* Default server DNAT port remapping problem
From: He Jiafu-MPNB73 @ 2010-02-09 19:33 UTC (permalink / raw)
To: netfilter
Hi, guys,
I've got a problem creating default servers using consecutive DNAT port
range mapping.
Suppose I have a router with a wan (say, 1.2.3.4) and LAN (192.168.1.1)
and another internal server (192.168.1.100). I want to setup a couple of
default servers to forward the wan access to ports 80-90 towards the
internal server ports 8080-8090. I want the port mapping to be 1:1,
i.e., 80 -> 8080, 81 -> 8081, ..., 90 -> 8090.
I tried the following rules:
# iptables -A PREROUTING -t nat -p udp -d 1.2.3.4 --dport 80:90 -j DNAT --to 192.168.1.100:8080-8090
# iptables -A FORWARD -p udp -d 192.168.1.100 --dport 8080:8090 -j ACCEPT
However, the results are pretty inconsistent. In some cases, I got
shifted mapping like
83 -> 8080, 84 -> 8081, ...
And even out-of-range mapping like
80 -> 8091, 81 -> 8092, ...
Has anyone ever seen this before? Is this working as designed or a bug
in the NAT code?
Any suggestion?
Thanks in advance!
J.
* Re: Default server DNAT port remapping problem
From: Mart Frauenlob @ 2010-02-09 21:04 UTC (permalink / raw)
Cc: He Jiafu-MPNB73, netfilter
On 09.02.2010 20:33, He Jiafu-MPNB73 wrote:
> Hi, guys,
>
> I've got a problem creating default servers using consecutive DNAT port
> range mapping.
>
> Suppose I have a router with a wan (say, 1.2.3.4) and LAN (192.168.1.1)
> and another internal server (192.168.1.100). I want to setup a couple of
> default servers to forward the wan access to ports 80-90 towards the
> internal server ports 8080-8090. I want the port mapping to be 1:1,
> i.e., 80 -> 8080, 81 -> 8081, ..., 90 -> 8090.
>
> I tried the following rules:
> # iptables -A PREROUTING -t nat -p udp -d 1.2.3.4 --dport 80:90 -j DNAT --to 192.168.1.100:8080-8090
> # iptables -A FORWARD -p udp -d 192.168.1.100 --dport 8080:8090 -j ACCEPT
>
> However, the results are pretty inconsistent. In some cases, I got
> shifted mapping like
> 83 -> 8080, 84 -> 8081, ...
> And even out-of-range mapping like
> 80 -> 8091, 81 -> 8092, ...
>
> Has anyone ever seen this before? Is this working as designed or a bug
> in the NAT code?
>
> Any suggestion?
Your rules say:
a packet coming to any of the ports 80 to 90, DNAT to any of the ports
8080 to 8090.
There is the --persistent option for the DNAT target, but that is also
not what you want.
You need a single rule for each port: 80->8080, 81->8081, etc.
If you recognize out-of-range mappings (there should not be any), you should
provide system details like:
kernel version
iptables version
logs (LOG and/or TRACE target)
tcpdumps
Btw, what is a default server?
Best regards
Mart
* RE: Default server DNAT port remapping problem
From: He Jiafu-MPNB73 @ 2010-02-09 22:28 UTC (permalink / raw)
To: netfilter; +Cc: Mart Frauenlob
On 09.02.2010, Mart wrote:
> Your rules say:
>
> a packet coming to any of the ports 80 to 90, DNAT to any of
> the ports 8080 to 8090.
> There is the --persistent option for the DNAT target, but
> that is also not what you want.
No, --persistent doesn't work for my purpose here.
> You need a single rule for each port. 80->8080 81->8081, etc.
That is a dirty work-around we can have for now. However, as the range
grows, the rule list gets very long.
>
> If you recognize out of range mappings (should not be), you
> should provide system details like:
>
> kernel version
> iptables version
> logs (LOG and/or TRACE target)
> tcpdumps
>
kernel version: 2.6.25.20
iptables version: v1.4.0
I used "nmap -r -sU -p80-90 1.2.3.4" to scan the ports; in the 2nd
round, the logs showed the port shifting out-of-range. See the following
logs for an example. In the logs, 192.168.1.254 is the wan ip while
192.168.1.220 is the lan, and the following iptables rules are used:
# iptables -A PREROUTING -t nat -p udp -d 192.168.1.254 --dport 12340:12345 -j NFLOG
# iptables -A PREROUTING -t nat -p udp -d 192.168.1.254 --dport 12340:12345 -j DNAT --to 192.168.1.220:12350-12355
# iptables -A FORWARD -p udp -d 192.168.1.220 --dport 12340:13340 -j NFLOG
# iptables -A FORWARD -p udp -d 192.168.1.220 --dport 12340:13340 -j ACCEPT
------------- LOGS --------------------
>>> nmap: 1st round
2010-02-09T21:53:58Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=38 ID=23595 PROTO=UDP SPT=51920 DPT=12343 LEN=8
2010-02-09T21:53:58Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=37 ID=23595 PROTO=UDP SPT=51920 DPT=12350 LEN=8
2010-02-09T21:53:58Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=57 ID=64686 PROTO=UDP SPT=51920 DPT=12344 LEN=8
2010-02-09T21:53:58Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=56 ID=64686 PROTO=UDP SPT=51920 DPT=12351 LEN=8
2010-02-09T21:53:58Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=15770 PROTO=UDP SPT=51920 DPT=12345 LEN=8
2010-02-09T21:53:58Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=15770 PROTO=UDP SPT=51920 DPT=12352 LEN=8
2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=56 ID=29109 PROTO=UDP SPT=51921 DPT=12345 LEN=8
2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=29109 PROTO=UDP SPT=51921 DPT=12352 LEN=8
2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=41 ID=18198 PROTO=UDP SPT=51921 DPT=12344 LEN=8
2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=40 ID=18198 PROTO=UDP SPT=51921 DPT=12353 LEN=8
2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=42 ID=37539 PROTO=UDP SPT=51921 DPT=12343 LEN=8
2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=41 ID=37539 PROTO=UDP SPT=51921 DPT=12354 LEN=8
2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=50 ID=17666 PROTO=UDP SPT=51921 DPT=12342 LEN=8
2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=49 ID=17666 PROTO=UDP SPT=51921 DPT=12355 LEN=8
>>> nmap: 2nd round
2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=45 ID=15316 PROTO=UDP SPT=51921 DPT=12341 LEN=8
2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=15316 PROTO=UDP SPT=51921 DPT=12356 LEN=8 <<< out-of-range
2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=40 ID=62201 PROTO=UDP SPT=51921 DPT=12340 LEN=8
2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=39 ID=62201 PROTO=UDP SPT=51921 DPT=12357 LEN=8
2010-02-09T21:54:04Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=51642 PROTO=UDP SPT=60234 DPT=12340 LEN=8
2010-02-09T21:54:04Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=43 ID=51642 PROTO=UDP SPT=60234 DPT=12357 LEN=8
2010-02-09T21:54:04Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=40 ID=38513 PROTO=UDP SPT=60234 DPT=12341 LEN=8
2010-02-09T21:54:04Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=39 ID=38513 PROTO=UDP SPT=60234 DPT=12358 LEN=8
2010-02-09T21:54:04Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=46541 PROTO=UDP SPT=60234 DPT=12342 LEN=8
2010-02-09T21:54:04Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=53 ID=46541 PROTO=UDP SPT=60234 DPT=12359 LEN=8
2010-02-09T21:54:04Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=38 ID=53546 PROTO=UDP SPT=60234 DPT=12343 LEN=8
2010-02-09T21:54:04Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=37 ID=53546 PROTO=UDP SPT=60234 DPT=12360 LEN=8
2010-02-09T21:54:04Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=37 ID=46568 PROTO=UDP SPT=60234 DPT=12344 LEN=8
2010-02-09T21:54:04Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=36 ID=46568 PROTO=UDP SPT=60234 DPT=12361 LEN=8
2010-02-09T21:54:04Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=42 ID=37904 PROTO=UDP SPT=60234 DPT=12345 LEN=8
2010-02-09T21:54:04Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=41 ID=37904 PROTO=UDP SPT=60234 DPT=12362 LEN=8
2010-02-09T21:54:05Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=53 ID=43785 PROTO=UDP SPT=60235 DPT=12345 LEN=8
2010-02-09T21:54:05Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=52 ID=43785 PROTO=UDP SPT=60235 DPT=12362 LEN=8
2010-02-09T21:54:05Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=53 ID=6305 PROTO=UDP SPT=60235 DPT=12344 LEN=8
2010-02-09T21:54:05Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=52 ID=6305 PROTO=UDP SPT=60235 DPT=12363 LEN=8
2010-02-09T21:54:05Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=60572 PROTO=UDP SPT=60235 DPT=12343 LEN=8
2010-02-09T21:54:05Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=60572 PROTO=UDP SPT=60235 DPT=12364 LEN=8
2010-02-09T21:54:05Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=43 ID=6114 PROTO=UDP SPT=60235 DPT=12342 LEN=8
2010-02-09T21:54:05Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=42 ID=6114 PROTO=UDP SPT=60235 DPT=12365 LEN=8
2010-02-09T21:54:05Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=49 ID=48857 PROTO=UDP SPT=60235 DPT=12341 LEN=8
2010-02-09T21:54:05Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=48 ID=48857 PROTO=UDP SPT=60235 DPT=12366 LEN=8
2010-02-09T21:54:05Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=59 ID=39061 PROTO=UDP SPT=60235 DPT=12340 LEN=8
2010-02-09T21:54:05Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=58 ID=39061 PROTO=UDP SPT=60235 DPT=12367 LEN=8
---------------------------------
I did a quick look at net/ipv4/netfilter/nf_nat_proto_udp.c, and changed
the line 44 in function "udp_unique_tuple()":
- static u_int16_t port;
+ u_int16_t port;
and the out-of-range problem goes away. Not sure what else this change
might break. Similar changes must also be done for tcp.
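Review bot: dropping `static` leaves `port` an uninitialized automatic variable inside `udp_unique_tuple()`, so whatever the function does with it before the first assignment reads an indeterminate value; if the intent is to start the port search from a fixed point on every call, initialize it explicitly (`u_int16_t port = 0;`) rather than relying on stack contents. The caveat that the change may break something else is warranted: a function named `udp_unique_tuple()` serves every UDP NAT mapping that selects from a port range, not only this DNAT rule, so the change needs testing beyond this one case before it is carried over to tcp as suggested.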
>
> Btw, what is a default server?
>
Oh, Geez, typo typo, I mean "virtual server" here. Sorry for that.
Thanks.
Jiafu
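Two things from the exchange above lend themselves to a small tool: Mart's point that a single DNAT rule with a --to port range lets the NAT core pick any port in that range, so a fixed 1:1 mapping needs one rule per port, and Jiafu's NFLOG excerpt, where the PREROUTING entry (before DNAT) and the FORWARD entry (after DNAT) for the same probe reveal which mapping was actually applied. The following Python is an added example written for this thread, not code from either poster or from the netfilter project. It pairs pre- and post-NAT log entries by IP ID plus source port (an assumption about how to correlate them; it holds for these logs because nmap sends one datagram per probe), classifies each observed mapping as 1:1, shifted within the range, or out of range, and emits the per-port rule set Mart recommends. The sample log lines are the thread's own entries re-joined onto one line each; the verdict names and the `--to-destination` spelling of the DNAT option are the example's choices.

```python
"""Recover the DNAT port mapping a kernel applied from LOG/NFLOG output and
emit the one-rule-per-port alternative. Added example for this thread, not
code from the original posts."""
import re

# key=value tokens of an iptables LOG/NFLOG line (OUT= may be empty).
FIELD_RE = re.compile(r"(\w+)=(\S*)")
INT_FIELDS = ("ID", "SPT", "DPT", "TTL")

# Constructed from the thread's log excerpt (wrapped lines re-joined): one
# PREROUTING entry before DNAT and one FORWARD entry after DNAT per probe;
# the IP ID and the source port tie the two together.
SAMPLE_LOG_LINES = [
    "2010-02-09T21:53:58Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=38 ID=23595 PROTO=UDP SPT=51920 DPT=12343 LEN=8",
    "2010-02-09T21:53:58Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=37 ID=23595 PROTO=UDP SPT=51920 DPT=12350 LEN=8",
    "2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=45 ID=15316 PROTO=UDP SPT=51921 DPT=12341 LEN=8",
    "2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=15316 PROTO=UDP SPT=51921 DPT=12356 LEN=8",
    "2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=40 ID=62201 PROTO=UDP SPT=51921 DPT=12340 LEN=8",
    "2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=39 ID=62201 PROTO=UDP SPT=51921 DPT=12357 LEN=8",
]


def parse_log_line(line):
    """Split one LOG/NFLOG line into a dict; numeric header fields become ints."""
    fields = dict(FIELD_RE.findall(line))
    for name in INT_FIELDS:
        if name in fields:
            fields[name] = int(fields[name])
    return fields


def classify(ext_port, int_port, ext_range, int_range):
    """Compare an observed mapping with the intended 1:1 offset mapping."""
    ext_lo, _ = ext_range
    int_lo, int_hi = int_range
    if int_port == int_lo + (ext_port - ext_lo):
        return "ok"
    if int_lo <= int_port <= int_hi:
        return "shifted"          # inside the --to range, but not 1:1
    return "out-of-range"         # outside the --to range altogether


def pair_mappings(lines, ext_range, int_range):
    """Return [(external_dport, internal_dport, verdict)] in log order.

    A PREROUTING entry (logged before the nat DNAT rule) is matched with the
    FORWARD entry (logged after DNAT) carrying the same IP ID and source port.
    """
    pending = {}
    results = []
    for line in lines:
        f = parse_log_line(line)
        if "ID" not in f or "SPT" not in f or "DPT" not in f:
            continue
        key = (f["ID"], f["SPT"])
        if f.get("hook") == "PREROUTING":
            pending[key] = f["DPT"]
        elif f.get("hook") == "FORWARD" and key in pending:
            ext_port = pending.pop(key)
            results.append((ext_port, f["DPT"],
                            classify(ext_port, f["DPT"], ext_range, int_range)))
    return results


def check_thread_logs():
    """Evaluate the thread's excerpt: --dport 12340:12345 --to ...:12350-12355."""
    return pair_mappings(SAMPLE_LOG_LINES, (12340, 12345), (12350, 12355))


def per_port_rules(wan_ip, lan_ip, proto, ext_range, int_range):
    """One DNAT rule plus one FORWARD ACCEPT rule per port, as the reply suggests.

    Returns iptables command lines as strings. A single rule with a --to port
    range leaves the port choice to the NAT core, so it cannot express a
    fixed 1:1 mapping; enumerating the ports does.
    """
    ext_lo, ext_hi = ext_range
    int_lo, int_hi = int_range
    if ext_hi - ext_lo != int_hi - int_lo:
        raise ValueError("external and internal port ranges must be the same size")
    rules = []
    for offset in range(ext_hi - ext_lo + 1):
        ext_port, int_port = ext_lo + offset, int_lo + offset
        rules.append(f"iptables -t nat -A PREROUTING -p {proto} -d {wan_ip} "
                     f"--dport {ext_port} -j DNAT --to-destination {lan_ip}:{int_port}")
        rules.append(f"iptables -A FORWARD -p {proto} -d {lan_ip} "
                     f"--dport {int_port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for ext_port, int_port, verdict in check_thread_logs():
        print(f"{ext_port} -> {int_port}: {verdict}")
    print("\n".join(per_port_rules("1.2.3.4", "192.168.1.100", "udp",
                                   (80, 90), (8080, 8090))))
```

Run against the excerpt, the first-round probe to 12343 lands on 12350 (shifted but in range) and the second-round probes to 12341 and 12340 land on 12356 and 12357 (outside the --to range), which is exactly the progression the logs show. The same pairing works on a live box by feeding it the kernel log with matching NFLOG or LOG rules in nat PREROUTING and filter FORWARD, as in the thread.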
* Re: Default server DNAT port remapping problem
From: Mart Frauenlob @ 2010-02-10 18:05 UTC (permalink / raw)
To: netfilter
On 09.02.2010 23:28, He Jiafu-MPNB73 wrote:
> On 09.02.2010, Mart wrote:
>
> kernel version: 2.6.25.20
> iptables version: v1.4.0
>
> I used "nmap -r -sU -p80-90 1.2.3.4" to scan the ports; in the 2nd
> round, the logs showed the port shifting out-of-range. See the following
> logs for an example. In the logs, 192.168.1.254 is the wan ip while
> 192.168.1.220 is the lan, and the following iptables rules are used:
> # iptables -A PREROUTING -t nat -p udp -d 192.168.1.254 --dport 12340:12345 -j NFLOG
> # iptables -A PREROUTING -t nat -p udp -d 192.168.1.254 --dport 12340:12345 -j DNAT --to 192.168.1.220:12350-12355
> # iptables -A FORWARD -p udp -d 192.168.1.220 --dport 12340:13340 -j NFLOG
> # iptables -A FORWARD -p udp -d 192.168.1.220 --dport 12340:13340 -j ACCEPT
>
> >>> nmap: 2nd round
> 2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=45 ID=15316 PROTO=UDP SPT=51921 DPT=12341 LEN=8
> 2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=15316 PROTO=UDP SPT=51921 DPT=12356 LEN=8 <<< out-of-range
well, not as it should be...
> I did a quick look at net/ipv4/netfilter/nf_nat_proto_udp.c, and changed
> the line 44 in function "udp_unique_tuple()":
> - static u_int16_t port;
> + u_int16_t port;
> and the out-of-range problem goes away. Not sure what else this change
> might break. Similar changes must also be done for tcp.
>
did you try a newer kernel 2.6.32.x?
Best regards
Mart
* RE: Default server DNAT port remapping problem
From: He Jiafu-MPNB73 @ 2010-02-10 22:37 UTC (permalink / raw)
To: netfilter; +Cc: Mart Frauenlob
> On 10.02.2010, Mart wrote:
>
> > kernel version: 2.6.25.20
> > iptables version: v1.4.0
> >
> > I used "nmap -r -sU -p80-90 1.2.3.4" to scan the ports; in the 2nd
> > round, the logs showed the port shifting out-of-range. See the
> > following logs for an example. In the logs, 192.168.1.254 is the wan
> > ip while 192.168.1.220 is the lan, and the following iptables rules
> > are used:
> > # iptables -A PREROUTING -t nat -p udp -d 192.168.1.254 --dport 12340:12345 -j NFLOG
> > # iptables -A PREROUTING -t nat -p udp -d 192.168.1.254 --dport 12340:12345 -j DNAT --to 192.168.1.220:12350-12355
> > # iptables -A FORWARD -p udp -d 192.168.1.220 --dport 12340:13340 -j NFLOG
> > # iptables -A FORWARD -p udp -d 192.168.1.220 --dport 12340:13340 -j ACCEPT
> >
> > >>> nmap: 2nd round
> > 2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=45 ID=15316 PROTO=UDP SPT=51921 DPT=12341 LEN=8
> > 2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=15316 PROTO=UDP SPT=51921 DPT=12356 LEN=8 <<< out-of-range
>
> well, not as it should be...
>
> > I did a quick look at net/ipv4/netfilter/nf_nat_proto_udp.c, and
> > changed the line 44 in function "udp_unique_tuple()":
> > - static u_int16_t port;
> > + u_int16_t port;
> > and the out-of-range problem goes away. Not sure what else this change
> > might break. Similar changes must also be done for tcp.
> >
>
> did you try a newer kernel 2.6.32.x?
No, not yet. But I had a quick look at the 2.6.31.6 code and saw that the
"static" is gone and that the codebase has changed significantly.
Thanks for your help so far.
Best regards,
Jiafu