
iptables DNAT works for first curl request, then hangs


I want to forward all packets coming to 192.168.1.10:8070 on interface wlan0 to 10.59.99.4:8080 on interface wg0.

I added these two rules to iptables:

-A PREROUTING -p tcp --destination 192.168.1.10 --dport 8070 -j DNAT --to-destination 10.59.99.4:8080
-A POSTROUTING -p tcp --destination 10.59.99.4 --dport 8080 -j SNAT --to-source 192.168.1.10:8070

Since I'm using ufw as firewall, I set those in /etc/ufw/before.rules

I also set net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf

I added these rules to ufw: route allow in on wlan0 out on wg0 and route allow in on wg0 out on wlan0 to make sure traffic forwarding between the two interfaces is allowed. I can make them more restrictive but I wanted to be sure ufw rules are not the problem.

With these settings, doing curl 192.168.1.10:8070 works flawlessly the first time, but if I execute it again it hangs for a few seconds and then fails:

curl -v 192.168.1.10:8070
*   Trying 192.168.1.10:8070...
* connect to 192.168.1.10 port 8070 failed: Timed out
* Failed to connect to 192.168.1.10 port 8070 after 21060 ms: Couldn't connect to server
* Closing connection 0
curl: (28) Failed to connect to 192.168.1.10 port 8070 after 21060 ms: Couldn't connect to server

If I wait a few minutes it works again the first time and then fails once again.

I tried forwarding packets to a different address on the same interface and the same happens. I also tried setting the header 'Connection: close' on the request, thinking that maybe leaving the connection intact might be causing the problem, but that did not help.

I don't think it's something related to connection state, otherwise the first curl wouldn't work either, since it sends multiple packets back and forth.

With tcpdump I can see that for the second request 192.168.1.10 receives the request from curl, but sends nothing to 10.59.99.4, so maybe the problem lies there.

What could be the reason for this behaviour, and how do I fix it?

I tried looking around the internet for this problem but I seem to be the only one to have it. The only thing that seems to come close to it is this, but I think it doesn't apply because it's about REDIRECT, not NAT, and they can only send the first packet, while in my case the first curl request is able to send multiple packets (SYN, ACK, etc.)
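Added example, not from the original post: it assumes the pinned source port in the SNAT rule (--to-source 192.168.1.10:8070) is what blocks the second connection, and shows the corrected *nat section for before.rules beside the original (with interface matches added), plus a small lint function that flags any SNAT rule whose --to-source is pinned to a single host:port.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the hang on the second
# curl comes from the SNAT rule pinning the translated source to one port
# (--to-source 192.168.1.10:8070). Every forwarded connection to 10.59.99.4:8080
# then needs the same conntrack tuple, so a second client connection cannot get
# a unique mapping until the first entry times out. Dropping the ":8070" lets
# the kernel pick a free source port per connection. Addresses, ports and
# interfaces are the ones from the question; the rule text below is constructed.

BROKEN_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -d 192.168.1.10 --dport 8070 -j DNAT --to-destination 10.59.99.4:8080
-A POSTROUTING -o wg0 -p tcp -d 10.59.99.4 --dport 8080 -j SNAT --to-source 192.168.1.10:8070
COMMIT'

FIXED_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -d 192.168.1.10 --dport 8070 -j DNAT --to-destination 10.59.99.4:8080
-A POSTROUTING -o wg0 -p tcp -d 10.59.99.4 --dport 8080 -j SNAT --to-source 192.168.1.10
COMMIT'

# Lint a nat table (as it would appear in /etc/ufw/before.rules) for SNAT rules
# whose --to-source is pinned to a single host:port. Prints the offending rules
# and returns 0 if any were found, 1 if the table is clean.
find_pinned_snat() {
    printf '%s\n' "$1" | grep -E -- '-j SNAT .*--to-source [0-9.]+:[0-9]+( |$)'
}

# Number of pinned SNAT rules, so a caller can check a value instead of output.
count_pinned_snat() {
    find_pinned_snat "$1" | wc -l | tr -d ' '
}

if [ "$(count_pinned_snat "$BROKEN_NAT")" -gt 0 ]; then
    echo "pinned SNAT port found:"; find_pinned_snat "$BROKEN_NAT"
fi
count_pinned_snat "$FIXED_NAT"   # 0: the corrected table passes the check

# On the live box, the stale mapping that blocks the next connection shows up as
# one conntrack entry for the pinned tuple (conntrack-tools):
#   conntrack -L -p tcp --dport 8080
```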
