Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
S
S
Sergey Vasiliev2021-07-10 13:15:38
iptables
Sergey Vasiliev, 2021-07-10 13:15:38

How does iptables work?

Hello fellow smart people. There is this rule:

-A PREROUTING -d 0.0.0.0/32 -i eth0 -p tcp -m tcp ! --dport 22 -j DNAT --to-destination 10.200.1.5

How can I replace port 22 with port 22 + port range 1100-1200, I tried to substitute 22.1100:1200, it did not work.

Immediately the second question. More difficult. How to redirect UDP traffic from xxxx:N to yyyy:N through iptables, and N is a certain identical port from the range 1100-1200, is it really possible to write a separate line for each port?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
H
hint000, 2021-07-10
@hint000

second question. More difficult.
It's actually not harder, google it in 10 seconds:
https://serverfault.com/questions/594835/what-is-t...
-A PREROUTING -d x.x.x.x -p udp --dport 1100:1200 -j DNAT --to-destination y.y.y.y

For the first question, try this
-A PREROUTING -i eth0 -p tcp -m multiport ! --dports 22,1100:1200 -j DNAT --to-destination 10.200.1.5

I'm not sure what multiport will work with negation, try it, if it doesn't work, then we'll come up with another option.
(I threw out the -d 0.0.0.0/32 fragment as meaningless)
Upd .: Multiport
option without negation:
-A PREROUTING -i eth0 -p tcp -m multiport --dports 1:21,23:1100,1200:65535 -j DNAT --to-destination 10.200.1.5

The option without multiport and without negation already has to be divided into three rules instead of one:
-A PREROUTING -i eth0 -p tcp --dport 1:21 -j DNAT --to-destination 10.200.1.5
-A PREROUTING -i eth0 -p tcp --dport 23:1100 -j DNAT --to-destination 10.200.1.5
-A PREROUTING -i eth0 -p tcp --dport 1200:65535 -j DNAT --to-destination 10.200.1.5

Upd.:
It says here that multiport does not accept both a list and a range: https://www.opennet.ru/base/net/iptables_treasures... instead, the mport extension is offered
-A PREROUTING -i eth0 -p tcp -m mport ! --dports 22,1100:1200 -j DNAT --to-destination 10.200.1.5

Similar questions
I
IPv42015-01-14 13:59:24
How can you collect a database of "stray" IP addresses? 4Reply
C
chief2019-06-23 14:21:27
How to make fail2ban on OpenWRT? 1Reply
D
Denis2015-02-17 09:37:42
How to solve the problem with access between two local subnets (Shorewall)? 3Reply
C
C_hard2019-07-19 13:28:14
How to put PREROUTING iptables through a filter? 3Reply
M
Misty Hedgehog2015-02-27 16:33:00
Strange behavior of iptables - what could be the reason? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question