
The same effect occurs on many servers with various kernel versions.

There are multiple iptables DNAT rules:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 12345 -j DNAT --to-destination 10.20.30.40:5678
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 23456 -j DNAT --to-destination 10.11.12.13:5789
....
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 34567 -j LOG --log-prefix 'natudp: '
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 34567 -j DNAT --to-destination 10.55.66.77:34567

Problem: the UDP rules are not working for incoming requests from eth0.
Their packet and byte counters have zero values.
Simplification (removing --dport) has no effect.
As a result, the requests are passed to the filter/INPUT chain instead of FORWARD.

No such problem for packets from virtual interfaces (tap, veth) - they are caught by the PREROUTING rules.
No such problem for TCP.
No such problem for UDP answers.
But incoming UDP requests from eth0 are ignored by the PREROUTING rules entirely:

# iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 3 packets, 174 bytes)
 pkts bytes target   prot opt in     out   source        destination         

(testing rules)
    2   126 LOG      udp  --  *      *     0.0.0.0/0     0.0.0.0/0      LOG flags 0 level 4 prefix "prerouting-udp: "
    0     0          udp  --  *      *     1.2.3.4       0.0.0.0/0               
    0     0          udp  --  *      *     1.2.3.4       0.0.0.0/0      udp dpt:25826
    0     0          udp  --  eth0   *     0.0.0.0/0     0.0.0.0/0      udp dpt:25826
    0     0          udp  --  eth0   *     1.2.3.4       0.0.0.0/0           
    0     0          udp  --  eth0   *     1.2.3.4       0.0.0.0/0      udp dpt:25826

(production rules)
    7   412 DNAT     tcp  --  eth0   *     0.0.0.0/0     0.0.0.0/0      tcp dpt:12345 to:10.20.30.40:8080
   63  3804 DNAT     tcp  --  eth0   *     0.0.0.0/0     0.0.0.0/0      tcp dpt:56789 to:10.30.40.50:8000
    0     0 DNAT     udp  --  eth0   *     1.2.3.4       0.0.0.0/0      udp dpt:25826 to:10.40.50.60:25826

Any ideas?

user2743554
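One check a practitioner would run before reworking the rules, added here as an example and not part of the original post: the nat table is consulted only for the first packet of a connection-tracking flow. A packet that conntrack attaches to an existing entry (in either direction) never traverses nat/PREROUTING, so the DNAT rule's counters stay at zero and the packet is routed locally into filter/INPUT. An entry like that can exist if this host itself sent UDP to 1.2.3.4:25826 earlier, or if a request arrived before the DNAT rule was loaded. The script below parses `conntrack -L` output (or `/proc/net/nf_conntrack`, which has two extra leading fields) and reports the entries an inbound packet would be attached to. The conntrack output is constructed for the example, and the host's eth0 address 198.51.100.7 is an assumption; 1.2.3.4 and port 25826 come from the rules above.

```shell
#!/bin/sh
# Added example, not from the original post.
# Report the conntrack entries an incoming packet (PROTO SRC DST DPORT) would
# be attached to. A match in either the original or the reply tuple means
# the packet skips nat/PREROUTING entirely (nat only sees NEW flows).
#
# conntrack_matches_for PROTO SRC DST DPORT < conntrack_output
# Prints matching lines; exit status 0 if any entry matched, 1 if none.
conntrack_matches_for() {
    awk -v proto="$1" -v src="$2" -v dst="$3" -v dport="$4" '
    # `conntrack -L` puts the protocol name in field 1,
    # /proc/net/nf_conntrack puts it in field 3 (after "ipv4 2").
    $1 != proto && $3 != proto { next }
    {
        # Each line carries two tuples: original direction first, then the
        # expected reply. Collect src=/dst=/dport= in order of appearance;
        # tokens such as [UNREPLIED], [ASSURED], mark= and use= are ignored.
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)        { n++; s[n] = substr($i, 5) }
            else if ($i ~ /^dst=/)   { d[n] = substr($i, 5) }
            else if ($i ~ /^dport=/) { p[n] = substr($i, 7) }
        }
        for (k = 1; k <= n; k++) {
            if (s[k] == src && d[k] == dst && p[k] == dport) {
                print
                found = 1
                break
            }
        }
    }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample of `conntrack -L` output (assumption: the host's eth0
# address is 198.51.100.7). The first entry was created by an outbound UDP
# packet from this host to 1.2.3.4:25826; an inbound 1.2.3.4 -> 198.51.100.7
# packet to port 25826 is classified as its reply and bypasses nat/PREROUTING.
SAMPLE_CONNTRACK='udp      17 25 src=198.51.100.7 dst=1.2.3.4 sport=25826 dport=25826 [UNREPLIED] src=1.2.3.4 dst=198.51.100.7 sport=25826 dport=25826 mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=198.51.100.7 sport=40000 dport=12345 src=10.20.30.40 dst=203.0.113.9 sport=8080 dport=40000 [ASSURED] mark=0 use=1
udp      17 170 src=10.0.0.2 dst=10.0.0.1 sport=53000 dport=53 src=10.0.0.1 dst=10.0.0.2 sport=53 dport=53000 [ASSURED] mark=0 use=1'

# Number of sample entries that would swallow the inbound UDP request.
count_sample_blockers() {
    printf '%s\n' "$SAMPLE_CONNTRACK" \
        | conntrack_matches_for udp 1.2.3.4 198.51.100.7 25826 \
        | wc -l | tr -d ' '
}

# Demo against the constructed sample. On a real host replace the printf with
#   conntrack -L 2>/dev/null | conntrack_matches_for udp 1.2.3.4 <eth0-addr> 25826
if printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_matches_for udp 1.2.3.4 198.51.100.7 25826; then
    echo "existing conntrack entry found: nat/PREROUTING is skipped for this flow"
else
    echo "no existing conntrack entry for that flow"
fi
```

If the live table shows such an entry, `conntrack -D -p udp --orig-port-dst 25826` (from conntrack-tools) removes it, after which the next inbound packet is a NEW flow and traverses nat/PREROUTING again; the DNAT counters should then start moving. If no entry exists, the cause lies elsewhere and the rules themselves need a closer look.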

0 Answers