Hello, Hamed Afshar wrote:
> Hi,
> I need to manipulate all output requests for an IP range and change the destination port.
> For a specific IP, the following rule works for me:
>
> iptables -t nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 22 -j DNAT --to-destination 1.2.3.4:555
>
> which is changing the destination port to 555 on all outgoing requests for port 22 for IP 1.2.3.4.
> But I need to apply this to an IP range.
> Something like this:
>
> iptables -t nat -A OUTPUT -p tcp -d 1.2.3.0/24 --dport 22 -j DNAT --to-destination 1.2.3.0/24:555
>
> to do the following:
> 1.2.3.1:22 => 1.2.3.1:555
> 1.2.3.2:22 => 1.2.3.2:555
> 1.2.3.3:22 => 1.2.3.3:555
> etc
>
> iptables accepts an IP range with the "-d" switch, but as for "--to-destination", it doesn't accept an IP range.

Yes it does. The DNAT section in the iptables man page states:

    --to-destination [ipaddr][-ipaddr][:port[-port]]
        which can specify a single new destination IP address, an inclusive
        range of IP addresses, and optionally, a port range (which is only
        valid if the rule also specifies -p tcp or -p udp).

But an address range does not act as a 1:1 mapping, rather as a round-robin or random mapping.

> Does anyone have any idea how I should do this?

The man page gives the answer in the following lines:

    If no port range is specified, then the destination port will never be
    modified. If no IP address is specified then only the destination port
    will be modified.
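As an added illustration (not part of the thread or of iptables itself), here is a small Python model of the `--to-destination [ipaddr][-ipaddr][:port[-port]]` grammar quoted above and of what a `-d <net> --dport <port> -j DNAT` rule does to a packet's destination. The `pick` callback stands in for the kernel's choice of an address or port within a range, which this model deliberately does not reproduce; the rule-matching logic is likewise a simplification of mine.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class ToDestination:
    """Parsed DNAT --to-destination: [ipaddr][-ipaddr][:port[-port]] (IPv4 only here)."""
    ip_lo: Optional[ipaddress.IPv4Address] = None
    ip_hi: Optional[ipaddress.IPv4Address] = None
    port_lo: Optional[int] = None
    port_hi: Optional[int] = None


def parse_to_destination(spec: str) -> ToDestination:
    """Parse the argument string. CIDR notation such as 1.2.3.0/24 is rejected
    (ValueError), matching the behaviour the original poster ran into."""
    td = ToDestination()
    ip_part, _, port_part = spec.partition(":")
    if ip_part:
        lo, _, hi = ip_part.partition("-")
        td.ip_lo = ipaddress.IPv4Address(lo)              # AddressValueError on "1.2.3.0/24"
        td.ip_hi = ipaddress.IPv4Address(hi) if hi else td.ip_lo
        if td.ip_hi < td.ip_lo:
            raise ValueError(f"inverted address range: {ip_part}")
    if port_part:
        lo, _, hi = port_part.partition("-")
        td.port_lo = int(lo)
        td.port_hi = int(hi) if hi else td.port_lo
        if not 1 <= td.port_lo <= td.port_hi <= 65535:
            raise ValueError(f"bad port range: {port_part}")
    return td


def rewrite(dst_ip: str, dst_port: int, match_net: str, match_dport: int,
            td: ToDestination, pick: Callable[[int, int], int] = random.randint) -> Tuple[str, int]:
    """Model of '-d <match_net> -p tcp --dport <match_dport> -j DNAT --to-destination <td>'.
    Returns the destination the packet carries afterwards. A range is modelled as
    'some value in the range' chosen by pick(lo, hi), i.e. not a 1:1 mapping."""
    ip = ipaddress.IPv4Address(dst_ip)
    if ip not in ipaddress.IPv4Network(match_net) or dst_port != match_dport:
        return dst_ip, dst_port                           # rule does not match: untouched
    new_ip, new_port = ip, dst_port
    if td.ip_lo is not None:                              # address part given: replaced
        new_ip = ipaddress.IPv4Address(pick(int(td.ip_lo), int(td.ip_hi)))
    if td.port_lo is not None:                            # port part given: replaced
        new_port = pick(td.port_lo, td.port_hi)
    return str(new_ip), new_port                          # ":555" alone keeps the address
```

With `parse_to_destination(":555")` the address is never touched and only the port becomes 555, which is the 1:1 behaviour the question asked for; with `"1.2.3.1-1.2.3.3:555"` the address is whatever `pick` selects from the range.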