
I want to use iptables to set a DNAT target. A multi-port virtual server is what I want to do. But I found that DNAT cannot map a multi-port range to a destination multi-port range, e.g.

iptables -t nat -A PREROUTING -p tcp --dport 1000:2000 -j DNAT --to-destination 192.168.1.100:3000-4000

I think this rule should be:

1000 ------> 3000
1001 ------> 3001
...........................
2000 ------> 4000

I tried to use Wireshark to capture packets. No matter whether the original packets are to port 1000, 1001, 2000 and so on, they seem to be translated to port 3000 only. That's weird: iptables is only mapping many ports to one port.

Any advice?

Thanks.

user1190887
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Jun 14 '18 at 01:05

1 Answer

iptables-extensions' man page states that kernel 2.6.11-rc1 and newer don't support specifying multiple destination ports:

In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.

Yoel
    Thanks for your suggestion. Multiple destination ports seem to work on the same port range, such as 30000:31000 <----> 30000:31000. iptables can perform this action without setting a port range in "--to-destination". Back to the point: if I want to assign different multiple destination ports, such as 30000:31000 ----> 40000:41000, should I add 1000 rules to iptables that do the mapping myself? – user1190887 Apr 06 '16 at 03:07
  • That would work, but I'm not sure how efficient it would be. You can also try writing your own *iptables* extension module, but that requires some serious know-how... – Yoel Apr 06 '16 at 10:55
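The "one rule per port" approach the comments settle on can be generated rather than typed by hand. The script below is an added example, not code from the question or the answer: it expands a source port range into one explicit `DNAT` rule per port, shifting each port onto the destination range (1000 -> 3000, 1001 -> 3001, and so on). The IP address and port numbers are the ones from the question and are placeholders; the `APPLY` environment variable is an assumption of this example, and by default the rules are only printed so they can be reviewed before being installed.

```shell
#!/bin/sh
# Added example: emit one DNAT rule per port so that SRC_FIRST..SRC_LAST
# maps one-to-one onto DEST_FIRST..DEST_FIRST+(SRC_LAST-SRC_FIRST).
# Nothing is installed unless APPLY=1 is set (and you are root).

# gen_dnat_rules SRC_FIRST SRC_LAST DEST_IP DEST_FIRST
# Prints the iptables command for each port; returns 1 on a bad range.
gen_dnat_rules() {
    src=$1; last=$2; dip=$3; dport=$4
    # Sanity checks so a typo does not generate thousands of bogus rules.
    [ "$src" -le "$last" ] || { echo "bad source range $src:$last" >&2; return 1; }
    [ $((dport + last - src)) -le 65535 ] || {
        echo "destination range would exceed port 65535" >&2; return 1; }
    while [ "$src" -le "$last" ]; do
        printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$src" "$dip" "$dport"
        src=$((src + 1))
        dport=$((dport + 1))
    done
}

# count_dnat_rules: how many rules a range expands to (useful to double-check
# the size of the rule set before installing it).
count_dnat_rules() {
    gen_dnat_rules "$@" | wc -l | tr -d ' '
}

# apply_dnat_rules: print the rules, or run them when APPLY=1.
apply_dnat_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        gen_dnat_rules "$@" | sh
    else
        gen_dnat_rules "$@"
    fi
}

# Usage with the ranges from the question (prints 1001 rules):
#   apply_dnat_rules 1000 2000 192.168.1.100 3000
```

Run it once without `APPLY=1` and read the output; a one-off mistake in the destination offset is much easier to spot in the printed list than after the rules are in the `nat` table. Remember that these are `PREROUTING` rules only, so the matching `FORWARD` policy and any `MASQUERADE`/`SNAT` rule for the return path still need to be in place as they would for a single-port DNAT.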