Re: dnat port range to single port, udp, between two local machines on a LAN

On 01/31/2017 11:28 AM, Brian Bostwick wrote:
Hi, I am running DD WRT and trying to use iptables to change the
destination port based on a port range used by the source connection.
I am not very well versed with this tool, but have had success doing
similar things, but not using a port range and over TCP.

I am using two rules, after scourging the internet for help. The
answer I found says that I can do DNAT in the PREROUTING, but I have
to have an SNAT rule in the POSTROUTING back to the source IP.

Here are my two rules:

iptables -t nat -A PREROUTING -p udp --dport 45000:65000 -j DNAT
--to-destination 192.168.1.131:5000

iptables -t nat -A POSTROUTING -p udp -d 192.168.1.131 --dport
45000:65000 -j SNAT --to-source 192.168.1.122

I don't think the second one makes sense, because I believe I would
need to specify the exact destination port (original source port),
which I do not have because it is a rule based off a range.

In Wireshark, I see no change:

142243 1078.651017 192.168.1.122 192.168.1.131 UDP 144 9296 → 55900 Len=102

I hope this makes sense. Basically, I would like to change the
destination port going from A to B, where the originating packet will
be on a port range and UDP. Is this possible between two local
machines behind the same router?

Thanks!

It sounds like what you are trying to do is many:one hairpin NAT between two machines on the same subnet, which is Very Ugly. To actually do it on the router, you would need something like this (not tested):

iptables -t nat -A PREROUTING -p udp -d 192.168.1.1 --dport 45000:65000 -j DNAT --to-destination 192.168.1.131:5000
iptables -t nat -A POSTROUTING -p udp -d 192.168.1.131 --dport 5000 -j SNAT --to-source 192.168.1.1

Then when 192.168.1.122 wants to communicate with 192.168.1.131, it has to use the address 192.168.1.1 (the address of the router) instead. If it uses the address of the actual destination, its operating system knows that address is on the same subnet and sends the packets directly to the MAC of the destination instead of to the router.

If "192.168.1.131" is a Linux device it would be better to just add this rule to that device directly:

iptables -t nat -A PREROUTING -p udp --dport 45000:65000 -j REDIRECT --to-ports 5000

Other operating systems probably have something equivalent.
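To make the routing point in the reply concrete, here is a small Python model of the nat path, added as an example and not code from the thread or from netfilter. It assumes the 192.168.1.0/24 subnet and the router address 192.168.1.1 used in the reply, a first-match nat chain, and a conntrack table that un-translates replies. It shows why the poster's rules never fire (the sender delivers a same-subnet destination directly), what the hairpin DNAT+SNAT pair does to the request and the reply, and how the REDIRECT-on-the-server design avoids the router entirely.

```python
"""Toy model of the netfilter nat path for the two designs in the reply.
Constructed example; addresses and ports taken from the thread."""
from dataclasses import dataclass, replace
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed from the thread's addresses
ROUTER_IP = "192.168.1.1"                      # router address used in the reply


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """The 4-tuple a reply to this packet would carry."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    """One nat rule: -d match (optional), --dport low:high, and a target."""
    chain: str            # "PREROUTING" or "POSTROUTING"
    target: str           # "DNAT", "SNAT" or "REDIRECT"
    dports: tuple         # (low, high) inclusive
    dst_ip: str = None    # -d, None means any destination
    to_ip: str = None
    to_port: int = None

    def matches(self, pkt):
        return (self.dst_ip in (None, pkt.dst_ip)
                and self.dports[0] <= pkt.dst_port <= self.dports[1])

    def apply(self, pkt):
        if self.target in ("DNAT", "REDIRECT"):   # rewrite the destination
            return replace(pkt, dst_ip=self.to_ip or pkt.dst_ip,
                           dst_port=self.to_port or pkt.dst_port)
        return replace(pkt, src_ip=self.to_ip or pkt.src_ip,   # SNAT
                       src_port=self.to_port or pkt.src_port)


def next_hop(pkt):
    """Sender's routing decision: a destination inside the LAN is sent straight to
    the peer's MAC; only the router's own address or an off-subnet address reaches
    the router, so router-side rules never see direct LAN traffic."""
    if pkt.dst_ip == ROUTER_IP or ipaddress.ip_address(pkt.dst_ip) not in LAN:
        return "router"
    return "direct"


class NatBox:
    """A host running the nat table: PREROUTING before the routing decision,
    POSTROUTING after it, plus conntrack so replies are un-translated without
    consulting the rules again."""

    def __init__(self, own_ip):
        self.own_ip = own_ip
        self.rules = []
        self.conntrack = {}   # original packet -> translated packet

    def add(self, rule):
        self.rules.append(rule)

    def _run(self, chain, pkt):
        for r in self.rules:
            if r.chain == chain and r.matches(pkt):
                return r.apply(pkt)   # first match wins, as in the nat table
        return pkt

    def receive(self, pkt):
        for orig, xlated in self.conntrack.items():   # reply direction?
            if pkt == xlated.reverse():
                return orig.reverse()                 # undo both translations
        out = self._run("PREROUTING", pkt)
        if out.dst_ip != self.own_ip:                 # routing decision: forward
            out = self._run("POSTROUTING", out)
        self.conntrack[pkt] = out
        return out


def posters_rules_outcome():
    """The poster's rules sit on the router, but .122 addresses .131 directly."""
    return next_hop(Packet("192.168.1.122", 9296, "192.168.1.131", 55900))


def hairpin_on_router():
    """First design in the reply: client addresses the router, which DNATs, then SNATs."""
    router = NatBox(ROUTER_IP)
    router.add(Rule("PREROUTING", "DNAT", (45000, 65000), dst_ip=ROUTER_IP,
                    to_ip="192.168.1.131", to_port=5000))
    router.add(Rule("POSTROUTING", "SNAT", (5000, 5000), dst_ip="192.168.1.131",
                    to_ip=ROUTER_IP))
    request = Packet("192.168.1.122", 9296, ROUTER_IP, 55900)
    to_server = router.receive(request)           # what .131 actually sees
    reply = router.receive(to_server.reverse())   # .131 answers the router
    return to_server, reply


def redirect_on_server():
    """Second design in the reply: REDIRECT on .131 itself, router not involved."""
    server = NatBox("192.168.1.131")
    server.add(Rule("PREROUTING", "REDIRECT", (45000, 65000), to_port=5000))
    request = Packet("192.168.1.122", 9296, "192.168.1.131", 55900)
    delivered = server.receive(request)
    reply = server.receive(delivered.reverse())
    return next_hop(request), delivered, reply
```

In the hairpin case the SNAT to the router's address is what keeps the reply on the router: without it, 192.168.1.131 would answer 192.168.1.122 directly from port 5000, and the client, which sent to 192.168.1.1:55900, would discard a reply from an address and port it never contacted.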