I have a machine that has a DNAT rule that redirects data to a neighbouring server:
iptables -t nat -A PREROUTING -p udp -d 10.99.193.116 --dport 54321 -j DNAT --to 10.99.193.115:54321
As can be seen, this rule is triggered quite frequently:
pkts bytes target prot opt in out source destination
192K 19M DNAT udp -- * * 0.0.0.0/0 10.99.193.116 udp dpt:54321 to:10.99.193.115:54321
However, looking at the interface, the redirected packets are not sent out on the interface.
$ tcpdump -i eth0 -n port 54321
17:03:36.553363 IP 172.21.0.159.54321 > 10.99.193.116.54321: UDP, length 82
17:03:37.514257 IP 172.21.0.20.54321 > 10.99.193.116.54321: UDP, length 39
17:03:37.633556 IP 172.21.0.91.54321 > 10.99.193.116.54321: UDP, length 82
17:03:37.678211 IP 172.21.0.196.54321 > 10.99.193.116.54321: UDP, length 68
17:03:38.542620 IP 172.21.0.185.54321 > 10.99.193.116.54321: UDP, length 39
This problem occurred after the machine rebooted for the first time after adding these rules, so presumably there is some difference between then and now. But what? Or is there some kernel bug that means these packets are dropped even though the counter is incremented?
The machine is a CentOS4 box, Linux 2.6.9-67.0.1.ELsmp.
You also need a FORWARD rule, for example:
and to enable forwarding, of course:
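As an added illustration (not part of the question or the answer above), here is the complete rule set the answer refers to, with the addresses and port from the question, plus a small check function that tells you which of the three pieces (DNAT rule, FORWARD rule, ip_forward) is missing on a given box; the rule listings it runs against are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Addresses and port are the ones in the question.
DNAT_IP=10.99.193.116     # address the clients send to
TARGET_IP=10.99.193.115   # neighbouring server the traffic is redirected to
PORT=54321

# apply_redirect: installs all three pieces. Needs root; not exercised by the check below.
apply_redirect() {
  iptables -t nat -A PREROUTING -p udp -d "$DNAT_IP" --dport "$PORT" \
    -j DNAT --to-destination "$TARGET_IP:$PORT"
  # Without this, the nat counter still increments but a FORWARD policy of DROP eats the packet.
  iptables -A FORWARD -p udp -d "$TARGET_IP" --dport "$PORT" -j ACCEPT
  # Without forwarding, routed packets are discarded before FORWARD is even consulted.
  # A runtime-only setting is lost on reboot; persist it in /etc/sysctl.conf as well.
  sysctl -w net.ipv4.ip_forward=1
}

# check_redirect RULES IPFWD: RULES is the combined text of `iptables -S` and
# `iptables -t nat -S`; IPFWD is the content of /proc/sys/net/ipv4/ip_forward.
# Prints the first missing piece (or "ok") and returns 0 only when all are present.
check_redirect() {
  rules=$1; ipfwd=$2
  if [ "$ipfwd" != "1" ]; then echo "ip_forward disabled"; return 1; fi
  if ! printf '%s\n' "$rules" | grep -q -- "-A PREROUTING .*-d $DNAT_IP.*--dport $PORT .*-j DNAT"; then
    echo "DNAT rule missing"; return 1
  fi
  if ! printf '%s\n' "$rules" | grep -q -- "-A FORWARD .*-d $TARGET_IP.*--dport $PORT .*-j ACCEPT"; then
    echo "FORWARD ACCEPT rule missing"; return 1
  fi
  echo ok
}

# Constructed sample reproducing the asker's state: DNAT rule present, no FORWARD rule.
BROKEN_RULES='-P FORWARD DROP
-A PREROUTING -d 10.99.193.116/32 -p udp -m udp --dport 54321 -j DNAT --to-destination 10.99.193.115:54321'
# Same listing after the FORWARD rule from apply_redirect has been added.
FIXED_RULES="$BROKEN_RULES
-A FORWARD -d 10.99.193.115/32 -p udp -m udp --dport 54321 -j ACCEPT"

check_redirect "$BROKEN_RULES" 1 || :   # prints: FORWARD ACCEPT rule missing
check_redirect "$FIXED_RULES" 1         # prints: ok
```

On the real machine, feed it `"$(iptables -S; iptables -t nat -S)"` and `"$(cat /proc/sys/net/ipv4/ip_forward)"`; the nat counters alone cannot distinguish these cases, which is why the DNAT counter in the question keeps climbing while nothing leaves eth0.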