
I have two hosts, each with 2 network interfaces:

host1:
eth0:172.16.125.5
eth1:172.165.8.55

host2:
eth0:172.16.125.6
eth1:172.165.8.56

I want to forward all UDP traffic to host1:eth1 port 1234 to host2:eth1 port 1234, i.e.

172.165.8.55:1234 -> 172.165.8.56:1234

After reading related posts here, I enabled ipv4_forwarding and then added the following rules to iptables:

iptables -t nat -A PREROUTING -p udp -d 172.165.8.55 --dport 1234 -j DNAT --to-destination 172.165.8.56:1234
iptables -A FORWARD -p udp -d 172.165.8.56 --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

What I discovered is that only traffic with source IP from the eth1 subnet 172.165.8.x is forwarded. Traffic from anywhere else is not.

So I try the same set of rules to see if I can forward from host1 to host2 using eth0, i.e.

172.16.125.5:1234 -> 172.16.125.6:1234

iptables -t nat -A PREROUTING -p udp -d 172.16.125.5 --dport 1234 -j DNAT --to-destination 172.16.125.6:1234
iptables -A FORWARD -p udp -d 172.16.125.6 --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

On the eth0 interface all traffic from any source IP is forwarded. Why would this not work the same way on eth1?

Here is the route table on host1:

172.16.125.0/24 dev eth0  proto kernel  scope link  src 172.16.125.5
172.165.8.0/24 dev eth1  proto kernel  scope link  src 172.165.8.55
default via 172.16.125.1 dev eth0

I noticed that the default route is configured for eth0. Is this why the forwarding works on eth0 and not eth1?

I also notice that there is no route in between eth0 and eth1. Is that why traffic with source IP outside the eth1 subnet cannot be forwarded on eth1?

ADDITIONAL INFO: So the rule in the PREROUTING chain of the nat table does work but the rule in the FORWARD chain of filter table does not. My host does not know how to route traffic to the new destination 192.20.125.56 when source ip is not in that subnet. How can I change that?

BillA
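To make the routing question concrete, here is an added Python model (not code from the question or the answer) of host1's route table exactly as listed above. It applies the kernel's longest-prefix lookup to the post-DNAT destination and then a strict reverse-path check, i.e. it assumes net.ipv4.conf.eth1.rp_filter=1, which the question does not confirm. Under that assumption it reproduces the observed asymmetry: a packet from outside 172.165.8.0/24 arriving on eth1 is dropped, because the best route back to its source is the default route on eth0, while the same source arriving on eth0 passes. The sample sources 172.165.8.100 and 10.1.2.3 are constructed.

```python
import ipaddress

# host1's route table as printed in the question: (prefix, outgoing device, gateway or None)
ROUTES = [
    ("172.16.125.0/24", "eth0", None),
    ("172.165.8.0/24", "eth1", None),
    ("0.0.0.0/0", "eth0", "172.16.125.1"),   # default route exists on eth0 only
]


def lookup(table, addr):
    """Longest-prefix match over the route table; returns (network, dev, via) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, dev, via in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return best


def forward_decision(table, src, iif, dnat_dst, rp_filter_strict=True):
    """Decide what host1 does with a packet that arrived on `iif` from `src` and was
    rewritten to `dnat_dst` in nat/PREROUTING.  Returns (verdict, reason).

    rp_filter_strict=True models net.ipv4.conf.<iif>.rp_filter=1 (an assumption, not
    something the question states): the packet is only accepted for forwarding if the
    best route back to its source leaves through the interface it arrived on.
    """
    fwd = lookup(table, dnat_dst)
    if fwd is None:
        return ("DROP", f"no route to {dnat_dst}")
    if rp_filter_strict:
        rev = lookup(table, src)
        rev_dev = rev[1] if rev else None
        if rev_dev != iif:
            return ("DROP", f"rp_filter: reverse path to {src} is via {rev_dev}, "
                            f"but the packet arrived on {iif}")
    gw = f" via {fwd[2]}" if fwd[2] else ""
    return ("FORWARD", f"out {fwd[1]}{gw}")


# Constructed sample packets: (source, ingress interface, post-DNAT destination)
SAMPLES = [
    ("172.165.8.100", "eth1", "172.165.8.56"),  # on-subnet source arriving on eth1
    ("10.1.2.3",      "eth1", "172.165.8.56"),  # off-subnet source arriving on eth1
    ("10.1.2.3",      "eth0", "172.16.125.6"),  # off-subnet source arriving on eth0
]

if __name__ == "__main__":
    for src, iif, dst in SAMPLES:
        verdict, reason = forward_decision(ROUTES, src, iif, dst)
        print(f"{src:>14} in {iif} -> {dst}: {verdict} ({reason})")
```

To check whether this is really what is happening, read `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.eth1.rp_filter` on host1, and ask the kernel the same question the model asks with `ip route get 172.165.8.56 from 10.1.2.3 iif eth1` (substitute a real off-subnet source): when the reverse path is rejected the command fails instead of printing a route. Setting `net.ipv4.conf.all.log_martians=1` makes such drops visible in the kernel log, which is the gap neither a nat/PREROUTING nor a filter/FORWARD `-j LOG` rule can show. Note also that DNAT rewrites only the destination, so host2 will answer the original source directly and needs its own route back to it; the question does not show host2's route table.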

1 Answer


Use iptables -j LOG and tcpdump to debug what the issue is.

-j LOG can be used in the NAT and filter tables.

You can also use ip route get X.X.X.X to see where a packet would go according to your routing table.

  • I am already using tcpdump and -j LOG to troubleshoot. The tcpdump output shows whether the forwarding is working or not, as I can see the packets entering and leaving each host. That's how I discovered that only traffic with source IP from the subnet 172.165.8.x is forwarded for eth1 while all traffic is forwarded for eth0. -j LOG basically shows the same thing (that the rule in the FORWARD chain only works for traffic from the subnet 172.165.8.x for eth1). Neither one gives any clue as to why. – BillA Mar 15 '21 at 13:09
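The comment above describes exactly the pattern that -j LOG output can be made to expose: flows that appear in the nat/PREROUTING log but never in the filter/FORWARD log. The following Python script is an added example, not part of the answer or the question. It parses kernel log lines in the layout iptables -j LOG emits, correlates them by flow across the DNAT rewrite, and reports which flows stalled between the two chains and whether their source lies in the ingress interface's own subnet. The log lines are constructed, and they assume two hypothetical LOG rules with `--log-prefix "NAT-PRE: "` (in nat/PREROUTING, before the DNAT rule) and `--log-prefix "FWD: "` (in FORWARD, before the ACCEPT rule).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not from the original page) in the layout the kernel
# uses for iptables -j LOG.  NAT-PRE lines carry the pre-DNAT destination, FWD lines the
# rewritten one, so a flow must be matched on source address/port and destination port.
SAMPLE_LOG = """\
Mar 15 13:00:01 host1 kernel: NAT-PRE: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.165.8.100 DST=172.165.8.55 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=40000 DPT=1234 LEN=40
Mar 15 13:00:01 host1 kernel: FWD: IN=eth1 OUT=eth1 SRC=172.165.8.100 DST=172.165.8.56 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=40000 DPT=1234 LEN=40
Mar 15 13:00:02 host1 kernel: NAT-PRE: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.2.3 DST=172.165.8.55 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=2 DF PROTO=UDP SPT=40001 DPT=1234 LEN=40
Mar 15 13:00:03 host1 kernel: NAT-PRE: IN=eth0 OUT= MAC=00:11:22:33:44:66:66:77:88:99:aa:cc:08:00 SRC=10.1.2.4 DST=172.16.125.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=3 DF PROTO=UDP SPT=40002 DPT=1234 LEN=40
Mar 15 13:00:03 host1 kernel: FWD: IN=eth0 OUT=eth0 SRC=10.1.2.4 DST=172.16.125.6 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=3 DF PROTO=UDP SPT=40002 DPT=1234 LEN=40
"""

# Interface subnets taken from host1's route table in the question.
IFACE_SUBNETS = {
    "eth0": ipaddress.ip_network("172.16.125.0/24"),
    "eth1": ipaddress.ip_network("172.165.8.0/24"),
}

PREFIX_RE = re.compile(r"kernel: (\S+): ")        # the --log-prefix text, colon stripped
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")        # KEY=value tokens; bare flags like DF are skipped


def parse_log_line(line):
    """Return (log_prefix, {field: value}) for a -j LOG line, or None if it is not one.
    Duplicate keys (LEN appears for both IP and UDP) keep the last value."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    return m.group(1), dict(FIELD_RE.findall(line[m.end():]))


def flow_key(fields):
    """Identify a flow independently of DNAT: source address and port plus destination port."""
    return (fields["SRC"], fields["SPT"], fields["DPT"])


def missing_forward(log_text, pre_prefix="NAT-PRE", fwd_prefix="FWD"):
    """Flows logged in nat/PREROUTING that never showed up in filter/FORWARD.
    Returns a sorted list of (source_address, ingress_interface)."""
    stages = defaultdict(set)
    ingress = {}
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, fields = parsed
        key = flow_key(fields)
        stages[key].add(prefix)
        ingress.setdefault(key, fields.get("IN", ""))
    return sorted({(key[0], ingress[key]) for key, seen in stages.items()
                   if pre_prefix in seen and fwd_prefix not in seen})


def classify(stalled):
    """Tag each stalled flow with whether its source is inside the ingress interface's subnet."""
    report = []
    for src, iif in stalled:
        net = IFACE_SUBNETS.get(iif)
        on_subnet = net is not None and ipaddress.ip_address(src) in net
        report.append((src, iif, on_subnet))
    return report


if __name__ == "__main__":
    for src, iif, on_subnet in classify(missing_forward(SAMPLE_LOG)):
        where = "inside" if on_subnet else "outside"
        print(f"{src} arrived on {iif} ({where} its subnet): logged in PREROUTING, never in FORWARD")
```

Two things to keep in mind when reading real output this way. The nat table is consulted only for the first packet of each conntrack flow, so a LOG rule there fires once per flow while a FORWARD LOG rule fires for every packet; correlating on the flow key rather than counting lines handles that. And a flow that is logged in PREROUTING but never in FORWARD was lost in the routing decision between the two chains, a step no iptables LOG rule observes; that is where `ip route get <dst> from <src> iif eth1`, as the answer suggests, or `net.ipv4.conf.all.log_martians=1` fills the gap.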