.20.3.63

I have the following iptables rules on the server (10.20.3.63):

# iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 581 packets, 34860 bytes)
 pkts bytes target     prot opt in     out     source               destination         
19191 1160K ISTIO_INBOUND  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
# iptables -t nat -nvL ISTIO_INBOUND
Chain ISTIO_INBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
19188 1151K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:15020
   10  9630 ISTIO_IN_REDIRECT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
# iptables -t nat -nvL ISTIO_IN_REDIRECT
Chain ISTIO_IN_REDIRECT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   10  9630 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 15006

So, when I do a curl from the client (10.20.3.53) to the server (10.20.3.63), I am not able to see the redirected flow in the conntrack table. Below is the conntrack table flow:

[NEW] tcp      6 120 SYN_SENT src=10.20.3.53 dst=10.20.3.63 sport=41876 dport=9080 [UNREPLIED] src=10.20.3.63 dst=10.20.3.53 sport=15006 dport=41876
[UPDATE] tcp      6 60 SYN_RECV src=10.20.3.53 dst=10.20.3.63 sport=41876 dport=9080 src=10.20.3.63 dst=10.20.3.53 sport=15006 dport=41876
[UPDATE] tcp      6 86400 ESTABLISHED src=10.20.3.53 dst=10.20.3.63 sport=41876 dport=9080 src=10.20.3.63 dst=10.20.3.53 sport=15006 dport=41876 [ASSURED]
[UPDATE] tcp      6 86400 src=10.20.3.53 dst=10.20.3.63 sport=41876 dport=9080 src=10.20.3.63 dst=10.20.3.53 sport=15006 dport=41876 [ASSURED] mark=61167

I always see the original flow with dport 9080; why can't I see the redirected flow with dport 15006?

Please, can someone help me understand how to get the redirected flow from conntrack.

Invictus
  • Because *this* is the way it displays such flows? Redirection doesn't create new flow, it just does what name suggests, redirects packets. Original packet isn't changed in any way, it is only redirected to a socket other than it was originally destined to. Also notice, although it displays dport=9080 on "originating" packets, on the "expected" side it clearly shows it expects replies from port 15006. What is your problem you're trying to solve? – Nikita Kipriyanov Mar 09 '21 at 20:12
  • I am trying to get the original dst port. I have an iptables rule to send the packet to the NFQ, and in the NFQ code I am querying the conntrack to get the original dst port, but when I query using the redirected flow it says no flows found. – Invictus Mar 10 '21 at 02:28
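As an added illustration (not part of the question or the comments): the conntrack entry above already carries the answer, because the original tuple keeps dport=9080 while the reply tuple carries sport=15006. The constructed Python below parses conntrack event lines in the format shown, adds a made-up non-redirected SSH flow for contrast, and resolves a packet seen after nat PREROUTING (destination already rewritten to 15006) back to its original destination port by matching it against the inverted reply tuple instead of the original one.

```python
import re
from dataclasses import dataclass

# Constructed sample: first line copied from the question's output, second line is
# an invented SSH flow that hit the RETURN rule (no REDIRECT), for contrast.
CONNTRACK_EVENTS = """\
[UPDATE] tcp      6 86400 ESTABLISHED src=10.20.3.53 dst=10.20.3.63 sport=41876 dport=9080 src=10.20.3.63 dst=10.20.3.53 sport=15006 dport=41876 [ASSURED]
[NEW] tcp      6 120 SYN_SENT src=10.20.3.53 dst=10.20.3.63 sport=51000 dport=22 [UNREPLIED] src=10.20.3.63 dst=10.20.3.53 sport=22 dport=51000
"""

# Each conntrack line prints two 4-tuples: the original direction, then the expected reply.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass(frozen=True)
class Flow:
    orig: tuple   # (src, sport, dst, dport) as the first packet arrived, before NAT
    reply: tuple  # (src, sport, dst, dport) of the reply conntrack expects to see


def parse_events(text):
    """Parse conntrack event lines into Flow objects; lines without two tuples are skipped."""
    flows = []
    for line in text.splitlines():
        found = TUPLE_RE.findall(line)
        if len(found) != 2:
            continue
        (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = found
        flows.append(Flow((osrc, int(osp), odst, int(odp)),
                          (rsrc, int(rsp), rdst, int(rdp))))
    return flows


def is_redirected(flow):
    """REDIRECT shows up as a mismatch between original dport and reply sport."""
    return flow.orig[3] != flow.reply[1]


def original_dport(flows, src, sport, dst, dport):
    """Return the pre-NAT destination port for a packet 4-tuple, or None if unknown.

    A packet travelling client->server after REDIRECT has the *reply* tuple
    inverted (dst port 15006), so it must be matched that way; a pre-NAT packet
    still matches the original tuple directly.
    """
    pkt = (src, sport, dst, dport)
    for f in flows:
        rsrc, rsp, rdst, rdp = f.reply
        if pkt == (rdst, rdp, rsrc, rsp) or pkt == f.orig:
            return f.orig[3]
    return None
```

Querying conntrack with the rewritten tuple in the original-direction fields finds nothing for the same reason: that tuple only exists as the inverse of the reply side.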
