iptables REDIRECT works only for first packet

linux firewall iptables

nat table rules always work only for first packet in connection. Subsequent packets of same connection never traverse nat rule list and only supported by conntrack code

As UDP is connectionless in nature, "connection" here is defined simply by addresses, ports and timeout. So, if second UDP packet with same source port and address and same destination port and address arrives within the timeout, Linux believes it belongs to established "connection" and doensn't evaluate nat rule table for it at all, reusing verdict issued for previous packet.

See here: http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html


This is caused by the fact that iptables applies connection tracking on PREROUTING chain. Whenever a new connection is made, iptables will consult the conntrack cache. If a match was found, no rule will be applied from nat table.

If you want to disable change this behavior, look at NOTRACK target in raw table.

Please, note that this applies even for UDP (which is a connection-less protocol). The first packet is considered as opening connection NEW and the other is a reply ESTABLISHED.

I found a related post on serverfault.

Related

Apache 2 Symbolic link not allowed or link target not accessible
Ganglia doesnt update graph
Raspberry Pi based Hadoop cluster [closed]
Remove a user from ACL completely using PowerShell
OpenVPN client on Windows 7 - cannot add route from config script
Are there any tools to do change management with Active Directory / Group Policy?
SQL Server: Memory Usage High (7GB) + Page File Usage High (7GB) but CPU Usage (2% to10%) [duplicate]
Connect to WEP Wireless Network by command line on Ubuntu
Automatically run PowerShell script at first boot
Pushing IP routes to various VPN clients
Why does doing large deletes, copies, moves on my ZFS NAS block all other IOs?
How to match selinux rules/transitions/labels/etc to modules