OT: Operation not permitted with UDP port SNAT

To: Debian Users <debian-user@lists.debian.org>
Subject: OT: Operation not permitted with UDP port SNAT
From: Nelson Castillo <nelsoneci@gmail.com>
Date: Wed, 28 Oct 2009 11:32:52 -0500
Message-id: <[🔎] 2accc2ff0910280932u429821fbgbd8e8fb21d9915db@mail.gmail.com>

Hello.

I have an issue with udp SNAT. If I try to change the source port of
all UDP packets that go to a given port I get the "sendto: Operation
not permitted" message.

For the tests I used the "talker.c" program.
http://beej.us/guide/bgnet/output/html/multipage/clientserver.html#datagram

Thus if I do:

iptables -F -t nat ; iptables -t nat -A POSTROUTING --protocol udp
--dport 6060 -j SNAT --to-source 192.168.1.107:10000

Then I can send one message only.

$ ./a.out 192.168.1.1 hola
talker: sent 4 bytes to 192.168.1.1
And if I try to send more messages I get the error message.
$ ./a.out 192.168.1.1 hola
talker: sendto: Operation not permitted

If I use a port range I get a predictable issue that (i guess) has to
do with something I don't know about IP/UDP or DNAT. I searched the
web but I didn't manage to find an answer.

#SNAT to a set of 11 ports
# I can only send 11 packets.
iptables -F -t nat ; iptables -t nat -A POSTROUTING --protocol udp
--dport 6060 -j SNAT --to-source 192.168.1.107:10000-10010

$ ./a.out 192.168.1.1 hola
talker: sent 4 bytes to 192.168.1.1
(works 11 times)
$ ./a.out 192.168.1.1 hola
talker: sendto: Operation not permitted

This is what I get in tcpdump for the former test:

00:13:09.921129 IP 192.168.1.107.10003 > 192.168.1.1.6060: UDP, length 4
00:13:10.281108 IP 192.168.1.107.10004 > 192.168.1.1.6060: UDP, length 4
00:13:10.577223 IP 192.168.1.107.10005 > 192.168.1.1.6060: UDP, length 4
00:13:10.856942 IP 192.168.1.107.10006 > 192.168.1.1.6060: UDP, length 4
00:13:11.145302 IP 192.168.1.107.10007 > 192.168.1.1.6060: UDP, length 4
00:13:11.473134 IP 192.168.1.107.10008 > 192.168.1.1.6060: UDP, length 4
00:13:11.809213 IP 192.168.1.107.10009 > 192.168.1.1.6060: UDP, length 4
00:13:12.097163 IP 192.168.1.107.10010 > 192.168.1.1.6060: UDP, length 4
00:13:12.409165 IP 192.168.1.107.10000 > 192.168.1.1.6060: UDP, length 4
00:13:12.705333 IP 192.168.1.107.10001 > 192.168.1.1.6060: UDP, length 4
00:13:13.065146 IP 192.168.1.107.10002 > 192.168.1.1.6060: UDP, length 4

What I am missing?

For this test I used Debian Lenny with Linux 2.6.26-2-amd64 kernel.
These are the relevant modules:

iptable_filter          7424  1
xt_tcpudp               7680  1
iptable_nat             9872  1
nf_nat                 23192  1 iptable_nat
nf_conntrack_ipv4      19352  3 iptable_nat,nf_nat
nf_conntrack           71440  3 iptable_nat,nf_nat,nf_conntrack_ipv4
ip_tables              21520  2 iptable_filter,iptable_nat
x_tables               25224  3 xt_tcpudp,iptable_nat,ip_tables

Cheers,
Nelson.-

PS: I need to to this because I have to interact with a device and the
device makers asked all the UDP messages to go to the same port. I
know it can be solved if I "connect" the socket in userspace and I
send and receive packets on the same port but I cannot change the
actual program that is generating the packets.

Reply to:

Prev by Date: Re: using lame
Next by Date: Re: Single server image distributed clusters still available
Previous by thread: Thoughts about /etc/X11/Xsession and .xsession-errors
Next by thread: Skip file content checking in rsync
Index(es):
- Date
- Thread