From: Mart Frauenlob <mart.frauenlob@chello.at>
Cc: He Jiafu-MPNB73 <JHe@Motorola.com>, netfilter@vger.kernel.org
Subject: Re: Default server DNAT port remapping problem
Date: Tue, 09 Feb 2010 22:04:41 +0100
Message-ID: <4B71CDE9.6020004@chello.at>
In-Reply-To: <83EB8CF7119A7C47A6425E352065A72B071F83D6@ct11exm64.ds.mot.com>

On 09.02.2010 20:33, He Jiafu-MPNB73 wrote:
> Hi, guys,
>
> I've got a problem creating default servers using consecutive DNAT port
> range mapping.
>
> Suppose I have a router with a wan (say, 1.2.3.4) and LAN (192.168.1.1)
> and another internal server (192.168.1.100). I want to setup a couple of
> default servers to forward the wan access to ports 80-90 towards the
> internal server ports 8080-8090. I want the port mapping to be 1:1,
> i.e., 80 -> 8080, 81 -> 8081, ..., 90 -> 8090.
>
> I tried the following rules:
> # iptables -A PREROUTING -t nat -p udp -d 1.2.3.4 --dport 80:90 -j DNAT --to 192.168.1.100:8080-8090
> # iptables -A FORWARD -p udp -d 192.168.1.100 --dport 8080:8090 -j ACCEPT
>
> However, the results are pretty inconsistent. In some cases, I got
> shifted mapping like
> 83 -> 8080, 84 -> 8081, ...
> And even out-of-range mapping like
> 80 -> 8091, 81 -> 8092, ...
>
> Has anyone ever seen this before? Is this working as designed or a bug
> in the NAT code?
>
> Any suggestion?

Your rules say:
a packet coming to any of the ports 80 to 90, DNAT to any of the ports
8080 to 8090.

There is the --persistent option for the DNAT target, but that is also
not what you want.

You need a single rule for each port. 80->8080, 81->8081, etc.

If you recognize out of range mappings (should not be), you should
provide system details like:
kernel version
iptables version
logs (LOG and/or TRACE target)
tcpdumps

Btw, what is a default server?

Best regards

Mart
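
Added example, not part of the original message: a shell helper that prints one DNAT rule per port for the 1:1 mapping discussed above (80-90 on 1.2.3.4 to 8080-8090 on 192.168.1.100) so the rule set can be reviewed before it is applied. The function names `valid_port` and `gen_dnat_rules` are hypothetical; the addresses and port ranges are the ones from the thread, and the rules use the DNAT target's `--to-destination` option.

```shell
#!/bin/sh
# Added example: emit one DNAT rule per port for a fixed-offset 1:1 mapping.
# Nothing is applied; the commands are only printed for review.

# Succeeds only for a decimal port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_dnat_rules PROTO WAN_IP EXT_FIRST EXT_LAST DEST_IP INT_FIRST
gen_dnat_rules() {
    proto=$1 wan=$2 ext_first=$3 ext_last=$4 dest=$5 int_first=$6

    for p in "$ext_first" "$ext_last" "$int_first"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    [ "$ext_first" -le "$ext_last" ] || { echo "empty range" >&2; return 1; }

    # Every external port maps to external port + offset.
    offset=$((int_first - ext_first))
    int_last=$((ext_last + offset))
    valid_port "$int_last" || { echo "internal range exceeds 65535" >&2; return 1; }

    ext=$ext_first
    while [ "$ext" -le "$ext_last" ]; do
        echo "iptables -t nat -A PREROUTING -p $proto -d $wan --dport $ext -j DNAT --to-destination $dest:$((ext + offset))"
        ext=$((ext + 1))
    done
    # A single FORWARD rule can still cover the whole internal range.
    echo "iptables -A FORWARD -p $proto -d $dest --dport $int_first:$int_last -j ACCEPT"
}

# The mapping from the thread: udp 80-90 on 1.2.3.4 -> 8080-8090 on 192.168.1.100
gen_dnat_rules udp 1.2.3.4 80 90 192.168.1.100 8080
```
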