
I configured DNAT in the iptables OUTPUT chain with the following command.

iptables -t nat -A OUTPUT -p tcp --dport 5000 -j DNAT --to 10.100.1.10:2048

When I connect to 10.100.20.4:5000 from the client 10.100.30.5, the traffic is successfully forwarded to 10.100.1.10:2048.

And the client address I see for the connection on the server 10.100.1.10 is 10.100.30.5:27929.

Now I want to get the DNAT record for 10.100.30.5:27929 on the client with the conntrack command. The command is

# conntrack -L -s 10.100.30.5 -r 10.100.1.10 -u ASSURED
tcp      6 431995 ESTABLISHED src=10.100.30.5 dst=10.100.20.4 sport=27929 dport=5000 src=10.100.1.10 dst=10.100.30.5 sport=2048 dport=27929 [ASSURED] mark=0 secmark=0 use=2
tcp      6 431987 ESTABLISHED src=10.100.30.5 dst=10.100.20.5 sport=59717 dport=5000 src=10.100.1.10 dst=10.100.30.5 sport=2048 dport=27929 [ASSURED] mark=0 secmark=0 use=2

There are two records here that use port 27929 in the reply tuple, but I want to get only one record.

What should I do to avoid the port duplication?

HK S
  • The listing has two different connections: From `10.100.30.5` to `10.100.20.4:5000` and from `10.100.30.5` to `10.100.20.5:5000`. This means that something has created these two connections. Does the system have both `.4` and `.5` IP addresses? – Tero Kilkanen Aug 12 '22 at 20:54
  • Yes, both machines 10.100.20.4 and 10.100.20.5 are listening on port 5000. – HK S Aug 17 '22 at 13:17
  • The output of `conntrack` is as expected: there are two separate connections to the same port. Now you need to find out whether there should be two separate connections. If yes, then you need to find another criterion for finding the entry. If not, then you need to find out why there is a separate connection. – Tero Kilkanen Aug 17 '22 at 15:48

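An added example, not part of the question or the comments above: a conntrack entry has two tuples, the original direction (the first `src=/dst=/sport=/dport=` group on the line, here client to 10.100.20.x:5000) and the reply direction (the second group, rewritten by the DNAT). In the listing in the question the two connections collide on the reply tuple (both reply `dport=27929`), but their original tuples differ (`dst=10.100.20.4 sport=27929` versus `dst=10.100.20.5 sport=59717`), and for TCP the original 4-tuple is unique. So the lookup key should be the original tuple. The script below parses the two conntrack lines from the question (embedded as a constructed sample, so it runs without root and without netfilter), counts how many entries share a reply port, and selects the single entry by original tuple. The `ct_filter_cmd` helper only prints the equivalent live `conntrack -L` invocation using the `--orig-*` filter options from conntrack(8); it does not run it.

```shell
#!/bin/sh
# Added example: disambiguate conntrack entries by their ORIGINAL-direction tuple.
# CT_SAMPLE is constructed from the two lines posted in the question.
CT_SAMPLE='tcp      6 431995 ESTABLISHED src=10.100.30.5 dst=10.100.20.4 sport=27929 dport=5000 src=10.100.1.10 dst=10.100.30.5 sport=2048 dport=27929 [ASSURED] mark=0 secmark=0 use=2
tcp      6 431987 ESTABLISHED src=10.100.30.5 dst=10.100.20.5 sport=59717 dport=5000 src=10.100.1.10 dst=10.100.30.5 sport=2048 dport=27929 [ASSURED] mark=0 secmark=0 use=2'

# ct_split LINE
# Prints: orig_src orig_dst orig_sport orig_dport reply_src reply_dst reply_sport reply_dport
# conntrack -L prints the original tuple first and the reply tuple second; each
# group starts with src=, so a new src= field starts a new group.
ct_split() {
    printf '%s\n' "$1" | awk '{
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")        { n++; src[n] = kv[2] }
            else if (kv[1] == "dst")   { dst[n] = kv[2] }
            else if (kv[1] == "sport") { sport[n] = kv[2] }
            else if (kv[1] == "dport") { dport[n] = kv[2] }
        }
        print src[1], dst[1], sport[1], dport[1], src[2], dst[2], sport[2], dport[2]
    }'
}

# ct_count_by_reply_dport PORT   (conntrack -L output on stdin)
# Counts entries whose REPLY tuple has dport=PORT: this is the ambiguous key
# from the question, so it can match more than one connection.
ct_count_by_reply_dport() {
    want=$1
    count=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $(ct_split "$line")
        if [ "$8" = "$want" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# ct_find_by_orig SRC SPORT DST DPORT   (conntrack -L output on stdin)
# Prints the entries whose ORIGINAL tuple matches. For a TCP flow the
# original 4-tuple is unique, so at most one line is printed.
ct_find_by_orig() {
    want_src=$1; want_sport=$2; want_dst=$3; want_dport=$4
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $(ct_split "$line")
        if [ "$1" = "$want_src" ] && [ "$3" = "$want_sport" ] \
           && [ "$2" = "$want_dst" ] && [ "$4" = "$want_dport" ]; then
            printf '%s\n' "$line"
        fi
    done
}

# ct_filter_cmd SRC SPORT DST DPORT
# Prints (does not run) the live conntrack query that applies the same
# original-tuple filter in the kernel, using conntrack(8)'s --orig-* options.
ct_filter_cmd() {
    printf 'conntrack -L -p tcp --orig-src %s --orig-port-src %s --orig-dst %s --orig-port-dst %s\n' \
        "$1" "$2" "$3" "$4"
}

# Stand-alone demo on the constructed sample.
printf 'entries with reply dport 27929: %s\n' \
    "$(printf '%s\n' "$CT_SAMPLE" | ct_count_by_reply_dport 27929)"
printf 'entry for original tuple 10.100.30.5:27929 -> 10.100.20.4:5000:\n'
printf '%s\n' "$CT_SAMPLE" | ct_find_by_orig 10.100.30.5 27929 10.100.20.4 5000
printf 'equivalent live query: %s\n' "$(ct_filter_cmd 10.100.30.5 27929 10.100.20.4 5000)"
```

The `-s`/`-d` and `--sport`/`--dport` options of `conntrack -L` already match the original direction, while `-r`/`-q` and `--reply-port-*` match the reply direction; the question's filter mixed `-s` (original) with `-r` (reply) and never constrained the original destination or source port, which is why both entries were returned. Filtering on the full original tuple, as `ct_filter_cmd` prints, picks one.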