RE: Default server DNAT port remapping problem

On 09.02.2010, Mart wrote: 
> Your rules say:
> 
> a packet coming to any of the ports 80 to 90, DNAT to any of 
> the ports 8080 to 8090.
> There is the --persistent option for the DNAT target, but 
> that is also not what you want.

No, --persistent doesn't work for my purpose here.

> You need a single rule for each port. 80->8080 81->8081, etc.

That is a dirty work-around we can have for now. However, as the range
grows, the rule list gets very long.

> 
> If you recognize out of range mappings (should not be), you 
> should provide system details like:
> 
> kernel version
> iptables version
> logs (LOG and/or TRACE target)
> tcpdumps
> 

kernel version: 2.6.25.20
iptables version: v1.4.0

I used "nmap -r -sU -p80-90 1.2.3.4" to scan the ports; in the 2nd
round, the logs showed the port shifting out-of-range. See the following
logs for an example. In the logs, 192.168.1.254 is the WAN IP while
192.168.1.220 is the LAN IP, and the following iptables rules are used:
    # iptables -A PREROUTING -t nat -p udp -d 192.168.1.254 --dport 12340:12345 -j NFLOG
    # iptables -A PREROUTING -t nat -p udp -d 192.168.1.254 --dport 12340:12345 -j DNAT --to 192.168.1.220:12350-12355
    # iptables -A FORWARD -p udp -d 192.168.1.220 --dport 12340:13340 -j NFLOG
    # iptables -A FORWARD -p udp -d 192.168.1.220 --dport 12340:13340 -j ACCEPT

------------- LOGS --------------------
>>> nmap: 1st round
2010-02-09T21:53:58Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=38 ID=23595 PROTO=UDP SPT=51920 DPT=12343 LEN=8
2010-02-09T21:53:58Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=37 ID=23595 PROTO=UDP SPT=51920 DPT=12350 LEN=8
2010-02-09T21:53:58Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=57 ID=64686 PROTO=UDP SPT=51920 DPT=12344 LEN=8
2010-02-09T21:53:58Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=56 ID=64686 PROTO=UDP SPT=51920 DPT=12351 LEN=8
2010-02-09T21:53:58Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=15770 PROTO=UDP SPT=51920 DPT=12345 LEN=8
2010-02-09T21:53:58Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=15770 PROTO=UDP SPT=51920 DPT=12352 LEN=8
2010-02-09T21:53:59Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=56 ID=29109 PROTO=UDP SPT=51921 DPT=12345 LEN=8
2010-02-09T21:53:59Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=29109 PROTO=UDP SPT=51921 DPT=12352 LEN=8
2010-02-09T21:53:59Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=41 ID=18198 PROTO=UDP SPT=51921 DPT=12344 LEN=8
2010-02-09T21:53:59Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=40 ID=18198 PROTO=UDP SPT=51921 DPT=12353 LEN=8
2010-02-09T21:53:59Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=42 ID=37539 PROTO=UDP SPT=51921 DPT=12343 LEN=8
2010-02-09T21:53:59Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=41 ID=37539 PROTO=UDP SPT=51921 DPT=12354 LEN=8
2010-02-09T21:53:59Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=50 ID=17666 PROTO=UDP SPT=51921 DPT=12342 LEN=8
2010-02-09T21:53:59Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=49 ID=17666 PROTO=UDP SPT=51921 DPT=12355 LEN=8

>>> nmap: 2nd round
2010-02-09T21:53:59Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=45 ID=15316 PROTO=UDP SPT=51921 DPT=12341 LEN=8
2010-02-09T21:53:59Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=15316 PROTO=UDP SPT=51921 DPT=12356 LEN=8   <<< out-of-range
2010-02-09T21:53:59Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=40 ID=62201 PROTO=UDP SPT=51921 DPT=12340 LEN=8
2010-02-09T21:53:59Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=39 ID=62201 PROTO=UDP SPT=51921 DPT=12357 LEN=8
2010-02-09T21:54:04Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=51642 PROTO=UDP SPT=60234 DPT=12340 LEN=8
2010-02-09T21:54:04Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=43 ID=51642 PROTO=UDP SPT=60234 DPT=12357 LEN=8
2010-02-09T21:54:04Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=40 ID=38513 PROTO=UDP SPT=60234 DPT=12341 LEN=8
2010-02-09T21:54:04Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=39 ID=38513 PROTO=UDP SPT=60234 DPT=12358 LEN=8
2010-02-09T21:54:04Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=46541 PROTO=UDP SPT=60234 DPT=12342 LEN=8
2010-02-09T21:54:04Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=53 ID=46541 PROTO=UDP SPT=60234 DPT=12359 LEN=8
2010-02-09T21:54:04Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=38 ID=53546 PROTO=UDP SPT=60234 DPT=12343 LEN=8
2010-02-09T21:54:04Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=37 ID=53546 PROTO=UDP SPT=60234 DPT=12360 LEN=8
2010-02-09T21:54:04Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=37 ID=46568 PROTO=UDP SPT=60234 DPT=12344 LEN=8
2010-02-09T21:54:04Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=36 ID=46568 PROTO=UDP SPT=60234 DPT=12361 LEN=8
2010-02-09T21:54:04Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=42 ID=37904 PROTO=UDP SPT=60234 DPT=12345 LEN=8
2010-02-09T21:54:04Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=41 ID=37904 PROTO=UDP SPT=60234 DPT=12362 LEN=8
2010-02-09T21:54:05Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=53 ID=43785 PROTO=UDP SPT=60235 DPT=12345 LEN=8
2010-02-09T21:54:05Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=52 ID=43785 PROTO=UDP SPT=60235 DPT=12362 LEN=8
2010-02-09T21:54:05Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=53 ID=6305 PROTO=UDP SPT=60235 DPT=12344 LEN=8
2010-02-09T21:54:05Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=52 ID=6305 PROTO=UDP SPT=60235 DPT=12363 LEN=8
2010-02-09T21:54:05Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=60572 PROTO=UDP SPT=60235 DPT=12343 LEN=8
2010-02-09T21:54:05Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=60572 PROTO=UDP SPT=60235 DPT=12364 LEN=8
2010-02-09T21:54:05Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=43 ID=6114 PROTO=UDP SPT=60235 DPT=12342 LEN=8
2010-02-09T21:54:05Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=42 ID=6114 PROTO=UDP SPT=60235 DPT=12365 LEN=8
2010-02-09T21:54:05Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=49 ID=48857 PROTO=UDP SPT=60235 DPT=12341 LEN=8
2010-02-09T21:54:05Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=48 ID=48857 PROTO=UDP SPT=60235 DPT=12366 LEN=8
2010-02-09T21:54:05Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=59 ID=39061 PROTO=UDP SPT=60235 DPT=12340 LEN=8
2010-02-09T21:54:05Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=58 ID=39061 PROTO=UDP SPT=60235 DPT=12367 LEN=8
---------------------------------

I took a quick look at net/ipv4/netfilter/nf_nat_proto_udp.c and changed
line 44 in the function "udp_unique_tuple()":
    - static u_int16_t port;
    + u_int16_t port;
and the out-of-range problem goes away. Not sure what else this change
might break. Similar changes must also be done for tcp.
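Review bot: dropping `static` without adding an initializer leaves `port` holding an indeterminate stack value on every call, so the loop's starting point becomes undefined behaviour rather than a deliberate policy; if the intent is to restart the search from the beginning of the range each time, write `u_int16_t port = 0;` explicitly. The static counter is there to rotate the starting port between flows, so making it per-call also changes allocation behaviour (every new flow would prefer the lowest free port in the range) instead of fixing whatever lets the computed port exceed the configured maximum; the arithmetic that derives the target port from that counter and the range bounds is where the value should be kept within range, and the tcp counterpart needs the same review before this goes beyond a diagnostic.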

> 
> Btw, what is a default server?
> 

Oh, Geez, typo typo, I mean "virtual server" here. Sorry for that.

Thanks.

Jiafu
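As an added diagnostic (not part of the original post or of netfilter), the following Python script pairs each PREROUTING NFLOG entry with the FORWARD entry for the same packet (same IP ID and source port) and reports every translation whose forwarded DPT falls outside the configured DNAT --to range; the embedded log lines are constructed copies of the format quoted above with the MAC field dropped.

```python
import re

# Constructed sample in the NFLOG format quoted in the post (one entry per
# line, MAC field dropped): one in-range mapping and one out-of-range mapping.
SAMPLE_LOG = """\
2010-02-09T21:53:58Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=38 ID=23595 PROTO=UDP SPT=51920 DPT=12343 LEN=8
2010-02-09T21:53:58Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=37 ID=23595 PROTO=UDP SPT=51920 DPT=12350 LEN=8
2010-02-09T21:53:59Z L4  hook=PREROUTING mark=0 IN=eth0 OUT= SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=45 ID=15316 PROTO=UDP SPT=51921 DPT=12341 LEN=8
2010-02-09T21:53:59Z L4  hook=FORWARD mark=0 IN=eth0 OUT=eth0 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=15316 PROTO=UDP SPT=51921 DPT=12356 LEN=8
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_entry(line):
    """Split one NFLOG line into its key=value fields (hook, ID, SPT, DPT, ...).
    LEN appears twice (IP header and UDP header); the last one wins, which
    does not matter for the port check."""
    return dict(FIELD_RE.findall(line))


def find_out_of_range(log_text, dnat_range=(12350, 12355)):
    """Pair the PREROUTING and FORWARD entries of each packet and return
    (SPT, original DPT, translated DPT) for every translation whose new
    destination port lies outside dnat_range (inclusive bounds)."""
    lo, hi = dnat_range
    packets = {}
    for line in log_text.splitlines():
        f = parse_entry(line)
        if f.get("PROTO") != "UDP" or "ID" not in f or "DPT" not in f:
            continue
        key = (f["ID"], int(f["SPT"]))  # IP ID survives DNAT, so it links both hooks
        packets.setdefault(key, {})[f["hook"]] = int(f["DPT"])
    bad = []
    for (_, spt), hooks in packets.items():
        if "PREROUTING" in hooks and "FORWARD" in hooks:
            orig, translated = hooks["PREROUTING"], hooks["FORWARD"]
            if not lo <= translated <= hi:
                bad.append((spt, orig, translated))
    return bad


if __name__ == "__main__":
    for spt, orig, new in find_out_of_range(SAMPLE_LOG):
        print(f"SPT={spt}: DPT {orig} -> {new} is outside the DNAT range")
```

Feed it the real NFLOG output (after rejoining wrapped lines) and a non-empty result is the out-of-range condition the post describes, independent of eyeballing the DPT column.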