* Does IPTables have a 1:1 port-forwarding capability for a DNAT port-range ?
From: Ranjeet Shetye @ 2002-12-13 0:34 UTC (permalink / raw)
To: netfilter
Reposting without all the MIME attachments - my apologies for the crud
from Outlook. Here's my question again in plaintext.
DNAT:
Is it possible to have a SINGLE (DNAT?) rule that will let me do 1:1
port-forwarding over a range of ports while doing Destination NAT.
e.g. Any incoming connections to 64.1.0.20:100-101 need to be mapped to
172.16.0.100:200-201 for the TCP protocol.
such that a connection to port 101 will ALWAYS map to port 201 and a
connection to port 100 will ALWAYS map to port 200.
Under current DNAT port range scenario, the connection goes to the
lowest port that is free e.g. a port 101 connection will be DNAT'ed to
port 200 if port 200 is free.
The reason for wanting a 1:1 rule is for X windows and other fat port
ranges. Don't want hundreds of rules in there if one can do the job. Can
IPTables do it? If so how? If not, I guess I'll have to get in touch
with the developers for tips on a good starting point.
Thanks in advance,
Ranjeet Shetye.
* Query.... redirecting traffic
From: Paul Gibson @ 2002-12-13 9:02 UTC (permalink / raw)
To: netfilter
Hello,
I am wondering if netfilter can do the following.....
http connection comes in on 10.10.10.10 port 80, can iptables then redirect
this to go to 192.168.1.1 port 12345 & also allow the returning data to go
back the opposite way ???
We are currently using "redir" to do it and are having some problems with it
due to an application we run.
TIA
Paul.
* Re: Query.... redirecting traffic
From: Sander Sneekes @ 2002-12-13 9:47 UTC (permalink / raw)
To: paul.gibson; +Cc: Netfilter
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.1 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 80 -d 10.10.10.10 -j DNAT --to 192.168.1.1:12345
On Fri, 2002-12-13 at 10:02, Paul Gibson wrote:
> Hello,
>
> I am wondering if netfilter can do the following.....
>
> http connection comes in on 10.10.10.10 port 80, can iptables then redirect
> this to go to 192.168.1.1 port 12345 & also allow the returning data to go
> back the opposite way ???
>
> We are currently using "redir" to do it and are having some problems with it
> due to an application we run.
>
> TIA
>
> Paul.
--
Sander Sneekes
sander@dmdsecure.com
--
Never argue with an idiot. They drag you down to their level, then beat
you with experience.
* RE: Query.... redirecting traffic
From: Paul Gibson @ 2002-12-13 9:57 UTC (permalink / raw)
To: 'Netfilter'
Wow
Thanks very much for all the replies..... and examples too :)
Looks like I can get rid of the dodgy redir.
thanks again! :)
-----Original Message-----
From: Sander Sneekes [mailto:sander@dmdsecure.com]
Sent: Friday, 13 December 2002 8:47 PM
To: paul.gibson@subspace.net.au
Cc: Netfilter
Subject: Re: Query.... redirecting traffic
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.1 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 80 -d 10.10.10.10 -j DNAT --to 192.168.1.1:12345
On Fri, 2002-12-13 at 10:02, Paul Gibson wrote:
> Hello,
>
> I am wondering if netfilter can do the following.....
>
> http connection comes in on 10.10.10.10 port 80, can iptables then redirect
> this to go to 192.168.1.1 port 12345 & also allow the returning data to go
> back the opposite way ???
>
> We are currently using "redir" to do it and are having some problems with it
> due to an application we run.
>
> TIA
>
> Paul.
--
Sander Sneekes
sander@dmdsecure.com
--
Never argue with an idiot. They drag you down to their level, then beat
you with experience.
* Re: Does IPTables have a 1:1 port-forwarding capability for a DNAT port-range ?
From: Andrea Rossato @ 2002-12-13 12:02 UTC (permalink / raw)
To: netfilter
Ranjeet Shetye wrote:
> The reason for wanting a 1:1 rule is for X windows and other fat port
> ranges. Don't want hundreds of rules in there if one can do the job. Can
> IPTables do it? If so how? If not, I guess I'll have to get in touch
> with the developers for tips on a good starting point.
I believe that the only way is to hack nat code.
I will start looking in
net/ipv4/netfilter/ip_nat_core.c
and the function manip_pkt that, as far as I understand, is actually
writing the NATed packet
andrea
* RE: Does IPTables have a 1:1 port-forwarding capability for a DNAT port-range ?
From: Ranjeet Shetye @ 2002-12-13 17:45 UTC (permalink / raw)
To: netfilter
Hi Andrea,
I was hoping that the answer would be "Yes, IPTables can do it", but I
think you are right. As a matter of fact, I have been looking into the
NetFilter code for the last couple of days and I was hoping that I
didn't need to hack the kernel code ('cos it's not documented). But it
looks like I will have to.
Anyways, I will take my query to the developer-mailing list and post a
reply here once everything is sorted out. In the meantime if anyone has
an architectural overview of Netfilter, one that maps out the
interactions between the various components and layers, I'd really
really like to get my hands on it!
Thanks for your help, Andrea.
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
771 Vaqueros Avenue
Sunnyvale CA 94085
USA
Ranjeet.Shetye@Zultys.com
http://www.zultys.com/
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of
> Andrea Rossato
> Sent: Friday, December 13, 2002 4:03 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: Does IPTables have a 1:1 port-forwarding
> capability for a DNAT port-range ?
>
>
> Ranjeet Shetye wrote:
> > The reason for wanting a 1:1 rule is for X windows and other fat port
> > ranges. Don't want hundreds of rules in there if one can do the job.
> > Can IPTables do it? If so how? If not, I guess I'll have to get in
> > touch with the developers for tips on a good starting point.
>
> I believe that the only way is to hack nat code.
> I will start looking in
> net/ipv4/netfilter/ip_nat_core.c
> and the function manip_pkt that, as far as I understand, is
> actually writing the NATed packet
> andrea
>
>
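Added example, not part of the thread: since the DNAT range target picks the lowest free port rather than keeping a fixed offset, the "hundreds of rules" fallback Ranjeet mentions is one rule per public port. The shell function below (my own, hypothetical names) expands a 1:1 TCP port-range mapping into those per-port PREROUTING DNAT rules plus the FORWARD accept for the return path that Sander's reply shows, checks the range does not run past 65535, and prints the rules instead of executing them so the output can be reviewed before loading it as root.

```shell
# Added example (not from the mailing list thread). Expands a 1:1 TCP port
# range DNAT into per-port iptables rules and prints them; nothing is executed.
# Usage: gen_dnat_1to1 PUBLIC_IP FIRST_PUB_PORT LAST_PUB_PORT PRIVATE_IP FIRST_PRIV_PORT
gen_dnat_1to1() {
    pub_ip=$1; pub_first=$2; pub_last=$3; priv_ip=$4; priv_first=$5
    # Sanity checks: numeric ports, ascending public range, private range in bounds.
    case "$pub_first$pub_last$priv_first" in
        *[!0-9]*|'') echo "ports must be numeric" >&2; return 1 ;;
    esac
    [ "$pub_first" -le "$pub_last" ] || { echo "empty public range" >&2; return 1; }
    priv_last=$((priv_first + pub_last - pub_first))
    [ "$priv_last" -le 65535 ] || { echo "private range overflows 65535" >&2; return 1; }
    # One filter rule covers the whole private range on the return/forward path
    # (same role as the FORWARD rule in Sander's reply).
    echo "iptables -A FORWARD -p tcp -d $priv_ip --dport $priv_first:$priv_last -j ACCEPT"
    # One DNAT rule per port pins the mapping: public port N -> private port N+offset,
    # which a single --to-destination ip:first-last rule does not guarantee.
    p=$pub_first
    while [ "$p" -le "$pub_last" ]; do
        q=$((priv_first + p - pub_first))
        echo "iptables -t nat -A PREROUTING -p tcp -d $pub_ip --dport $p -j DNAT --to-destination $priv_ip:$q"
        p=$((p + 1))
    done
}

# How many DNAT rules a range expands to (shows how "fat" a range really is).
count_dnat_rules() {
    gen_dnat_1to1 "$@" | grep -c 'DNAT'
}
```

Pipe the output through a review step and then into sh as root to load it; the FORWARD rule can be tightened further with a conntrack state match once the mapping is confirmed.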