Reputation: 199
understanding netfilter REDIRECT Target
just playing around with the netfilter REDIRECT-Target . i am wondering how the destination port is altered when using "--to-ports" (plural).
iptables -I PREROUTING -t nat -i test -p TCP --dport 2800 -j REDIRECT --to-ports 2900-2905
1st match/hit 2800 -> 2900 ?
2nd match/hit 2800 -> 2901 ?
3nd match/hit 2800 -> 2902 ?
in my tests the only port that has been used was the first: 2900 . the range-argument "--to-ports" is confusing for me in this case . does the orginal port affect the port that is being used from the range? which port is used when, when specifying a range with "--to-ports" ? "--to-port" works too, but is not mentioned in the man-page .
thanks.
Upvotes: 1
Views: 1711
Answers (1)
Reputation: 5275
netfilter is stateless, it can't track port status, so round-robin is impossible to implement.
this parameter is intent to resolve port conflict problem, for example check this rule:
iptables -t nat -A PREROUTING -p tcp --dport 1000:2000 -j REDIRECT --to-ports 2900
if a client wants to establish 2 connections
client:3000 <---> server:1000
client:3000 <---> server:1001
it is possible because client can reuse its port. it will cause problem if the server redirect both connections to port 2900, the two connections become identical.
so the server need multiple redundancy ports to avoid this problem. but if the client do not reuse its port, this wont happen.
Upvotes: 1
Related Questions
- Retrieving original destination from iptables after REDIRECT
- Can't get nftables to redirect port 80 to 8080
- Iptables NAT and Masquerade rules - what do they do?
- Basic Netfilterqueue usage Python
- iptables Forward policy doesn't work
- iptables netfilter copying the packet
- Removing specific iptables rule
- iptables moving from filter table back to nat table
- Source and destination port of ICMP packet
- iptables port redirection