Re: Error: conflicting intervals specified - Bullseye 0.9.8


 



On 16/09/2021 at 14:58, Pablo Neira Ayuso wrote:
[...]
so you want to redirect all ports except a few of them?

   add map x mymap { type ipv4_addr : ipv4_addr ; }
   add rule x y ip protocol { tcp, udp } th dport 1-65534 dnat to ip saddr map @mymap

This allows you to dnat depending on the IP source address, skipping 0
and 65535 for TCP and UDP.

I don't get it, so let's be more explicit with an example.

I want to redirect UDP ports 10000-20000 to another IP (typically Asterisk RTP ports from the host to a VM). What I have today, which works with single ports (bash script, yes I know ;)):

    $fwtables add map $1 nat fwdtoip_tcp.$IFACE { type inet_service : $mytype\; flags interval\; }
    $fwtables add map $1 nat fwdtoip_udp.$IFACE { type inet_service : $mytype\; flags interval\; }
    $fwtables add map $1 nat fwdtoport_tcp.$IFACE { type inet_service : inet_service\; flags interval\;}
    $fwtables add map $1 nat fwdtoport_udp.$IFACE { type inet_service : inet_service\; flags interval\;}
    $fwtables add map $1 nat redirect_tcp.$IFACE { type inet_service : inet_service\; flags interval\;}
    $fwtables add map $1 nat redirect_udp.$IFACE { type inet_service : inet_service\; flags interval\;}

where $1 is ip or ip6, $mytype is ipv4_addr or ipv6_addr

Then from a list of ports I extract each value (including ranges like in the example above) and do:

If src address != dst address:
    $fwtables add element $1 nat fwdtoip_$myproto.$IFACE { $tmpsport : $mydaddr }
    $fwtables add element $1 nat fwdtoport_$myproto.$IFACE { $tmpsport : $tmpdport }
    ; this is not accepted when a range is given like 10000-20000

If src address = dst address:
    $fwtables add element $1 nat redirect_$myproto.$IFACE { $tmpsport : $tmpdport }

where $1 is ip or ip6, $myproto is udp or tcp, $tmpsport is the port or range of ports to redirect, $myaddr is the destination IP. $tmpdport can be equal to or different from $tmpsport.

Finally, the rules:

    $fwtables add rule ip nat prerouting ip daddr == $myaddripv4 dnat tcp dport map @fwdtoip_tcp.$IFACE : tcp dport map @fwdtoport_tcp.$IFACE
    $fwtables add rule ip nat prerouting ip daddr == $myaddripv4 dnat udp dport map @fwdtoip_udp.$IFACE : udp dport map @fwdtoport_udp.$IFACE
    $fwtables add rule ip nat prerouting ip daddr == $myaddripv4 meta l4proto tcp dnat to : tcp dport map @redirect_tcp.$IFACE
    $fwtables add rule ip nat prerouting ip daddr == $myaddripv4 meta l4proto udp dnat to : udp dport map @redirect_udp.$IFACE

This works perfectly with single ports, but as soon as I want to redirect a range of ports it fails.

Where is my mistake? Is it too complicated to achieve something which should be easy?

Thanks for your support and ideas

--
Daniel
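As an added example (not part of this thread, and not Daniel's script), here is an offline pre-check in Python for the port list that feeds the `add element` commands above. An nftables set or map declared with `flags interval` rejects elements whose intervals overlap, so the script parses single ports and `a-b` ranges, reports overlapping intervals before any `nft` command is run, and only then renders the `add element` commands for one address map. The family, table, map name and sample ports below are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

Interval = Tuple[int, int]

# One port ('N') or an inclusive range ('A-B'), as written in an nft element.
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")

# Constructed sample input (placeholders, not from the thread): single ports
# and ranges as they would be extracted from a port list.
SAMPLE_ENTRIES = [("5060", "192.0.2.10"), ("10000-20000", "192.0.2.10")]


def parse_port_spec(spec: str) -> Interval:
    """Parse 'N' or 'A-B' into an inclusive (lo, hi) interval with bounds checks."""
    m = PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad port spec: {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
        raise ValueError(f"port out of range: {spec!r}")
    if hi < lo:
        raise ValueError(f"inverted range: {spec!r}")
    return lo, hi


def find_overlaps(intervals: List[Interval]) -> List[Tuple[Interval, Interval]]:
    """Return (earlier, later) pairs of overlapping intervals.

    Intervals are sorted by lower bound; 'reach' tracks the interval seen so
    far with the highest upper bound, so every later interval that starts at
    or below that bound collides with it. An nft interval map without
    auto-merge refuses such overlapping elements.
    """
    overlaps: List[Tuple[Interval, Interval]] = []
    reach: Interval = None  # type: ignore[assignment]
    for iv in sorted(intervals):
        if reach is not None and iv[0] <= reach[1]:
            overlaps.append((reach, iv))
        if reach is None or iv[1] > reach[1]:
            reach = iv
    return overlaps


def format_interval(iv: Interval) -> str:
    """Render an interval the way nft expects: '5060' or '10000-20000'."""
    lo, hi = iv
    return str(lo) if lo == hi else f"{lo}-{hi}"


def build_nft_commands(family: str, table: str, mapname: str,
                       entries: List[Tuple[str, str]]) -> List[str]:
    """Validate the port specs, refuse overlaps, and render 'nft add element' lines.

    'entries' pairs a port spec with the map value (here a destination
    address, matching an 'inet_service : ipv4_addr' interval map).
    """
    parsed: Dict[Interval, str] = {}
    for spec, value in entries:
        parsed[parse_port_spec(spec)] = value
    clashes = find_overlaps(list(parsed))
    if clashes:
        detail = ", ".join(f"{format_interval(a)} vs {format_interval(b)}" for a, b in clashes)
        raise ValueError(f"overlapping intervals, nft would reject them: {detail}")
    return [
        f"nft add element {family} {table} {mapname} {{ {format_interval(iv)} : {value} }}"
        for iv, value in sorted(parsed.items())
    ]


if __name__ == "__main__":
    for line in build_nft_commands("ip", "nat", "fwdtoip_udp.eth0", SAMPLE_ENTRIES):
        print(line)
```

Run it before the script that calls `$fwtables`: if the port list contains a single port that also falls inside a range (15000 next to 10000-20000, for instance), the check stops with the colliding pair named instead of letting nft fail part-way through loading the ruleset.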


