LinuxQuestions.org

Linux - Networking: iptables port forward not working for port range mapping to another port range in Linux 2.6.39 (https://www.linuxquestions.org/questions/linux-networking-3/iptables-port-forward-not-working-for-port-range-mapping-to-anohter-port-range-in-linux-2-6-39-a-4175545482/)

kinghong66 06-16-2015 01:48 AM

iptables port forward not working for port range mapping to another port range in Linux 2.6.39
 
Hi All,

I have an issue where the iptables rules are not working in the case below.
-A PORTFORWARD_NAT_CHAIN -i erouter0 -p tcp -m tcp --dport 2000:2005 -j DNAT --to-destination 192.168.0.20:4000-4005
-A PORTFORWARD_NAT_CHAIN -s 192.168.0.0/24 -d 10.4.2.119/32 -i l2sd0.2 -p tcp -m tcp --dport 2000:2005 -j DNAT --to-destination 192.168.0.20:4000-4005

=> It currently works as below (it seems to always map to port 4000)
10.4.2.119:2000 ==> 192.168.0.20:4000
10.4.2.119:2001 ==> 192.168.0.20:4000
...
10.4.2.119:2005 ==> 192.168.0.20:4000


I would expect below behavior

10.4.2.119:2000 ==> 192.168.0.20:4000
10.4.2.119:2001 ==> 192.168.0.20:4001
10.4.2.119:2002 ==> 192.168.0.20:4002
...
10.4.2.119:2005 ==> 192.168.0.20:4005


Somehow, the rules do not have this problem in the case below


-A PORTFORWARD_NAT_CHAIN -i erouter0 -p tcp -m tcp --dport 2000:2005 -j DNAT --to-destination 192.168.0.20
-A PORTFORWARD_NAT_CHAIN -s 192.168.0.0/24 -d 10.4.2.119/32 -i l2sd0.2 -p tcp -m tcp --dport 2000:2005 -j DNAT --to-destination 192.168.0.20

10.4.2.119:2000 ==> 192.168.0.20:2000
...
10.4.2.119:2005 ==> 192.168.0.20:2005


Any comments, or is this a Linux iptables limitation? Thanks for your help!

Best Regards
James

lazydog 06-17-2015 09:11 AM

If you are looking for a one-to-one port match, then you are going to have to set up individual rules that way.
By stating a port range, iptables is going to randomly pick one.

Your second example works like you want because you are only changing the IP address, not the port.
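
An added example, not code from the thread or from lazydog: a small POSIX shell helper that expands the port range into one DNAT rule per port, so that external port N lands on exactly one internal port, which is the behaviour the original poster expected. The chain name, interfaces and addresses are the ones from the posted rules; the function names, the offset arithmetic and the use of iptables-save/iptables-restore syntax are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): expand a DNAT port range into
# individual per-port rules with a fixed offset, because a range given
# to --to-destination is a pool to choose from, not a 1:1 map.
# Chain, interfaces and addresses come from the original post; the
# function names and the iptables-save output format are our assumptions.

# gen_dnat_rules CHAIN IFACE DST_IP FIRST_EXT LAST_EXT FIRST_INT [MATCH]
#   Prints one DNAT rule per external port FIRST_EXT..LAST_EXT, mapping
#   each to FIRST_INT + (port - FIRST_EXT) on DST_IP. MATCH is an optional
#   extra match string placed before -i (e.g. "-s 192.168.0.0/24 -d ...").
gen_dnat_rules() {
    chain=$1 iface=$2 dst=$3 first_ext=$4 last_ext=$5 first_int=$6
    match=${7:-}
    [ "$first_ext" -le "$last_ext" ] || { echo "bad port range" >&2; return 1; }
    p=$first_ext
    while [ "$p" -le "$last_ext" ]; do
        # 1:1 offset: the internal port moves in step with the external one
        internal=$((first_int + p - first_ext))
        [ "$internal" -le 65535 ] || { echo "internal port overflow" >&2; return 1; }
        rule="-A $chain${match:+ $match} -i $iface -p tcp -m tcp --dport $p -j DNAT --to-destination $dst:$internal"
        printf '%s\n' "$rule"
        p=$((p + 1))
    done
}

# map_port FIRST_EXT FIRST_INT EXT_PORT
#   Prints the internal port the generated rule set delivers EXT_PORT to,
#   i.e. the mapping the poster expected (2001 -> 4001, 2005 -> 4005, ...).
map_port() {
    echo $(( $3 - $1 + $2 ))
}

# gen_nat_table
#   Emits a complete nat-table fragment for both of the poster's rules:
#   the WAN-side rule on erouter0 and the LAN-side rule on l2sd0.2.
#   Assumes PORTFORWARD_NAT_CHAIN already exists in the nat table.
gen_nat_table() {
    echo '*nat'
    gen_dnat_rules PORTFORWARD_NAT_CHAIN erouter0 192.168.0.20 2000 2005 4000
    gen_dnat_rules PORTFORWARD_NAT_CHAIN l2sd0.2 192.168.0.20 2000 2005 4000 \
        '-s 192.168.0.0/24 -d 10.4.2.119/32'
    echo 'COMMIT'
}

gen_nat_table
```

Review the printed fragment, then load it with `iptables-restore -n` (`--noflush`) so existing rules are kept. The first matching DNAT rule wins, so put these per-port rules ahead of any remaining range rule for the same ports, and remember that DNAT only rewrites the destination: the corresponding FORWARD filter rules still have to permit the traffic to 192.168.0.20:4000-4005.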

kinghong66 06-17-2015 07:17 PM

Quote:

Originally Posted by lazydog (Post 5378675)
If you are looking for a one-to-one port match, then you are going to have to set up individual rules that way.
By stating a port range, iptables is going to randomly pick one.

Your second example works like you want because you are only changing the IP address, not the port.

Hi lazydog,

Thanks for the response. So my understanding is that current iptables doesn't support a single rule for 1:1 mapping of a port range to another IP's port range.
I will try to check if there is any other solution than using a single iptables rule.

