iptables -t nat -A PREROUTING -p tcp --dport 1000 -j DNAT --to-destination 1.1.1.1:1234
iptables -t nat -A PREROUTING -p tcp --dport 1001 -j DNAT --to-destination 1.1.1.1:2222
iptables -t nat -A PREROUTING -p tcp --dport 1002 -j DNAT --to-destination 2.2.1.1:1234
iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 1.1.1.1:1234
iptables -t nat -A PREROUTING -p udp --dport 1000 -j DNAT --to-destination 1.1.1.1:1234
iptables -t nat -A PREROUTING -p udp --dport 2000 -j DNAT --to-destination 8.8.8.8:53
iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 2.2.2.2:1234
(many of these)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

2015-09-21 16:49 GMT+08:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
> On Mon, Sep 21, 2015 at 10:09:25AM +0800, 神楽坂玲奈 wrote:
>> I'm running many port forwarding services on a Linux server. There will
>> be many (maybe thousands of) port forward rules, so I want to use an
>> nftables map to improve performance rather than just many rules.
>>
>> The policy will be [protocol : port -> address : port], like [tcp 1234
>> -> 1.1.1.1:4321]: forward tcp port 1234 to address 1.1.1.1, same
>> protocol, port 4321.
>> The protocol may only be tcp or udp, so it's also OK if the key can
>> support only one port field; I can set maps and rules for each
>> protocol.
>>
>> The problem is, how do I define the value "ip:port" using a map?
>>
>> I tried creating 2 maps, using
>>
>> > nft add map nat forward_address {type inet_service : ipv4_addr \;}
>> > nft add map nat forward_port {type inet_service : inet_service \;}
>>
>> but then I don't know how to set the dnat rule... It seems the dnat
>> destination can only accept one map value? And also I don't know how to
>> set "ip:port" as one value in a map.
>
> Could you provide an example of your iptables ruleset? Thanks.
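The following is an added example, not part of this thread and not code from the netfilter project: it translates the iptables DNAT rules above into a single nftables ruleset whose forwarding table is a map with concatenated `ipv4_addr . inet_service` values, so one `dnat to tcp dport map @fwd_tcp` rule replaces thousands of per-port rules. Concatenated map values are exactly what the poster was missing; they need an nft and kernel newer than this 2015 thread (nft 0.9.4 / Linux 5.7 or later). The rule list embedded in the script is a constructed copy of the poster's ruleset; the map and chain names `fwd_tcp`, `fwd_udp`, `prerouting` and `postrouting` are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset that
# implements the poster's iptables DNAT rules with per-protocol maps of
# concatenated "address . port" values. Requires nft >= 0.9.4 / Linux >= 5.7
# (assumption: that is where concatenated map values became available).

# Constructed input: the poster's rules, one per line (the 3000 rule's
# destination is written as 2.2.2.2:1234, the obviously intended form).
IPTABLES_RULES='iptables -t nat -A PREROUTING -p tcp --dport 1000 -j DNAT --to-destination 1.1.1.1:1234
iptables -t nat -A PREROUTING -p tcp --dport 1001 -j DNAT --to-destination 1.1.1.1:2222
iptables -t nat -A PREROUTING -p tcp --dport 1002 -j DNAT --to-destination 2.2.1.1:1234
iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 1.1.1.1:1234
iptables -t nat -A PREROUTING -p udp --dport 1000 -j DNAT --to-destination 1.1.1.1:1234
iptables -t nat -A PREROUTING -p udp --dport 2000 -j DNAT --to-destination 8.8.8.8:53
iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 2.2.2.2:1234
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE'

# Emit "dport : addr . port," map elements for one protocol ($1 = tcp|udp),
# picking only -j DNAT rules and dropping the comma on the final element.
dnat_elements() {
    printf '%s\n' "$IPTABLES_RULES" |
    awk -v proto="$1" '
        $0 ~ ("-p " proto " ") && /-j DNAT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            split(dst, a, ":")          # "addr:port" -> a[1], a[2]
            printf "        %s : %s . %s,\n", dport, a[1], a[2]
        }' | sed '$ s/,$//'
}

# Print the complete nftables ruleset (feed it to: nft -f -).
gen_nft_ruleset() {
    cat <<EOF
table ip nat {
    map fwd_tcp {
        type inet_service : ipv4_addr . inet_service
        elements = {
$(dnat_elements tcp)
        }
    }
    map fwd_udp {
        type inet_service : ipv4_addr . inet_service
        elements = {
$(dnat_elements udp)
        }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # One rule per protocol: the map lookup yields "addr . port" for dnat.
        dnat to tcp dport map @fwd_tcp
        dnat to udp dport map @fwd_udp
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth1" masquerade
    }
}
EOF
}

gen_nft_ruleset
```

Because the map keys are per-protocol, tcp 1000 and udp 1000 live in different maps and do not collide, which matches the poster's remark that a single port key per protocol is enough. Adding or removing a forward later is a map element operation (`nft add element ip nat fwd_tcp { 4000 : 3.3.3.3 . 80 }`), not a rule insertion.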