The semantics of:
    iptables -t nat --append PREROUTING -p udp --dport nn:mm -j DNAT \
        --to-destination a.b.c.d:pp-qq
I find somewhat surprising. It appears to be an efficient way to forward a range of ports. But it doesn't work that way. To forward a range of ports it seems that one needs to do:
    # external ports nn..mm map one-to-one onto internal ports pp..
    s=nn
    d=pp
    while [ $s -le mm ]
    do
        iptables -t nat --append PREROUTING -p udp --dport $s -j DNAT \
            --to-destination a.b.c.d:$d
        s=$(expr $s + 1)
        d=$(expr $d + 1)
    done
This certainly isn't efficient, and can be rather slow. Presumably it can cause large tables to be built in the kernel.
Is there a better way to do it? Has anyone built a module to do 1-to-1 NAT of a port range? Are the current semantics of a range to range DNAT useful? If not, how hard would it be to change?
Thanks
--- Charlie
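[Added example, not part of Charlie's post.] The per-port loop above pays for a full table reload on every iptables invocation. The usual way to avoid that, without a new kernel module, is to generate all the one-to-one rules as text and load them in a single iptables-restore commit; the kernel still ends up with one rule per port, so the "large table" concern stands, only the time to install it goes down. The script below is an illustration written for this thread; the address 10.0.0.5, the port numbers and the function names are assumptions, not taken from the original.

```shell
#!/bin/sh
# Added example: emit an iptables-restore fragment that DNATs an external
# port range one-to-one onto a shifted internal range, then load it in one
# table commit instead of one iptables invocation per port.
# Assumed/constructed parameters: 10.0.0.5 and the ports used below are
# illustrative, not taken from the original post.

# gen_dnat_rules PROTO DST_IP FIRST_EXT LAST_EXT FIRST_INT
# Prints a nat-table fragment mapping FIRST_EXT..LAST_EXT onto
# FIRST_INT.. on DST_IP, one rule per external port.
gen_dnat_rules() {
    proto=$1 dst=$2 ext=$3 last=$4 int=$5
    [ "$ext" -le "$last" ] || { echo "empty port range" >&2; return 1; }
    echo '*nat'
    while [ "$ext" -le "$last" ]; do
        echo "-A PREROUTING -p $proto --dport $ext -j DNAT --to-destination $dst:$int"
        ext=$((ext + 1))
        int=$((int + 1))
    done
    echo 'COMMIT'
}

# Number of rules a mapping produces: one per port, which is also the
# number of entries the kernel will hold and walk for each packet.
rule_count() {
    gen_dnat_rules "$@" | grep -c '^-A '
}

# Usage: set DNAT_APPLY=1 to load the rules for real (needs root).
# iptables-restore -n (--noflush) appends to the existing nat table
# instead of replacing it.
if [ "${DNAT_APPLY:-0}" = 1 ]; then
    gen_dnat_rules udp 10.0.0.5 5000 5009 6000 | iptables-restore -n
else
    gen_dnat_rules udp 10.0.0.5 5000 5009 6000
fi
```

The generated fragment is plain iptables-restore syntax, so it can also be saved and re-applied at boot; the range check refuses an empty or inverted range rather than silently producing no rules.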