I am trying to figure out how to set up exclusive port mappings, e.g. so
that port 1025 on the gateway is mapped to 192.168.1.2:1200 and port
2025 is mapped to 192.168.1.3:2300, each in both directions, and nothing
else can get those external ports. For example:
iptables -t nat -A PREROUTING -i eth0 -p udp -d 128.66.0.1 --dport 1025 -j DNAT --to-destination 192.168.1.2:1200
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.2 --sport 1200 -j SNAT --to-source 128.66.0.1:1025
iptables -t nat -A PREROUTING -i eth0 -p udp -d 128.66.0.1 --dport 2025 -j DNAT --to-destination 192.168.1.3:2300
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.3 --sport 2300 -j SNAT --to-source 128.66.0.1:2025
iptables -t nat -A POSTROUTING -o eth0 -p udp -j SNAT --to-source 128.66.0.1:49152-65535
The problem is that this translates all the other ports on all the other
clients to 49152-65535, and I want to avoid unnecessary port translation.
The ideal thing would be to make the last line something like this:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 128.66.0.1:1-1024,1026-2024,2026-65535
But apparently that isn't supported. You get 98% of the way there with this:
iptables -t nat -A POSTROUTING -o eth0 -p udp ! -s 192.168.1.2 --sport 1025 -j SNAT --to-source 128.66.0.1:49152-65535
iptables -t nat -A POSTROUTING -o eth0 -p udp ! -s 192.168.1.3 --sport 2025 -j SNAT --to-source 128.66.0.1:49152-65535
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 128.66.0.1
The problem then is if there is a conflict between clients using any
source port, the second client will get port 1024 and the third will get
port 1025, which should not be allowed. (This is obviously not going to
be common but it complicates things if it can happen at all and
adversarial clients could do it on purpose.)
Another possibility would be to do this:
iptables -t nat -A POSTROUTING -o eth0 -p udp --sport 1:1024 -j SNAT --to-source 128.66.0.1:1-1024
iptables -t nat -A POSTROUTING -o eth0 -p udp --sport 1025:2024 -j SNAT --to-source 128.66.0.1:1026-2024
iptables -t nat -A POSTROUTING -o eth0 -p udp --sport 2025:65535 -j SNAT --to-source 128.66.0.1:2026-65535
That works as long as the mapped ports are far apart, but it's quite
ugly and if any of the port ranges are very small then all the ports
could get used up and cause conflicting sessions to be dropped on the
floor even though there are many other free ports.
Is there any good way to exclude arbitrarily many specific ports from SNAT?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
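As an added example (not part of the message above), this script generalizes the third approach from the message, the range-partitioned SNAT rules, to an arbitrary set of exclusively mapped external ports: it computes the free external port ranges, tiles the whole source-port space over them so that adjacent reserved ports never produce an empty target range, and renders one iptables rule per free range. The interface (eth0), protocol (udp) and gateway address (128.66.0.1) are taken from the message; everything else is constructed for illustration. Note the syntax asymmetry: --sport takes lo:hi while --to-source takes ip:lo-hi.

```python
#!/usr/bin/env python3
"""Generate range-partitioned SNAT rules that keep a set of external
ports free for exclusive DNAT/SNAT mappings (added example)."""

PORT_MIN, PORT_MAX = 1, 65535


def free_ranges(reserved):
    """Maximal runs of external ports not in `reserved`, as (lo, hi) pairs."""
    ranges, lo = [], PORT_MIN
    for p in sorted(set(reserved)):
        if p < PORT_MIN or p > PORT_MAX:
            raise ValueError(f"port {p} out of range")
        if p > lo:                      # a non-empty run ends just before p
            ranges.append((lo, p - 1))
        lo = p + 1
    if lo <= PORT_MAX:                  # trailing run after the last reserved port
        ranges.append((lo, PORT_MAX))
    return ranges


def snat_partition(reserved):
    """Pair each source-port range with the free external range it maps to.

    Source ranges tile PORT_MIN..PORT_MAX and are cut at the start of each
    free range, so reserved ports fold into the preceding source range and
    a target range is never empty (even for adjacent reserved ports)."""
    free = free_ranges(reserved)
    if not free:
        raise ValueError("every port is reserved; nothing left for SNAT")
    pairs = []
    for i, (lo, hi) in enumerate(free):
        src_lo = PORT_MIN if i == 0 else lo
        src_hi = PORT_MAX if i == len(free) - 1 else free[i + 1][0] - 1
        pairs.append(((src_lo, src_hi), (lo, hi)))
    return pairs


def iptables_rules(reserved, ext_ip, iface="eth0", proto="udp"):
    """Render the POSTROUTING rules. The exclusive per-host SNAT rules
    (e.g. 192.168.1.2:1200 -> 128.66.0.1:1025) must be appended before these
    so they match first."""
    lines = []
    for (slo, shi), (dlo, dhi) in snat_partition(reserved):
        lines.append(f"iptables -t nat -A POSTROUTING -o {iface} -p {proto} "
                     f"--sport {slo}:{shi} -j SNAT --to-source {ext_ip}:{dlo}-{dhi}")
    return lines


if __name__ == "__main__":
    print("\n".join(iptables_rules({1025, 2025}, "128.66.0.1")))
```

The size of each target range (hi - lo + 1) is the number of concurrent flows that rule can carry, which is exactly the exhaustion caveat raised in the message: a reserved port sitting next to a small gap yields a rule with very little capacity.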