iptables - DNAT, REDIRECT, and RAWDNAT not working on openSUSE 11.4

I am having problems getting iptables with DNAT working. I have searched the forum and found others having the same problem with no answer. Everything I have found says that what I am doing is correct. REDIRECT and DNAT both show packets going through the chain, but the packets are not being changed. I want to get DNAT or RAWDNAT working; I only used REDIRECT to see if I could get anything changed. Has anybody been able to get DNAT or RAWDNAT working? If so, please let me know what you did.

REDIRECT


iptables -t nat -A PREROUTING -i eth0 -d 192.168.0.255 -p udp --dport 9890 -j REDIRECT --to-port 9098

iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8  2816 REDIRECT   udp  --  eth0   any     anywhere             Broadcast.Gig.CTL   udp dpt:9890 redir ports 9098

tcpdump -n -p -i any port 9890
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
14:42:42.623534 IP 192.168.0.198.50988 > 192.168.0.255.9890: UDP, length 324
14:42:45.130341 IP 192.168.0.198.60625 > 192.168.0.255.9890: UDP, length 324

DNAT


iptables -t nat -A PREROUTING -i eth0 -d 192.168.0.255 -p udp --dport 9890 -j DNAT --to 127.0.0.1:9890

iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 271 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    7  2464 DNAT       udp  --  eth0   any     anywhere             Broadcast.Gig.CTL   udp dpt:9890 to:127.0.0.1:9890

tcpdump -n -p -i any port 9890
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
14:45:30.587383 IP 192.168.0.198.56084 > 192.168.0.255.9890: UDP, length 324
14:45:33.094140 IP 192.168.0.198.57197 > 192.168.0.255.9890: UDP, length 324

Also tried --to-destination and adding :9890.

RAWDNAT


iptables -t raw -A PREROUTING -i eth0 -d 192.168.0.255 -p udp --dport 9890 -j RAWDNAT --to-destination 127.0.0.1
iptables: No chain/target/match by that name.

RAWDNAT is part of xtables, which is installed. I did get TEE working, so iptables can get targets from xtables.

Thank you.

Dave W

I am fishing in muddy waters. Perhaps you need to activate -m conntrack

And, according to the man page (line 1782), DNAT goes with --to-destination

confirmed.

Reference of Link: iptables FTP port forwarding

Thank you both for responding to my post. I have already tried --to-destination as you can see from my first post. I also tried adding the port number.

Also tried --to-destination and adding :9890.


iptables -t nat -A PREROUTING -i eth0 -d 192.168.0.255 -p udp --dport 8888 -j DNAT --to-destination 127.0.0.1
Beast:~ # iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   704 DNAT       udp  --  eth0   any     anywhere             Broadcast.Gig.CTL   udp dpt:ddi-udp-1 to:127.0.0.1 

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

tcpdump -n -p -i any port 8888
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
07:00:13.423686 IP 192.168.0.198.51745 > 192.168.0.255.8888: UDP, length 324
07:00:15.930347 IP 192.168.0.198.55874 > 192.168.0.255.8888: UDP, length 324
07:00:18.437101 IP 192.168.0.198.41420 > 192.168.0.255.8888: UDP, length 324

As you can see, it still does not work. All the man pages and examples on Google I have read say that this should work.

Dave W
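Both of Dave's posts use the same evidence, a rising rule counter next to a capture that still shows the original destination, and the script below (an added example, not from the thread) cross-checks the two so the "never matched" and "matched but nothing observed" cases are told apart; the listing and capture text are constructed from the figures quoted above. It assumes `iptables -L -v -x -t nat` style counters (no K/M suffixes) and `tcpdump -n` line format.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check an `iptables -L -v -t nat` listing
# against a `tcpdump -n` capture to separate "rule never matched" from "rule matched
# but no translation observed". Sample text is constructed from the thread's output.

IPT_LISTING='Chain PREROUTING (policy ACCEPT 1 packets, 271 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7  2464 DNAT       udp  --  eth0   any     anywhere             Broadcast.Gig.CTL   udp dpt:9890 to:127.0.0.1:9890'

CAPTURE='14:45:30.587383 IP 192.168.0.198.56084 > 192.168.0.255.9890: UDP, length 324
14:45:33.094140 IP 192.168.0.198.57197 > 192.168.0.255.9890: UDP, length 324'

# Packet counter of the first DNAT/REDIRECT rule whose match text contains "dpt:<port>".
# $1 = listing (run iptables with -x so counters are exact numbers, no K/M suffix),
# $2 = port as iptables prints it (a number, or a service name such as ddi-udp-1).
nat_rule_pkts() {
    printf '%s\n' "$1" | awk -v port="$2" '
        ($3 == "DNAT" || $3 == "REDIRECT") && index($0, "dpt:" port) { print $1; exit }'
}

# Captured packets still addressed to the pre-NAT destination. $1 = capture, $2 = IP, $3 = port.
untranslated_pkts() {
    printf '%s\n' "$1" | awk -v dst="$2.$3:" '$5 == dst { n++ } END { print n + 0 }'
}

# Verdict: 0 = translation observed, 1 = rule never matched,
# 2 = rule matched but every captured packet still carries the original destination.
diagnose() {
    matched=$(nat_rule_pkts "$1" "$4")
    stale=$(untranslated_pkts "$2" "$3" "$4")
    total=$(printf '%s\n' "$2" | grep -c .)
    if [ "${matched:-0}" -eq 0 ]; then
        echo "rule never matched: compare -i/-d/-p/--dport with the captured packets"
        return 1
    elif [ "$total" -gt 0 ] && [ "$stale" -eq "$total" ]; then
        echo "rule matched $matched packets, yet $stale/$total captured packets are untranslated"
        echo "note: packet capture on the ingress interface happens before the PREROUTING hooks,"
        echo "so it cannot show DNAT/REDIRECT; confirm with 'conntrack -L' or a LOG rule in the"
        echo "filter table (INPUT/FORWARD), which runs after the nat table has rewritten the packet"
        return 2
    fi
    echo "translation observed ($((total - stale))/$total captured packets rewritten)"
    return 0
}

diagnose "$IPT_LISTING" "$CAPTURE" 192.168.0.255 9890
```

Run against the thread's own numbers it reports the second verdict, which is the point: a capture taken on eth0 is not evidence that DNAT failed, only that the rule matched.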