OT: Operation not permitted with UDP port SNAT
Hello.
I have an issue with UDP SNAT. If I try to change the source port of
all UDP packets that go to a given port I get the "sendto: Operation
not permitted" message.
For the tests I used the "talker.c" program.
http://beej.us/guide/bgnet/output/html/multipage/clientserver.html#datagram
Thus if I do:
iptables -F -t nat ; iptables -t nat -A POSTROUTING --protocol udp
--dport 6060 -j SNAT --to-source 192.168.1.107:10000
Then I can send one message only.
$ ./a.out 192.168.1.1 hola
talker: sent 4 bytes to 192.168.1.1
And if I try to send more messages I get the error message.
$ ./a.out 192.168.1.1 hola
talker: sendto: Operation not permitted
If I use a port range I get a predictable issue that (I guess) has to
do with something I don't know about IP/UDP or DNAT. I searched the
web but I didn't manage to find an answer.
#SNAT to a set of 11 ports
# I can only send 11 packets.
iptables -F -t nat ; iptables -t nat -A POSTROUTING --protocol udp
--dport 6060 -j SNAT --to-source 192.168.1.107:10000-10010
$ ./a.out 192.168.1.1 hola
talker: sent 4 bytes to 192.168.1.1
(works 11 times)
$ ./a.out 192.168.1.1 hola
talker: sendto: Operation not permitted
This is what I get in tcpdump for the former test:
00:13:09.921129 IP 192.168.1.107.10003 > 192.168.1.1.6060: UDP, length 4
00:13:10.281108 IP 192.168.1.107.10004 > 192.168.1.1.6060: UDP, length 4
00:13:10.577223 IP 192.168.1.107.10005 > 192.168.1.1.6060: UDP, length 4
00:13:10.856942 IP 192.168.1.107.10006 > 192.168.1.1.6060: UDP, length 4
00:13:11.145302 IP 192.168.1.107.10007 > 192.168.1.1.6060: UDP, length 4
00:13:11.473134 IP 192.168.1.107.10008 > 192.168.1.1.6060: UDP, length 4
00:13:11.809213 IP 192.168.1.107.10009 > 192.168.1.1.6060: UDP, length 4
00:13:12.097163 IP 192.168.1.107.10010 > 192.168.1.1.6060: UDP, length 4
00:13:12.409165 IP 192.168.1.107.10000 > 192.168.1.1.6060: UDP, length 4
00:13:12.705333 IP 192.168.1.107.10001 > 192.168.1.1.6060: UDP, length 4
00:13:13.065146 IP 192.168.1.107.10002 > 192.168.1.1.6060: UDP, length 4
What am I missing?
For this test I used Debian Lenny with Linux 2.6.26-2-amd64 kernel.
These are the relevant modules:
iptable_filter 7424 1
xt_tcpudp 7680 1
iptable_nat 9872 1
nf_nat 23192 1 iptable_nat
nf_conntrack_ipv4 19352 3 iptable_nat,nf_nat
nf_conntrack 71440 3 iptable_nat,nf_nat,nf_conntrack_ipv4
ip_tables 21520 2 iptable_filter,iptable_nat
x_tables 25224 3 xt_tcpudp,iptable_nat,ip_tables
Cheers,
Nelson.-
PS: I need to do this because I have to interact with a device and the
device makers asked that all the UDP messages go to the same port. I
know it can be solved if I "connect" the socket in userspace and
send and receive packets on the same port, but I cannot change the
actual program that is generating the packets.
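Editor's note, added to the post and not part of Nelson's message or of any kernel code. The pattern reported above (exactly one datagram per port in the --to-source range, then EPERM until a while later) is what netfilter's NAT produces when a new UDP flow has to be given a mapped tuple that no existing conntrack entry already uses. talker.c opens a fresh, unbound socket on every run, so every run is a new flow with a new ephemeral source port; with a single --to-source port there is only one candidate (192.168.1.107:10000 -> 192.168.1.1:6060), it is taken by the first flow's entry, so NAT setup for the second flow fails, the packet is dropped in the local-output path, and sendto() reports "Operation not permitted". An 11-port range gives 11 candidates, hence 11 datagrams. The model below reproduces that logic. It assumes the default nf_conntrack_udp_timeout of 30 seconds for unreplied entries, uses made-up ephemeral source ports starting at 40000, and always searches the range from its first port (the real kernel hands ports out in a different order, as the capture starting at 10003 shows, but the outcome is the same). It also shows the case in the PS: a sender that keeps one source port stays inside one conntrack entry and reuses its mapping indefinitely.

```python
"""Model of how netfilter NAT allocates a mapped tuple for a new UDP flow.

Added example; not code from the original post or from the kernel.
Simplifications: one SNAT rule, UDP only, no reply traffic, fixed
30 s unreplied timeout (the nf_conntrack_udp_timeout default).
"""
from dataclasses import dataclass, field
import errno

UDP_UNREPLIED_TIMEOUT = 30.0  # seconds; assumed default nf_conntrack_udp_timeout
EPERM = errno.EPERM           # what sendto() reports when the NAT hook drops the packet


@dataclass(frozen=True)
class Tuple:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class SnatRule:
    dport: int    # --dport match
    to_ip: str    # --to-source address
    port_lo: int  # first port of the --to-source range
    port_hi: int  # last port (inclusive); equal to port_lo for a single port


@dataclass
class Conntrack:
    rule: SnatRule
    # original tuple -> (mapped tuple, expiry time)
    entries: dict = field(default_factory=dict)

    def _expire(self, now):
        for orig in [o for o, (_, exp) in self.entries.items() if exp <= now]:
            del self.entries[orig]

    def _mapped_in_use(self, cand):
        return any(mapped == cand for mapped, _ in self.entries.values())

    def send(self, orig, now):
        """Return the tuple the datagram leaves with, or raise OSError(EPERM).

        A packet belonging to an existing entry reuses that entry's mapping.
        A new flow needs a mapped tuple no other entry already uses; if every
        port in the range is taken, NAT setup fails and the packet is dropped.
        """
        self._expire(now)
        if orig in self.entries:
            mapped, _ = self.entries[orig]
            self.entries[orig] = (mapped, now + UDP_UNREPLIED_TIMEOUT)
            return mapped
        if orig.dport != self.rule.dport:
            return orig  # rule does not match; packet leaves un-NATed
        for port in range(self.rule.port_lo, self.rule.port_hi + 1):
            cand = Tuple(self.rule.to_ip, port, orig.dst, orig.dport)
            if not self._mapped_in_use(cand):
                self.entries[orig] = (cand, now + UDP_UNREPLIED_TIMEOUT)
                return cand
        raise OSError(EPERM, "Operation not permitted")


def run_new_socket_each_time(rule, count, interval=0.3):
    """Emulate the post's test: a fresh socket (new ephemeral port) per datagram.

    Returns (datagrams that left the host, errno of the first failure or None).
    """
    ct = Conntrack(rule)
    sent = 0
    for i in range(count):
        orig = Tuple("192.168.1.107", 40000 + i, "192.168.1.1", 6060)  # constructed
        try:
            ct.send(orig, now=i * interval)
        except OSError as e:
            return sent, e.errno
        sent += 1
    return sent, None


def run_same_source_port(rule, count, interval=0.3):
    """Emulate a sender that keeps one bound socket: one flow, one entry.

    Returns the set of mapped source ports seen on the wire.
    """
    ct = Conntrack(rule)
    orig = Tuple("192.168.1.107", 40000, "192.168.1.1", 6060)  # constructed
    return {ct.send(orig, now=i * interval).sport for i in range(count)}


def run_after_timeout(rule):
    """Show that the single port frees up once the first entry expires.

    Returns (second flow accepted?, mapped port of a third flow sent after 30 s).
    """
    ct = Conntrack(rule)
    ct.send(Tuple("192.168.1.107", 40000, "192.168.1.1", 6060), now=0.0)
    try:
        ct.send(Tuple("192.168.1.107", 40001, "192.168.1.1", 6060), now=1.0)
        second_ok = True
    except OSError:
        second_ok = False
    third = ct.send(Tuple("192.168.1.107", 40002, "192.168.1.1", 6060),
                    now=UDP_UNREPLIED_TIMEOUT + 1.0)
    return second_ok, third.sport


if __name__ == "__main__":
    single = SnatRule(6060, "192.168.1.107", 10000, 10000)
    eleven = SnatRule(6060, "192.168.1.107", 10000, 10010)
    print(run_new_socket_each_time(single, 3))   # one datagram, then EPERM
    print(run_new_socket_each_time(eleven, 12))  # eleven datagrams, then EPERM
    print(run_same_source_port(single, 20))      # {10000}: one flow, reused mapping
    print(run_after_timeout(single))             # (False, 10000)
```

The two things the model makes visible are the ones worth checking on a real box before changing rules: `conntrack -L -p udp` (or /proc/net/nf_conntrack on this kernel) should show one entry per talker run, each holding one port of the range, and the single-port rule starts working again once those entries age out.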