Linux – DNAT port range with different internal port range with Iptables

iptableslinuxlinux-networkingnat;

The standard way of DNATing a single port to a different port on an internal network is something like that:

ip(6)tables -t nat -A PREROUTING -i wan0 -p tcp --dport 80 --to-destination 10.0.0.1:8080

If you need a port range you can use -m multiport together with --dports like that:

ip(6)tables -t nat -A PREROUTING -i wan0 -p tcp -m multiport --dports 1000:2000 --to-destination 10.0.0.1

Now what I want to know if you can combine the two techniques to map a port range (for example 1000-2000) to a different one of the same size (for example 12000-13000). Is that possible with Iptables using a kernel no later than Linux 4.1?

Best Answer

To answer your question, yes.

I ran a sample rule on my Debian box...

iptables -t nat -A PREROUTING -i xenbr0 -p tcp --dport 64000:65000 -j DNAT --to 172.16.10.10:61000-62000

... which produced no output, indicating success. I'm running kernel 3.16.0-4-amd64.

Checking the NAT rule via iptables -t nat -vnL PREROUTING, I see the rule is listed...

DNAT       tcp  --  xenbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpts:64000:65000 to:172.16.10.10:61000-62000

MadHatter is correct, you do not need -m multiport for port ranges, only for comma-separated lists of ports. The : is needed in order to specify port ranges for the --dport option, but a - is needed in order to specify port ranges in the DNAT target.

How well this rule will work in practice I cannot say, but theoretically it should accomplish your goal.

More information on DNAT target can be found here.

Hope this helps.

Related Solutions

Linux – Trying to make iptables stateless is causing unforeseen filtering

You have a rule which blocks all incoming traffic:

-A INPUT -j REJECT

And you stop connection tracking, so the rule to accept established connections' packets doesnt work anymore:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

So your DNS packet goes out, is not tracked, and is then rejected by the first rule.

You need to enable tracking for the second rule to work, or add rules to allow incoming traffic from "good" sources.

Iptables – ebtables/iptables/bridge-utils: PREROUTING/FORWARD issue on single-NIC bridge

When filtering on a bridge i think you need to use a different match for the interface in/out, in your case, in i understand your setup correctly, something like

iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD -m physdev --physdev-in eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -m physdev --physdev-out eth0 -j MASQUERADE

I don't think you need to enable ip_forward ... this is a bridge afterall

last but not least

echo 1 > net.bridge.bridge-nf-call-iptables

make sure this is enabled , but it should by default.

Best Answer

Related Solutions

Linux – Trying to make iptables stateless is causing unforeseen filtering

Iptables – ebtables/iptables/bridge-utils: PREROUTING/FORWARD issue on single-NIC bridge

Related Topic