Nico Rittner

Reputation: 199

understanding netfilter REDIRECT Target

Just playing around with the netfilter REDIRECT target. I am wondering how the destination port is altered when using "--to-ports" (plural).

iptables -I PREROUTING -t nat -i test -p TCP --dport 2800 -j REDIRECT --to-ports 2900-2905

1st match/hit 2800 -> 2900 ?
2nd match/hit 2800 -> 2901 ?
3rd match/hit 2800 -> 2902 ?

In my tests the only port that has been used was the first: 2900. The range argument "--to-ports" is confusing for me in this case. Does the original port affect the port that is being used from the range? Which port is used when, when specifying a range with "--to-ports"? "--to-port" works too, but is not mentioned in the man page.

Thanks.

Upvotes: 1

Views: 1711

Answers (1)

Zang MingJie

Reputation: 5275

Netfilter is stateless; it can't track port status, so round-robin is impossible to implement.

This parameter is intended to resolve the port conflict problem. For example, check this rule:

iptables -t nat -A PREROUTING -p tcp --dport 1000:2000 -j REDIRECT --to-ports 2900

If a client wants to establish 2 connections:

client:3000 <---> server:1000
client:3000 <---> server:1001

It is possible because the client can reuse its port. It will cause a problem if the server redirects both connections to port 2900, because the two connections become identical.

So the server needs multiple redundant ports to avoid this problem. But if the client does not reuse its port, this won't happen.

Upvotes: 1
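The collision the answer describes, as an added Python model (not netfilter's code and not part of the original thread): it assumes the NAT engine tries the ports of --to-ports in order and keeps the first one whose translated 5-tuple is not already held by a tracked connection. The client/server addresses are constructed.

```python
"""Model of how a REDIRECT port range avoids identical translated tuples.

Assumption (not netfilter's real algorithm): ports in --to-ports are tried
in order, and the first port whose translated tuple
(proto, client ip, client port, server ip, new port) is unused is kept.
"""
from typing import Dict, List, Tuple

Tuple5 = Tuple[str, str, int, str, int]  # proto, src ip, src port, dst ip, dst port


class RedirectTable:
    """Tracks translated tuples the way a connection tracker would have to."""

    def __init__(self, to_ports: range) -> None:
        self.to_ports = to_ports
        self.used: Dict[Tuple5, int] = {}  # translated tuple -> original dst port

    def redirect(self, conn: Tuple5) -> int:
        """Return the local port chosen for conn; raise if the range is exhausted."""
        proto, src_ip, src_port, dst_ip, dst_port = conn
        for port in self.to_ports:
            translated = (proto, src_ip, src_port, dst_ip, port)
            if translated not in self.used:  # first port that keeps tuples distinct
                self.used[translated] = dst_port
                return port
        raise RuntimeError(f"no free port in {self.to_ports} for {conn}")

    def close(self, conn: Tuple5, port: int) -> None:
        """Forget a finished connection so its port can be reused."""
        proto, src_ip, src_port, dst_ip, _ = conn
        self.used.pop((proto, src_ip, src_port, dst_ip, port), None)


def demo() -> List[int]:
    """Replay the answer's scenario with --to-ports 2900-2905 (constructed addresses)."""
    table = RedirectTable(range(2900, 2906))
    conns: List[Tuple5] = [
        ("tcp", "10.0.0.2", 3000, "10.0.0.1", 1000),  # client:3000 -> server:1000
        ("tcp", "10.0.0.2", 3000, "10.0.0.1", 1001),  # same client port, server:1001
        ("tcp", "10.0.0.2", 3001, "10.0.0.1", 1000),  # fresh client port, no conflict
    ]
    return [table.redirect(c) for c in conns]  # -> [2900, 2901, 2900]


if __name__ == "__main__":
    print(demo())
```

With a single-port range (--to-ports 2900) the second connection in the scenario has no distinct tuple left and the model raises, which is the conflict the answer warns about.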
