From: Pascal Hambourg <pascal@plouf.fr.eu.org>
To: Hamed Afshar <hamed_afshar@yahoo.com>
Cc: netfilter@vger.kernel.org
Subject: Re: question about port forwarding using dnat
Date: Thu, 07 Mar 2013 21:56:16 +0100
Message-ID: <5138FEF0.8070608@plouf.fr.eu.org>
In-Reply-To: <1362661333.71899.YahooMailClassic@web142706.mail.bf1.yahoo.com>

Hello,

Hamed Afshar wrote:
> Hi,
> I need to manipulate all output requests for an IP range and change the destination port.
> For a specific IP, the following rule works for me:
> 
> iptables -t nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 22 -j DNAT --to-destination 1.2.3.4:555
> 
> which is changing the destination port to 555 on all outgoing requests for port 22 for IP 1.2.3.4.
> But I need to apply this to an IP range.
> Something like this:
> 
> iptables -t nat -A OUTPUT -p tcp -d 1.2.3.0/24 --dport 22 -j DNAT --to-destination 1.2.3.0/24:555
> 
> to do the following:
> 1.2.3.1:22 => 1.2.3.1:555
> 1.2.3.2:22 => 1.2.3.2:555
> 1.2.3.3:22 => 1.2.3.3:555
> etc.
> 
> iptables accepts an IP range with the "-d" switch, but as for "--to-destination", it doesn't accept an IP range.

Yes it does. The DNAT section in the iptables man page states:

 --to-destination [ipaddr][-ipaddr][:port[-port]]
        which can specify a single new destination IP address, an
        inclusive range of IP addresses, and optionally, a port range
        (which is only valid if the rule also specifies -p tcp or -p udp).

But address ranges do not act as a 1:1 mapping, rather as a round-robin
or random mapping.

> Does anyone have any idea how should I do this?

The man page gives the answer in the following lines:

        If no port range is specified, then the destination port will
        never be modified. If no IP address is specified then only the
        destination port will be modified.
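The rule the man page excerpt points to, written out as an added example that is not part of the thread: the port-only form gives the 1:1 rewrite the question asks for, and the address-range form (which iptables does accept, written as first-last rather than CIDR) is shown beside it for contrast. The subnet 1.2.3.0/24 and ports 22 and 555 are the question's values; the DRY_RUN variable is my own convention so the script can be run without touching the NAT table.

```shell
#!/bin/sh
# Added example, not from the thread: build the OUTPUT-chain DNAT rules
# discussed above. With DRY_RUN=1 the iptables command is printed instead
# of executed (DRY_RUN is an assumption of this script, not an iptables flag).

run_or_print() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Correct form: no address in --to-destination, so each 1.2.3.x:22 keeps its
# original address and only the port changes (1:1 mapping, 1.2.3.1 -> 1.2.3.1:555).
dnat_port_only() {
    subnet="$1" old_port="$2" new_port="$3"
    run_or_print -t nat -A OUTPUT -p tcp -d "$subnet" --dport "$old_port" \
        -j DNAT --to-destination ":$new_port"
}

# Range form, for contrast: syntactically valid, but the new address is chosen
# from the range round-robin/randomly, so 1.2.3.1 may be sent to 1.2.3.7:555.
dnat_addr_range() {
    subnet="$1" first="$2" last="$3" old_port="$4" new_port="$5"
    run_or_print -t nat -A OUTPUT -p tcp -d "$subnet" --dport "$old_port" \
        -j DNAT --to-destination "$first-$last:$new_port"
}
```

Once applied, `iptables -t nat -S OUTPUT` shows the rule, and only connections opened after the rule is added are rewritten, since the NAT mapping is chosen when conntrack first sees a flow.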
