* One to One port range forwarding to different port range
@ 2015-08-05 16:49 Doug Applegate
  2015-08-06  7:26 ` Akshat Kakkar
  0 siblings, 1 reply; 4+ messages in thread
From: Doug Applegate @ 2015-08-05 16:49 UTC (permalink / raw)
  To: netfilter

Hello,

After testing and looking at the kernel source, I realize that this mapping:

iptables -t nat -I PREROUTING -p tcp -m tcp --dport 30000:40000 -j DNAT --to [local_ip]:10000-2000

Doesn't do a one-to-one port mapping
e.g.:
100.0.0.1:30000 > 192.168.0.5:10000
100.0.0.1:30001 > 192.168.0.5:10001
100.0.0.1:30002 > 192.168.0.5:10002

I was wondering if it was possible to do the 1:1 port range forwarding 
to different port ranges or if you have to use individual rules.

Thanks

Doug


* Re: One to One port range forwarding to different port range
  2015-08-05 16:49 One to One port range forwarding to different port range Doug Applegate
@ 2015-08-06  7:26 ` Akshat Kakkar
  2015-08-06 15:29   ` Doug Applegate
  0 siblings, 1 reply; 4+ messages in thread
From: Akshat Kakkar @ 2015-08-06  7:26 UTC (permalink / raw)
  To: Doug Applegate; +Cc: netfilter@vger.kernel.org

Firstly, assuming that 2000 is a typo; it should be 20000.

This will probably do a one-to-one port mapping, but that mapping will
be dynamic, depending on which port comes first.
So it could be:
100.0.0.1:30003 > 192.168.0.5 : 10000
100.0.0.1:30001 > 192.168.0.5 : 10001
100.0.0.1:33567 > 192.168.0.5 : 10002

Just depending on what order the traffic comes and what is the next
free port (Probably?)!

-Akshat

On Wed, Aug 5, 2015 at 10:19 PM, Doug Applegate
<dapplegate@cradlepoint.com> wrote:
> Hello,
>
> After testing and looking at the kernel source, I realize that this mapping:
>
> iptables -t nat -I PREROUTING -p tcp -m tcp --dport 30000:40000 -j DNAT --to
> [local_ip]:10000-2000
>
> Doesn't do a one-to-one port mapping
> e.g.:
> 100.0.0.1:30000 > 192.168.0.5:10000
> 100.0.0.1.30001 > 192.168.0.5:10001
> 100.0.0.1.30002 > 192.168.0.5:10002
>
> I was wondering if it was possible to do the 1:1 port range forwarding to
> different port ranges or if you have to use individual rules.
>
> Thanks
>
> Doug


* Re: One to One port range forwarding to different port range
  2015-08-06  7:26 ` Akshat Kakkar
@ 2015-08-06 15:29   ` Doug Applegate
  2015-08-06 16:51     ` John Miller
  0 siblings, 1 reply; 4+ messages in thread
From: Doug Applegate @ 2015-08-06 15:29 UTC (permalink / raw)
  To: Akshat Kakkar; +Cc: netfilter@vger.kernel.org

Akshat,

Thanks for clarifying the behaviour. I'm assuming then, that the only 
way to get 1:1 port mappings with different end point ports is to create 
a separate rule for each port?

Doug

On 08/06/2015 01:26 AM, Akshat Kakkar wrote:
>
> Firstly assuming that 2000 is a typo. It should be 20000.
>
> This will probably do a one-to-one port mapping but that mapping will
> be dynamic, depending on which port comes first.
> so it could be
> 100.0.0.1:30003 > 192.168.0.5 : 10000
> 100.0.0.1:30001 > 192.168.0.5 : 10001
> 100.0.0.1:33567 > 192.168.0.5 : 10002
>
> Just depending on what order the traffic comes and what is the next
> free port (Probably?)!
>
> -Akshat
>
> On Wed, Aug 5, 2015 at 10:19 PM, Doug Applegate
> <dapplegate@cradlepoint.com> wrote:
>> Hello,
>>
>> After testing and looking at the kernel source, I realize that this mapping:
>>
>> iptables -t nat -I PREROUTING -p tcp -m tcp --dport 30000:40000 -j DNAT --to
>> [local_ip]:10000-2000
>>
>> Doesn't do a one-to-one port mapping
>> e.g.:
>> 100.0.0.1:30000 > 192.168.0.5:10000
>> 100.0.0.1.30001 > 192.168.0.5:10001
>> 100.0.0.1.30002 > 192.168.0.5:10002
>>
>> I was wondering if it was possible to do the 1:1 port range forwarding to
>> different port ranges or if you have to use individual rules.
>>
>> Thanks
>>
>> Doug
>

-- 
Doug Applegate | Firmware Engineer | Cradlepoint
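
Added example, not part of the original thread: a shell function that generates the one-rule-per-port fallback asked about above, using a fixed offset so external port N always lands on the same internal port. The function name `gen_dnat_rules` and the sample addresses are illustrative assumptions; it only prints iptables-restore input and applies nothing.

```shell
#!/bin/sh
# Added example: emit one DNAT rule per port so that external port N
# always maps to internal port (N - ext_start + int_start).
# Output is iptables-restore syntax on stdout; no rule is installed here.

# gen_dnat_rules PROTO EXT_START EXT_END DEST_IP INT_START
gen_dnat_rules() {
    proto=$1 ext_start=$2 ext_end=$3 dest_ip=$4 int_start=$5

    # Ports must be 1-5 decimal digits with no leading zero (a leading
    # zero would be read as octal by shell arithmetic).
    for p in "$ext_start" "$ext_end" "$int_start"; do
        case $p in
            ''|*[!0-9]*|0*|??????*)
                echo "not a port number: $p" >&2; return 1 ;;
        esac
    done
    case $proto in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp" >&2; return 1 ;;
    esac
    # Only a coarse character check on the address; iptables-restore
    # performs the real validation when the rules are loaded.
    case $dest_ip in
        ''|*[!0-9.]*) echo "bad IPv4 address: $dest_ip" >&2; return 1 ;;
    esac

    # Both ranges have the same length, so the internal end is derived.
    int_end=$((int_start + ext_end - ext_start))
    if [ "$ext_start" -gt "$ext_end" ] ||
       [ "$ext_end" -gt 65535 ] || [ "$int_end" -gt 65535 ]; then
        echo "port range reversed or out of bounds" >&2
        return 1
    fi

    echo '*nat'
    port=$ext_start
    while [ "$port" -le "$ext_end" ]; do
        echo "-A PREROUTING -p $proto -m $proto --dport $port -j DNAT --to-destination $dest_ip:$((port - ext_start + int_start))"
        port=$((port + 1))
    done
    echo 'COMMIT'
}

# Constructed sample values matching the thread's example (30000 -> 10000).
# --noflush keeps the rules already in the nat table:
# gen_dnat_rules tcp 30000 40000 192.168.0.5 10000 | iptables-restore --noflush
```

Loading the generated rules through a single iptables-restore run commits them as one transaction instead of invoking iptables once per port.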



* Re: One to One port range forwarding to different port range
  2015-08-06 15:29   ` Doug Applegate
@ 2015-08-06 16:51     ` John Miller
  0 siblings, 0 replies; 4+ messages in thread
From: John Miller @ 2015-08-06 16:51 UTC (permalink / raw)
  Cc: netfilter@vger.kernel.org

When I saw this thread yesterday, I tried to pull this off using the
NETMAP target--obviously no dice.  To netfilter devs: could the NETMAP
target be extended to work with port numbers as well as IP addresses?

John
-- 
John Miller
Systems Engineer
Brandeis University
johnmill@brandeis.edu


On Thu, Aug 6, 2015 at 11:29 AM, Doug Applegate
<dapplegate@cradlepoint.com> wrote:
> Akshat,
>
> Thanks for clarifying the behaviour. I'm assuming then, that the only way to
> get 1:1 port mappings with different end point ports is to create a separate
> rule for each port?
>
> Doug
>
> On 08/06/2015 01:26 AM, Akshat Kakkar wrote:
>>
>>
>> Firstly assuming that 2000 is a typo. It should be 20000.
>>
>> This will probably do a one-to-one port mapping but that mapping will
>> be dynamic, depending on which port comes first.
>> so it could be
>> 100.0.0.1:30003 > 192.168.0.5 : 10000
>> 100.0.0.1:30001 > 192.168.0.5 : 10001
>> 100.0.0.1:33567 > 192.168.0.5 : 10002
>>
>> Just depending on what order the traffic comes and what is the next
>> free port (Probably?)!
>>
>> -Akshat
>>
>> On Wed, Aug 5, 2015 at 10:19 PM, Doug Applegate
>> <dapplegate@cradlepoint.com> wrote:
>>>
>>> Hello,
>>>
>>> After testing and looking at the kernel source, I realize that this
>>> mapping:
>>>
>>> iptables -t nat -I PREROUTING -p tcp -m tcp --dport 30000:40000 -j DNAT
>>> --to
>>> [local_ip]:10000-2000
>>>
>>> Doesn't do a one-to-one port mapping
>>> e.g.:
>>> 100.0.0.1:30000 > 192.168.0.5:10000
>>> 100.0.0.1.30001 > 192.168.0.5:10001
>>> 100.0.0.1.30002 > 192.168.0.5:10002
>>>
>>> I was wondering if it was possible to do the 1:1 port range forwarding to
>>> different port ranges or if you have to use individual rules.
>>>
