From: Mart Frauenlob <mart.frauenlob@chello.at>
Cc: He Jiafu-MPNB73 <JHe@Motorola.com>, netfilter@vger.kernel.org
Subject: Re: Default server DNAT port remapping problem
Date: Tue, 09 Feb 2010 22:04:41 +0100
Message-ID: <4B71CDE9.6020004@chello.at>
In-Reply-To: <83EB8CF7119A7C47A6425E352065A72B071F83D6@ct11exm64.ds.mot.com>

On 09.02.2010 20:33, He Jiafu-MPNB73 wrote:
> Hi, guys,
>
> I've got a problem creating default servers using consecutive DNAT port
> range mapping.
>
> Suppose I have a router with a wan (say, 1.2.3.4) and LAN (192.168.1.1)
> and another internal server (192.168.1.100). I want to setup a couple of
> default servers to forward the wan access to ports 80-90 towards the
> internal server ports 8080-8090. I want the port mapping to be 1:1,
> i.e., 80 -> 8080, 81 -> 8081, ..., 90 -> 8090.
>
> I tried the following rules:
> # iptables -A PREROUTING -t nat -p udp -d 1.2.3.4 --dport 80:90 -j
> DNAT --to 192.168.1.100:8080-8090
> # iptables -A FORWARD -p udp -d 192.168.1.100 --dport 8080:8090 -j
> ACCEPT
>
> However, the results are pretty inconsistent. In some cases, I got
> shifted mapping like
> 83 -> 8080, 84 -> 8081, ...
> And even out-of-range mapping like
> 80 -> 8091, 81 -> 8092, ...
>
> Has anyone ever seen this before? Is this working as designed or a bug
> in the NAT code?
>
> Any suggestion?

Your rules say:
a packet coming to any of the ports 80 to 90, DNAT to any of the ports
8080 to 8090.

There is the --persistent option for the DNAT target, but that is also
not what you want.
You need a single rule for each port: 80->8080, 81->8081, etc.

If you recognize out of range mappings (should not be), you should
provide system details like:
kernel version
iptables version
logs (LOG and/or TRACE target)
tcpdumps

Btw, what is a default server?

Best regards
Mart
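
The one-rule-per-port approach from the reply above, as an added example that is not part of the original message: a shell function (gen_port_map is a hypothetical name) that prints one DNAT rule per port for the 80-90 to 8080-8090 mapping from the question. It only prints the commands so they can be reviewed before being applied; the addresses are the ones used in the question.

```shell
#!/bin/sh
# Added example, not from the original thread.
# gen_port_map PROTO WAN_IP LAN_IP FIRST_WAN_PORT LAST_WAN_PORT FIRST_LAN_PORT
# Prints one DNAT rule per WAN port so that each port maps 1:1 to
# FIRST_LAN_PORT + (port - FIRST_WAN_PORT), plus one FORWARD accept rule.
gen_port_map() {
    proto=$1 wan_ip=$2 lan_ip=$3 first=$4 last=$5 lan_first=$6

    # Reject empty, non-numeric, zero-prefixed or too-large port values.
    for p in "$first" "$last" "$lan_first"; do
        case $p in
            ''|0*|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    [ "$first" -le "$last" ] || { echo "empty port range" >&2; return 1; }

    # The translated range must also fit below 65536.
    offset=$((lan_first - first))
    lan_last=$((last + offset))
    [ "$lan_last" -le 65535 ] || { echo "mapped range too high" >&2; return 1; }

    # A single destination port per rule leaves the kernel no choice
    # of which port in a range to pick.
    port=$first
    while [ "$port" -le "$last" ]; do
        echo "iptables -t nat -A PREROUTING -p $proto -d $wan_ip --dport $port -j DNAT --to-destination $lan_ip:$((port + offset))"
        port=$((port + 1))
    done

    # Filtering happens after DNAT, so FORWARD matches the translated ports.
    echo "iptables -A FORWARD -p $proto -d $lan_ip --dport $lan_first:$lan_last -j ACCEPT"
}

# Rules for the setup described in the question (UDP, 80-90 -> 8080-8090).
gen_port_map udp 1.2.3.4 192.168.1.100 80 90 8080
```

Pipe the output to sh as root only after checking it.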