  1. #1
    Just Joined!
    Join Date
    Oct 2008
    Posts
    2

    How can I forward udp packets between two networks with iptables and iproute2

    Hi All,
    I have a huge problem that I have been trying to solve for more than a week, and I need advice.
    My app is a Border Controller (BC) that forwards RTP packets between two endpoints in two different networks (it defines the IPs and ports dynamically).
    Each network has its own default gateway, thus each network connects to the BC through its own interface.

    Scenario description:
    1. Endpoint A (IP=10.20.5.30:16001) sends packets to my Border Controller at 10.20.5.50:35004, which is configured on eth0.
    2. The Border Controller is already configured with iptables DNAT and SNAT in order to change the IP header as described below.
    3. With the help of iproute, the packets are routed to Endpoint B (IP=199.203.72.53:1600) through the Border Controller's IP 172.16.34.51:35006, which is configured on eth1.
    4. Packets from endpoint B to A traverse in the exact opposite direction.
    Schema:
    10.20.5.30:16001(A)<-->10.20.5.254(GW)<-->10.20.5.50:35004(BC_eth0)<-->172.16.34.51:35006(BC_eth1)<-->172.16.0.1(GW)<-->199.203.72.53:16008(B)

    As far as I understand, the process goes as follows:
    1. Packets arrive at the Border Controller and are marked by the MARK rule in the mangle table's PREROUTING chain (see output of "iptables -t mangle -nvL").
    2. DNAT occurs in the PREROUTING chain, which changes the target IP in the IP header (see output of "iptables -t nat -nvL").
    3. The routing stage is done by choosing the route according to the mark set in stage 1 (see "ip rule show") or by falling back to the default route (see "route -n"), which means going to gateway 172.16.0.1 through eth1 or to 10.20.5.254 through eth0.
    4. SNAT occurs in the POSTROUTING chain, which changes the source IP in the IP header (see "iptables -t nat -nvL").
    The actual result is that packets go from endpoint A (10.20.5.30) to endpoint B (199.203.72.53) through the Border Controller correctly; however, packets from endpoint B arrive at the Border Controller but I can't see them go out (I use Wireshark to trace the packets).
    These are my iptables and iproute configurations:

    * Command: "iptables -t mangle -nvL"
    Chain PREROUTING (policy ACCEPT 885K packets, 209M bytes)
    pkts bytes target prot opt in out source destination
    885K 209M PREDSCP all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 MARK udp -- * * 10.20.5.30 0.0.0.0/0 udp spt:16001 MARK set 0x3

    Chain INPUT (policy ACCEPT 13M packets, 1744M bytes)
    pkts bytes target prot opt in out source destination

    Chain FORWARD (policy ACCEPT 41584 packets, 8295K bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 868K packets, 202M bytes)
    pkts bytes target prot opt in out source destination
    868K 202M OUTDSCP all -- * * 0.0.0.0/0 0.0.0.0/0
    868K 202M DSCP_EVENTS all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain POSTROUTING (policy ACCEPT 13M packets, 1813M bytes)
    pkts bytes target prot opt in out source destination

    Chain DSCP_EVENTS (1 references)
    pkts bytes target prot opt in out source destination

    Chain OUTDSCP (1 references)
    pkts bytes target prot opt in out source destination

    Chain PREDSCP (1 references)
    pkts bytes target prot opt in out source destination

    * Command: "iptables -t nat -nvL"
    Chain PREROUTING (policy ACCEPT 32057 packets, 14M bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT udp -- * * 0.0.0.0/0 172.16.34.51 udp dpt:35006 to:10.20.5.30:16001
    0 0 DNAT udp -- * * 0.0.0.0/0 10.20.5.50 udp dpt:35004 to:199.203.72.53:16008
    Chain POSTROUTING (policy ACCEPT 25661 packets, 1422K bytes)
    pkts bytes target prot opt in out source destination
    0 0 SNAT udp -- * * 0.0.0.0/0 199.203.72.53 udp dpt:16008 to:172.16.34.51:35006
    0 0 SNAT udp -- * * 0.0.0.0/0 10.20.5.30 udp dpt:16001 to:10.20.5.50:35004
    Chain OUTPUT (policy ACCEPT 25661 packets, 1422K bytes)
    pkts bytes target prot opt in out source destination
    * Command "ip rule show"
    0: from all lookup local
    32762: from all fwmark 0x3 lookup eth1_172.16.0.1
    32763: from 172.16.34.51 lookup eth1_172.16.0.1
    32764: from all fwmark 0x2 lookup eth0_10.20.5.254
    32765: from 10.20.5.33 lookup eth0_10.20.5.254
    32766: from all lookup main
    32767: from all lookup default
    * Command "ip route show table eth1_172.16.0.1"
    default via 172.16.0.1 dev eth1
    * Command "ip route show table eth0_10.20.5.254"
    default via 10.20.5.254 dev eth0
    * Command "route -n"
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.20.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
    169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
    0.0.0.0 10.20.5.254 0.0.0.0 UG 0 0 0 eth0

  2. #2
    Hi,

    Finally, after spending so much time on that issue, I found the answer.
    The rp_filter system parameter was set to true, which blocked all packets that needed to pass from one interface to another (note that this happened in only one direction).

    To solve this, you need to run the following command:
    echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
    or
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

    Hope this will help others to solve their problem.
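An added example, not part of the original thread: a small POSIX shell audit of the effective rp_filter mode per interface. The kernel applies the maximum of conf/all/rp_filter and conf/<dev>/rp_filter, so the per-device echo shown above has no effect while conf/all is still 1; the script makes that visible on a constructed sysctl sample (the eth0/eth1 names and values are assumed for illustration) and also shows the loose-mode (2) alternative to disabling the check entirely.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits the EFFECTIVE rp_filter
# mode per interface from `sysctl` output, offline on a constructed sample.
# Kernel semantics (Documentation/networking/ip-sysctl.rst): the effective value
# is max(conf/all/rp_filter, conf/<dev>/rp_filter), so setting conf/<dev> to 0
# does nothing while conf/all is still 1.
#   0 = off, 1 = strict (drops replies that arrive on the "wrong" interface, as
#   in the thread's reverse RTP direction), 2 = loose (source reachable via any
#   interface is accepted).

# Constructed sample of `sysctl -a 2>/dev/null | grep rp_filter` on a
# multihomed host; interface names mirror the thread's eth0/eth1.
SAMPLE='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0'

# effective_rp_filter ALL DEV -> prints max(ALL, DEV)
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# audit_rp_filter < sysctl-lines -> prints "<dev> <effective>" per real device,
# skipping the all/default/lo pseudo entries; sorted for stable output.
audit_rp_filter() {
    awk -F'[. =]+' '
        $4 == "all" { all = $6; next }
        $4 == "default" || $4 == "lo" { next }
        { dev[$4] = $6 }
        END { for (d in dev) { e = (all > dev[d]) ? all : dev[d]; print d, e } }
    ' | sort
}

# strict_devices < sysctl-lines -> interfaces still in strict mode, i.e. the
# ones that would silently drop asymmetric traffic like the thread's B->A leg.
strict_devices() {
    audit_rp_filter | awk '$2 == 1 { print $1 }'
}

echo "$SAMPLE" | audit_rp_filter     # eth0 1 / eth1 2: eth0 is still strict
echo "$SAMPLE" | strict_devices      # eth0

# To see what rp_filter drops before changing anything, have the kernel log the
# drops as "martian source" messages:   sysctl -w net.ipv4.conf.all.log_martians=1
# A less drastic fix than 0 is loose mode, set on all AND the two interfaces
# (because max applies), persisted in /etc/sysctl.conf:
#   net.ipv4.conf.all.rp_filter = 2
#   net.ipv4.conf.eth0.rp_filter = 2
#   net.ipv4.conf.eth1.rp_filter = 2
```

Running it against the live host is `sysctl -a 2>/dev/null | grep rp_filter | audit_rp_filter`; an interface that shows 1 there is a candidate for the drops the thread describes.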
