Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
S
S
Sergey Vasiliev2021-07-10 13:15:38
iptables
Sergey Vasiliev, 2021-07-10 13:15:38

How does iptables work?

Hello fellow smart people. There is this rule:

-A PREROUTING -d 0.0.0.0/32 -i eth0 -p tcp -m tcp ! --dport 22 -j DNAT --to-destination 10.200.1.5

How can I replace port 22 with port 22 + port range 1100-1200, I tried to substitute 22.1100:1200, it did not work.

Immediately the second question. More difficult. How to redirect UDP traffic from xxxx:N to yyyy:N through iptables, and N is a certain identical port from the range 1100-1200, is it really possible to write a separate line for each port?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
H
hint000, 2021-07-10
@hint000

second question. More difficult.
It's actually not harder, google it in 10 seconds:
https://serverfault.com/questions/594835/what-is-t...
-A PREROUTING -d x.x.x.x -p udp --dport 1100:1200 -j DNAT --to-destination y.y.y.y

For the first question, try this
-A PREROUTING -i eth0 -p tcp -m multiport ! --dports 22,1100:1200 -j DNAT --to-destination 10.200.1.5

I'm not sure what multiport will work with negation, try it, if it doesn't work, then we'll come up with another option.
(I threw out the -d 0.0.0.0/32 fragment as meaningless)
Upd .: Multiport
option without negation:
-A PREROUTING -i eth0 -p tcp -m multiport --dports 1:21,23:1100,1200:65535 -j DNAT --to-destination 10.200.1.5

The option without multiport and without negation already has to be divided into three rules instead of one:
-A PREROUTING -i eth0 -p tcp --dport 1:21 -j DNAT --to-destination 10.200.1.5
-A PREROUTING -i eth0 -p tcp --dport 23:1100 -j DNAT --to-destination 10.200.1.5
-A PREROUTING -i eth0 -p tcp --dport 1200:65535 -j DNAT --to-destination 10.200.1.5

Upd.:
It says here that multiport does not accept both a list and a range: https://www.opennet.ru/base/net/iptables_treasures... instead, the mport extension is offered
-A PREROUTING -i eth0 -p tcp -m mport ! --dports 22,1100:1200 -j DNAT --to-destination 10.200.1.5

Similar questions
T
Talyan2019-09-19 12:30:24
How to put MAC in the desired VLAN? 3Reply
S
Sergey Torop2015-04-27 16:37:00
How and where to correctly register your iptables NAT rules in the host system in KVM? 4Reply
I
IsaevDev2017-04-19 22:06:06
How to open a port in iptables for private network only? 1Reply
D
Dmitry Shvedchenko2015-05-08 13:38:30
How to forward IPsec traffic to another subnet? 1Reply
K
Kirill Kazakov2015-06-16 13:45:28
How to configure routing relative to guest OS with redirection by domain_name on one port? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question