
I have a server in an internal network and I want to access it from the external network.

The network is like this:
Server A (132.196.28.229) is in the external network.
Server B (10.35.202.24) can access both networks.
Server C (192.168.10.99) is in the internal network.

So I configured iptables on Server B to forward all traffic from Server A to Server C:

iptables -t nat -A PREROUTING -d 10.35.202.24 -j DNAT --to-destination 192.168.10.99

Then I tested it with ping and it works. With tcpdump on Server B, you can see the ping from Server A, and the target is 10.35.202.24:

15:34:36.366034 IP 132.196.28.229 > 10.35.202.24: ICMP echo request, id 24510, seq 1, length 64
15:34:37.366321 IP 132.196.28.229 > 10.35.202.24: ICMP echo request, id 24510, seq 2, length 64
15:34:38.374983 IP 132.196.28.229 > 10.35.202.24: ICMP echo request, id 24510, seq 3, length 64
15:34:39.374849 IP 132.196.28.229 > 10.35.202.24: ICMP echo request, id 24510, seq 4, length

And tcpdump on Server C; now the target address is changed to 192.168.10.99:

15:34:35.741802 IP 132.196.28.229 > 192.168.10.99: ICMP echo request, id 24510, seq 1, length 64
15:34:36.742018 IP 132.196.28.229 > 192.168.10.99: ICMP echo request, id 24510, seq 2, length 64
15:34:37.750633 IP 132.196.28.229 > 192.168.10.99: ICMP echo request, id 24510, seq 3, length 64
15:34:38.750499 IP 132.196.28.229 > 192.168.10.99: ICMP echo request, id 24510, seq 4, length 64

But the same forwarding does not work for SCTP messages. Here is the INIT message I triggered from Server A:

15:39:18.787145 IP 132.196.28.229.32763 > 10.35.202.24.36412: sctp (1) [INIT] [init tag: 495530240] [rwnd: 62464] [OS: 64] [MIS: 64] [init TSN: 322647100] 
15:39:18.787189 IP 10.35.202.24 > 132.196.28.229: ICMP 10.35.202.24 protocol 132 unreachable, length 76
15:39:21.786640 IP 132.196.28.229.32763 > 10.35.202.24.36412: sctp (1) [INIT] [init tag: 495530240] [rwnd: 62464] [OS: 64] [MIS: 64] [init TSN: 322647100] 
15:39:21.786687 IP 10.35.202.24 > 132.196.28.229: ICMP 10.35.202.24 protocol 132 unreachable, length 76

And I can't capture anything on Server C for SCTP. It looks like the NAT for SCTP does not work, and since Server B doesn't have any SCTP service running, Server B replies with unreachable.

I have tested SSH as well; the forwarding works well. So it looks like it only does not work for SCTP!!??

Any suggestion why this happens? Is there any special configuration for SCTP I missed?

mingdao

2 Answers

I guess you have already installed SCTP; if so, you are probably missing the nf_conntrack_proto_sctp module. This module is required for iptables to work with SCTP. Try this:

# modprobe nf_conntrack_proto_sctp
vicentfg
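Putting the question's DNAT rule and the answer's module check together, here is an added example script (not from the question, the answers, or any project) that builds a complete SCTP forwarding rule set for Server B and tests whether the kernel can actually track SCTP before anything is applied. It uses the addresses and port 36412 from the captures above; the interface name, the function names and the --apply flag are assumptions. Compared with the question's rule it is deliberately narrower: it matches only SCTP to the one port instead of DNATing every protocol and port that reaches 10.35.202.24, and it adds explicit FORWARD rules so the forwarding path is visible and auditable.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the iptables rules that
# forward SCTP port 36412 arriving at Server B to Server C, and check that
# SCTP connection tracking is available. Addresses/port are from the
# question; EXTERNAL_IF and the function names are assumptions.

EXTERNAL_IF="eth0"          # assumed: Server B's interface facing Server A
B_ADDR="10.35.202.24"        # Server B, the NAT box
C_ADDR="192.168.10.99"       # Server C, the internal SCTP server
SCTP_PORT="36412"            # port seen in the question's INIT capture

# Emit the rule set one command per line without executing anything, so it
# can be reviewed (or diffed against the running config) before use.
sctp_dnat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $EXTERNAL_IF -p sctp -d $B_ADDR --dport $SCTP_PORT -j DNAT --to-destination $C_ADDR
iptables -A FORWARD -p sctp -d $C_ADDR --dport $SCTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p sctp -s $C_ADDR --sport $SCTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Return 0 when the kernel can track SCTP: either the separate module is
# loaded (older kernels) or the tracker is compiled into nf_conntrack
# (CONFIG_NF_CT_PROTO_SCTP=y on newer kernels, where modprobe of
# nf_conntrack_proto_sctp reports no such module).
sctp_conntrack_available() {
    if [ -d /sys/module/nf_conntrack_proto_sctp ]; then
        return 0
    fi
    if grep -qs '^CONFIG_NF_CT_PROTO_SCTP=y' "/boot/config-$(uname -r)"; then
        return 0
    fi
    return 1
}

# Try to load the module, then re-check; prints a diagnosis for the
# "protocol 132 unreachable" symptom from the question.
ensure_sctp_conntrack() {
    modprobe nf_conntrack_proto_sctp 2>/dev/null || true
    if sctp_conntrack_available; then
        echo "SCTP conntrack available"
        return 0
    fi
    echo "SCTP conntrack missing: DNAT will not rewrite SCTP, Server B answers ICMP protocol unreachable" >&2
    return 1
}

# Only apply when explicitly asked and running as root; default is dry run.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    ensure_sctp_conntrack || exit 1
    sctp_dnat_rules | sh -e
else
    sctp_dnat_rules
fi
```

Run it without arguments on Server B to print the rules for review, and with --apply as root to load the tracker and install them. Note that no SNAT is added: the capture on Server C shows the original source 132.196.28.229 after DNAT, so Server C must already route replies back through Server B, as it evidently does for ping and SSH; the conntrack entry then reverses the DNAT on the return path.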

You can check by allowing the SCTP port. Here the first messages, INIT and INIT-ACK, might work. Please note that the other node sends its IP in the SCTP INIT-ACK payload. Please check more:

https://www.cspsprotocol.com/sctp-protocol-basic-and-advance-sctp-concepts/

Ramesh