From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: Default server DNAT port remapping problem
Date: Wed, 10 Feb 2010 19:05:25 +0100 [thread overview]
Message-ID: <4B72F565.202@chello.at> (raw)
In-Reply-To: <83EB8CF7119A7C47A6425E352065A72B071F8474@ct11exm64.ds.mot.com>
On 09.02.2010 23:28, He Jiafu-MPNB73 wrote:
> On 09.02.2010, Mart wrote:
>
> kernel version: 2.6.25.20
> iptables version: v1.4.0
>
> I used "nmap -r -sU -p80-90 1.2.3.4" to scan the ports, at the 2nd
> round, the logs showed the port shifting out-of-range. See the following
> logs for an example. In the logs, 192.168.1.254 is the wan ip and while
> 192.168.1.220 is the lan, and the following iptables rules are used:
> # iptables -A PREROUTING -t nat -p udp -d 192.168.1.254 --dport 12340:12345 -j NFLOG
> # iptables -A PREROUTING -t nat -p udp -d 192.168.1.254 --dport 12340:12345 -j DNAT --to 192.168.1.220:12350-12355
> # iptables -A FORWARD -p udp -d 192.168.1.220 --dport 12340:13340 -j NFLOG
> # iptables -A FORWARD -p udp -d 192.168.1.220 --dport 12340:13340 -j ACCEPT
>
> >>> nmap: 2nd round
> 2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=45 ID=15316 PROTO=UDP SPT=51921 DPT=12341 LEN=8
> 2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=15316 PROTO=UDP SPT=51921 DPT=12356 LEN=8 <<< out-of-range
well, not as it should be...
> I did a quick look at net/ipv4/netfilter/nf_nat_proto_udp.c, and changed
> line 44 in function "udp_unique_tuple()":
> - static u_int16_t port;
> + u_int16_t port;
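Review bot: Dropping `static` without adding an initializer leaves `port` as an uninitialized automatic variable, so if udp_unique_tuple() reads `port` before assigning it (for instance as the starting offset of its port search), that read is undefined behaviour and the starting value is simply whatever is on the stack. If the goal is to stop the offset carrying over between calls, make the starting value explicit, e.g. `u_int16_t port = 0;` (or assign it from a defined source before the first use), rather than relying on an indeterminate value.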
> and the out-of-range problem goes away. Not sure what else this change
> might break. Similar changes must also be done for tcp.
>
did you try a newer kernel 2.6.32.x?
Best regards
Mart
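The test He Jiafu describes above (scan a DNATed port range with nmap, log each packet with NFLOG before and after DNAT, and compare the destination ports) can be checked mechanically. The script below is an added example, not code from this thread or from netfilter: it parses NFLOG/ulogd-style lines in the format shown in the quoted log, pairs the PREROUTING line (before DNAT) with the FORWARD line (after DNAT) of the same packet by IP ID and UDP source port, and reports every forwarded packet whose DPT falls outside the range given to `--to`. The embedded log lines are constructed to mirror the quoted ones (round 1 maps into the range, round 2 does not); the function names and the file-argument convention are the example's own.

```python
"""Flag DNAT port-range mappings that land outside the configured range.

Added example (not from the thread or from netfilter). Reads NFLOG/ulogd
style lines, matches each pre-DNAT PREROUTING line with the post-DNAT
FORWARD line of the same packet, and reports out-of-range DPT values.
"""
import re
import sys

# One KEY=VALUE field; empty values such as "OUT=" are kept as "".
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_dnat_target(target):
    """Split an iptables DNAT --to argument of the form IP:PORT or IP:LO-HI
    into (ip, lo, hi). Only these two forms are handled."""
    ip, sep, ports = target.partition(":")
    if not sep or not ports:
        raise ValueError("expected IP:PORT or IP:LO-HI, got %r" % target)
    lo, sep, hi = ports.partition("-")
    lo = int(lo)
    hi = int(hi) if sep else lo
    if not (0 < lo <= hi <= 65535):
        raise ValueError("bad port range in %r" % target)
    return ip, lo, hi


def parse_fields(line):
    """Return the KEY=VALUE fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def find_out_of_range(lines, lan_ip, lo, hi):
    """Return (ip_id, original_dpt, mapped_dpt) for every FORWARD-hook UDP
    packet to lan_ip whose destination port is outside lo..hi. The IP ID
    and UDP source port survive DNAT, so they key the pre/post pairing."""
    pre_dnat = {}
    out_of_range = []
    for line in lines:
        f = parse_fields(line)
        if f.get("PROTO") != "UDP" or "ID" not in f or "SPT" not in f:
            continue
        key = (f["ID"], f["SPT"])
        if f.get("hook") == "PREROUTING":
            pre_dnat[key] = int(f["DPT"])
        elif f.get("hook") == "FORWARD" and f.get("DST") == lan_ip:
            mapped = int(f["DPT"])
            if not lo <= mapped <= hi:
                out_of_range.append((f["ID"], pre_dnat.get(key), mapped))
    return out_of_range


# Constructed sample, modelled on the log format quoted in the message:
# round 1 maps 12341 into 12350-12355, round 2 maps it to 12356.
SAMPLE_LOG = """\
2010-02-09T21:53:58Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=45 ID=15300 PROTO=UDP SPT=51921 DPT=12341 LEN=8
2010-02-09T21:53:58Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=15300 PROTO=UDP SPT=51921 DPT=12351 LEN=8
2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=45 ID=15316 PROTO=UDP SPT=51921 DPT=12341 LEN=8
2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=15316 PROTO=UDP SPT=51921 DPT=12356 LEN=8
"""


if __name__ == "__main__":
    # Usage: check_dnat.py [logfile]; without an argument the sample is used.
    lan_ip, lo, hi = parse_dnat_target("192.168.1.220:12350-12355")
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for ip_id, orig, mapped in find_out_of_range(lines, lan_ip, lo, hi):
        print("ID=%s: DPT %s mapped to %d, outside %d-%d"
              % (ip_id, orig, mapped, lo, hi))
```

On the sample the script reports only the second-round packet (ID 15316, 12341 mapped to 12356). Against a real run, feed it the NFLOG output written by ulogd while the nmap scan is in progress; the pairing relies on the IP ID and UDP source port being unchanged by DNAT, which holds for the rules quoted above since only the destination is rewritten.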
Thread overview: 5+ messages
2010-02-09 19:33 Default server DNAT port remapping problem He Jiafu-MPNB73
2010-02-09 21:04 ` Mart Frauenlob
2010-02-09 22:28 ` He Jiafu-MPNB73
2010-02-10 18:05 ` Mart Frauenlob [this message]
2010-02-10 22:37 ` He Jiafu-MPNB73