LinuxQuestions.org
Old 06-16-2015, 01:48 AM   #1
kinghong66
LQ Newbie
 
Registered: Jun 2015
Posts: 2

Rep: Reputation: Disabled
iptables port forward not working for port range mapping to another port range in Linux 2.6.39


Hi All,

I have an issue where the iptables rules are not working in the case below.
-A PORTFORWARD_NAT_CHAIN -i erouter0 -p tcp -m tcp --dport 2000:2005 -j DNAT --to-destination 192.168.0.20:4000-4005
-A PORTFORWARD_NAT_CHAIN -s 192.168.0.0/24 -d 10.4.2.119/32 -i l2sd0.2 -p tcp -m tcp --dport 2000:2005 -j DNAT --to-destination 192.168.0.20:4000-4005

=> It currently works as below (it seems to always map to port 4000)
10.4.2.119:2000 ==> 192.168.0.20:4000
10.4.2.119:2001 ==> 192.168.0.20:4000
...
10.4.2.119:2005 ==> 192.168.0.20:4000


I would expect the behavior below

10.4.2.119:2000 ==> 192.168.0.20:4000
10.4.2.119:2001 ==> 192.168.0.20:4001
10.4.2.119:2002 ==> 192.168.0.20:4002
...
10.4.2.119:2005 ==> 192.168.0.20:4005


Somehow, the rules do not have this problem in the case below


-A PORTFORWARD_NAT_CHAIN -i erouter0 -p tcp -m tcp --dport 2000:2005 -j DNAT --to-destination 192.168.0.20
-A PORTFORWARD_NAT_CHAIN -s 192.168.0.0/24 -d 10.4.2.119/32 -i l2sd0.2 -p tcp -m tcp --dport 2000:2005 -j DNAT --to-destination 192.168.0.20

10.4.2.119:2000 ==> 192.168.0.20:2000
...
10.4.2.119:2005 ==> 192.168.0.20:2005


Any comment, or is this a Linux iptables limitation? Thanks for your help!

Best Regards
James

Last edited by kinghong66; 06-16-2015 at 03:30 AM. Reason: incomplete
 
Old 06-17-2015, 09:11 AM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,233
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
If you are looking for a one-to-one port match then you are going to have to set up individual rules that way.
By stating a port range, iptables is randomly going to pick one.

Your second example works like you want because you are only changing the IP Address not the port.
 
1 members found this post helpful.
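The one-rule-per-port approach suggested in the reply above, as an added example that is not part of the thread: a small POSIX sh generator that expands an external port range into explicit 1:1 DNAT rules in iptables-restore syntax. It reuses the chain, interface and address values from the original post; the function names and the range checks are this example's own assumptions. The script only prints rules, so the output can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not from the thread: expand a port-range DNAT into one rule
# per port so that external port 2000+i maps to internal port 4000+i, which a
# single "--dport 2000:2005 -j DNAT --to-destination IP:4000-4005" rule does not do.
# The function prints rules in iptables-restore format and never calls iptables.
#
# usage: gen_dnat_rules CHAIN IN_IFACE EXT_FIRST EXT_LAST INT_IP INT_FIRST
gen_dnat_rules() {
    chain=$1; iface=$2; ext_first=$3; ext_last=$4; int_ip=$5; int_first=$6

    # Reject an inverted external range before emitting anything.
    if [ "$ext_first" -gt "$ext_last" ]; then
        echo "gen_dnat_rules: bad external range $ext_first-$ext_last" >&2
        return 1
    fi

    # The internal range must have the same width and stay inside 1..65535.
    int_last=$((int_first + ext_last - ext_first))
    if [ "$int_first" -lt 1 ] || [ "$int_last" -gt 65535 ]; then
        echo "gen_dnat_rules: internal range $int_first-$int_last out of bounds" >&2
        return 1
    fi

    ext=$ext_first
    int=$int_first
    while [ "$ext" -le "$ext_last" ]; do
        # One explicit rule per port: external $ext -> $int_ip:$int
        rule="-A $chain -i $iface -p tcp -m tcp --dport $ext -j DNAT --to-destination $int_ip:$int"
        printf '%s\n' "$rule"
        ext=$((ext + 1))
        int=$((int + 1))
    done
}

# Number of rules a given range expands to (sanity check before loading).
count_dnat_rules() {
    gen_dnat_rules "$@" | wc -l | tr -d ' '
}

# Example invocation mirroring the thread's first rule (prints six rules).
gen_dnat_rules PORTFORWARD_NAT_CHAIN erouter0 2000 2005 192.168.0.20 4000
```

The printed lines are meant to be placed in the `*nat` section of an iptables-restore file (or each passed to `iptables -t nat`), in place of the single range rule. For the second rule in the post, add the `-s 192.168.0.0/24 -d 10.4.2.119/32 -i l2sd0.2` matches in the same way.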
Old 06-17-2015, 07:17 PM   #3
kinghong66
LQ Newbie
 
Registered: Jun 2015
Posts: 2

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lazydog
If you are looking for a one-to-one port match then you are going to have to set up individual rules that way.
By stating a port range iptables is randomly going to pick one.

Your second example works like you want because you are only changing the IP Address not the port.
Hi lazydog,

Thanks for the response. So my understanding is that the current iptables doesn't support a single iptables rule for 1-1 mapping of a port range to another IP's port range.
I will try to check if there is any other solution other than using a single iptables rule.

Last edited by kinghong66; 06-17-2015 at 07:18 PM.
All times are GMT -5.