Add UDP tip to DNAT solutions

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2018-12-13 10:33:11 -08:00 · 2018-12-13 10:33:11 -08:00 · 2b6d657fb0
commit 2b6d657fb0
parent 668cb6deda
1 changed files with 17 additions and 1 deletions
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@ -244,9 +244,25 @@ DNAT    net:<emphasis>address</emphasis>   loc:<emphasis>local-IP-address</empha
        work</title>

        <para><emphasis role="bold">Answer:</emphasis> That is usually the
-        result of one of four things:</para>
+        result of one of five things:</para>

        <itemizedlist>
+          <listitem>
+            <para>You are trying to redirect a UDP port and there is already a
+            conntrack table entry for the flow, created via an ACCEPT
+            rule.</para>
+
+            <para>Example:</para>
+
+            <programlisting>        DNAT    loc:192.168.0.2 dmz:192.168.1.3 udp 53</programlisting>
+
+            <para>Assuming that you have installed the
+            <emphasis>conntrack</emphasis> package, you can delete all such
+            conntrack table entries using:</para>
+
+            <programlisting>        conntrack -D -s 192.168.0.2 -p udp --dport 53</programlisting>
+          </listitem>
+
          <listitem>
            <para>You are trying to test from inside your firewall (no, that
            won't work -- see <xref linkend="faq2"/>).</para>