Thursday, December 10, 2020

How to stop Implicit Source Port Mapping in iptables?

I've got an embedded Linux device that needs to forward some broadcast packets to another embedded device that is part of the assembly, connected with a dedicated ethernet interface. Only the Linux device is exposed to the network, but I need to receive broadcast packets on the sub-device.

To achieve this I receive the packets on a raw socket, and resend them on the dedicated interface to the other device, spoofing the source and destination address. This works fine, but when the device wants to reply (on a specific port) it comes through the firewall configured with iptables, goes through the forward chain and gets masqueraded as expected, but the source port gets changed to 1024, which looks like implicit source port mapping to me.

The issue is I can't find any other process communicating on that port that would make this occur (checked with netstat).

I've attached a conntrack log for the message passing below.

    [NEW] udp 17 30 src=10.1.1.45 dst=10.1.1.83 sport=51702 dport=44818 [UNREPLIED] src=10.1.1.83 dst=10.1.1.45 sport=44818 dport=51702
    [NEW] udp 17 30 src=10.0.0.1 dst=10.1.1.45 sport=44818 dport=51702 [UNREPLIED] src=10.1.1.45 dst=10.1.1.83 sport=51702 dport=1024

Does anybody have any ideas on what might be causing this behavior or how to get around it?

A few things I have tried:

  • Pared down to a basic fw config
  • Checked whether any ports are open with netstat (netstat -tuln)
  • conntrack -E
  • Tried different socket configurations in the forwarding script
  • Changed MASQUERADE to SNAT (iptables -A POSTROUTING -t nat -o $ifc -j SNAT --to-source x.x.x.x)
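An added worked example, not part of the original post: a script that parses the two conntrack events above and, for the masqueraded reply flow, checks whether the reply tuple NAT would naturally have used (source address rewritten, ports kept) is already tracked. Conntrack requires every tuple to be unique, so a hit on that check is the condition under which the NAT engine allocates a different source port; the masquerade address 10.1.1.83 is read from the log rather than assumed.

```python
import re

# The two conntrack events from the post, used here as constructed sample input.
# Assumed: `conntrack -E` prints the original tuple followed by the reply tuple.
CONNTRACK_LOG = """\
[NEW] udp 17 30 src=10.1.1.45 dst=10.1.1.83 sport=51702 dport=44818 [UNREPLIED] src=10.1.1.83 dst=10.1.1.45 sport=44818 dport=51702
[NEW] udp 17 30 src=10.0.0.1 dst=10.1.1.45 sport=44818 dport=51702 [UNREPLIED] src=10.1.1.45 dst=10.1.1.83 sport=51702 dport=1024
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_event(line):
    """Return (original, reply) tuples of (src, dst, sport, dport) from one event line."""
    found = TUPLE_RE.findall(line)
    if len(found) != 2:
        raise ValueError("expected an original and a reply tuple: " + line)
    return tuple((s, d, int(sp), int(dp)) for s, d, sp, dp in found)


def natural_snat_reply(orig, reply):
    """Reply tuple SNAT would produce if it rewrote only the source address.

    The masqueraded address is taken from the observed reply's destination;
    the ports are mirrored from the original direction unchanged."""
    return (orig[1], reply[1], orig[3], orig[2])


def find_port_remaps(log):
    """Flag SNATed flows whose reply port differs from the original source port
    and report whether the un-remapped reply tuple was already being tracked."""
    events = [parse_event(l) for l in log.splitlines() if l.strip()]
    tracked = {t for pair in events for t in pair}  # every tuple, both directions
    remaps = []
    for orig, reply in events:
        if reply[1] == orig[0]:
            continue  # replies go straight back to the original source: no SNAT
        wanted = natural_snat_reply(orig, reply)
        if reply[3] != orig[2]:
            remaps.append({
                "flow": orig,
                "original_sport": orig[2],
                "mapped_sport": reply[3],
                "collides_with_tracked_tuple": wanted in tracked,
            })
    return remaps


if __name__ == "__main__":
    for remap in find_port_remaps(CONNTRACK_LOG):
        print(remap)
```

For the log above the script reports the 10.0.0.1:44818 flow remapped to source port 1024, with its natural reply tuple colliding with the first entry's original tuple.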

