On 09.02.2010 23:28, He Jiafu-MPNB73 wrote:
> On 09.02.2010, Mart wrote:
>
> kernel version: 2.6.25.20
> iptables version: v1.4.0
>
> I used "nmap -r -sU -p80-90 1.2.3.4" to scan the ports; at the 2nd
> round, the logs showed the port shifting out-of-range. See the following
> logs for an example. In the logs, 192.168.1.254 is the WAN IP while
> 192.168.1.220 is the LAN, and the following iptables rules are used:
>
> # iptables -A PREROUTING -t nat -p udp -d 192.168.1.254 --dport 12340:12345 -jNFLOG
> # iptables -A PREROUTING -t nat -p udp -d 192.168.1.254 --dport 12340:12345 -j DNAT --to 192.168.1.220:12350-12355
> # iptables -A FORWARD -p udp -d 192.168.1.220 --dport 12340:13340 -jNFLOG
> # iptables -A FORWARD -p udp -d 192.168.1.220 --dport 12340:13340 -j ACCEPT
>
>>>> nmap: 2nd round
> 2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=45 ID=15316 PROTO=UDP SPT=51921 DPT=12341 LEN=8
> 2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=15316 PROTO=UDP SPT=51921 DPT=12356 LEN=8 <<< out-of-range
> well, not as it should be...
>
> I did a quick look at net/ipv4/netfilter/nf_nat_proto_udp.c, and changed
> line 44 in function "udp_unique_tuple()":
>
> - static u_int16_t port;
> + u_int16_t port;
>
> and the out-of-range problem goes away. Not sure what else this change
> might break. Similar changes must also be done for tcp.
>

Did you try a newer kernel, 2.6.32.x?

Best regards
Mart
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
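Review bot: once `static` is dropped, `u_int16_t port;` has no initializer, so if the function reads `port` before assigning it (the surrounding lines of udp_unique_tuple() are not quoted here) every call now starts from an indeterminate stack value, which is undefined behaviour rather than a fix; if the intent is to restart the search on each call, write `u_int16_t port = 0;`. Because the only change is the storage class, the symptom disappearing suggests the real defect is that the value carried over between calls is not being confined to the configured range before it is used; a fix that bounds the selected port to the range would address that directly, and the same check applies to the TCP counterpart mentioned.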
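The thread's evidence is the pair of NFLOG records for one packet, one from the nat PREROUTING hook before DNAT and one from FORWARD after it, with the rewritten destination port outside the range the DNAT rule allows. The following checker is an added example, not code from the thread or from netfilter: it pairs such records by IP ID, source address and source port, and reports every packet whose translated destination port falls outside the rule's target range. The rule constants are taken from the iptables rules quoted above; the sample log reproduces the two quoted records (MAC field joined across the mail wrap) plus one constructed in-range pair for contrast. The record layout, the pairing key and the `DNAT_RULE` structure are this example's own assumptions.

```python
import re

# DNAT mapping under test, from the quoted iptables rules:
#   -d 192.168.1.254 --dport 12340:12345 -j DNAT --to 192.168.1.220:12350-12355
DNAT_RULE = {
    "orig_dst": "192.168.1.254",
    "orig_ports": (12340, 12345),
    "new_dst": "192.168.1.220",
    "new_ports": (12350, 12355),
}

# Sample log: the two records quoted in the thread, followed by a constructed
# healthy pair (ID=15315, 12340 -> 12350) that stays inside the target range.
SAMPLE_LOG = [
    "2010-02-09T21:53:59Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=45 ID=15316 PROTO=UDP SPT=51921 DPT=12341 LEN=8",
    "2010-02-09T21:53:59Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=15316 PROTO=UDP SPT=51921 DPT=12356 LEN=8",
    "2010-02-09T21:53:58Z L4 hook=PREROUTING mark=0 IN=eth0 OUT= MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.254 LEN=28 TOS=0x00 PREC=0x00 TTL=45 ID=15315 PROTO=UDP SPT=51921 DPT=12340 LEN=8",
    "2010-02-09T21:53:58Z L4 hook=FORWARD mark=0 IN=eth0 OUT=eth0 MAC=00:00:00:00:00:00:00:0c:29:b2:87:6c:08:00 SRC=192.168.1.220 DST=192.168.1.220 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=15315 PROTO=UDP SPT=51921 DPT=12350 LEN=8",
]

_KV = re.compile(r"(\w+)=(\S*)")


def parse_nflog_line(line):
    """Split one 'hook=... SRC=... DPT=...' record into a dict of string fields.

    LEN= appears twice (IP length, then UDP length); the second wins, which is
    fine because neither is used by the range check.  OUT= with no value parses
    to an empty string.
    """
    return dict(_KV.findall(line))


def find_out_of_range_dnat(lines, rule=DNAT_RULE):
    """Pair pre-NAT (PREROUTING) and post-NAT (FORWARD) records of the same packet
    and return (original_dport, translated_dport) for every packet the DNAT rule
    matched whose translated destination port is outside the rule's target range.
    """
    pending = {}   # (ID, SRC, SPT) -> PREROUTING record awaiting its FORWARD twin
    bad = []
    lo, hi = rule["orig_ports"]
    new_lo, new_hi = rule["new_ports"]

    for line in lines:
        f = parse_nflog_line(line)
        if f.get("PROTO") != "UDP":
            continue
        key = (f.get("ID"), f.get("SRC"), f.get("SPT"))
        hook = f.get("hook")

        if hook == "PREROUTING":
            pending[key] = f
        elif hook == "FORWARD" and key in pending:
            before = pending.pop(key)
            # Only packets the DNAT rule matched are subject to the range check.
            if before["DST"] != rule["orig_dst"] or not lo <= int(before["DPT"]) <= hi:
                continue
            new_port = int(f["DPT"])
            if f["DST"] != rule["new_dst"] or not new_lo <= new_port <= new_hi:
                bad.append((int(before["DPT"]), new_port))
    return bad


if __name__ == "__main__":
    for orig, translated in find_out_of_range_dnat(SAMPLE_LOG):
        print("DNAT out of range: dport %d -> %d (allowed %d-%d)"
              % (orig, translated, *DNAT_RULE["new_ports"]))
```

The checker deliberately tests only membership in the target range, not an exact port, because the kernel may pick any free port within the range rather than a fixed offset. Pairing on IP ID plus source address and port is a heuristic: the ID field can repeat or be zero on some senders, so on a busy gateway restrict the input to the NFLOG records of the rules in question and treat a match as a lead to confirm, not a verdict.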