iptables REDIRECT --to-ports range
I have this rule
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 1234 -j REDIRECT --to-ports 12345-12347
There's actually two Qs
- it suppose to redirect connections to 3 different ports 12345 12347 12347, however my serwer seems to ignore the last port 12347 - no connection is redirected there. Any ideas?
- if new connections arrives, how is determined destination port for this new connection? round-robin, least-occupied, firt-that-connects, etc. ?
Linux server 2.6.19-1.2911.fc6PAE #1 SMP Sat Feb 10 15:16:17 EST 2007 i686 athlon i386 GNU/Linux
Some document references please. No IMHO please.
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 1234 -j REDIRECT --to-ports 12345-12347
There's actually two Qs
- it suppose to redirect connections to 3 different ports 12345 12347 12347, however my serwer seems to ignore the last port 12347 - no connection is redirected there. Any ideas?
- if new connections arrives, how is determined destination port for this new connection? round-robin, least-occupied, firt-that-connects, etc. ?
Linux server 2.6.19-1.2911.fc6PAE #1 SMP Sat Feb 10 15:16:17 EST 2007 i686 athlon i386 GNU/Linux
Some document references please. No IMHO please.
ASKER
> -j REDIRECT --to-ports 192.168.1.1:12345 192.168.1.1:12346 192.168.1.1:12347
this above is invalid.
I found that it's simply bug. And in fact only first port is beeing choosen everytime.
this above is invalid.
I found that it's simply bug. And in fact only first port is beeing choosen everytime.
To accomplish this I typically use a mirror port.
Are you perhaps working through a managed switch?
Are you perhaps working through a managed switch?
ASKER
No, it's not managed switch. And I don't think mirror port is suitable for me.
My goal is to distribute connections to various local tcp/ports.
I workarounded this, but was wandering why --to-ports is not working.
My goal is to distribute connections to various local tcp/ports.
I workarounded this, but was wandering why --to-ports is not working.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanx Nopius, I did such investigation as well. Unfortunatelly misunderstood it.
Filled http://bugzilla.kernel.org/show_bug.cgi?id=8325, which should answer everything.
Indeed it alwas chooses first port, unless it can't (maybe other rule conflicts with this one).
Since not really answered, B only.
Filled http://bugzilla.kernel.org/show_bug.cgi?id=8325, which should answer everything.
Indeed it alwas chooses first port, unless it can't (maybe other rule conflicts with this one).
Since not really answered, B only.
ravenpl. thank you for points. I don't have Linux locally to patch and test kernel, only sources... If this feature is impotent for you, It would be helpful to insert some printk() statements in netfilter code and see what really happens... From just viewing sources I may miss something impotent...
Can you please check to see what the filter layout says about why it's not working with:
iptables -L -vn
and
iptables -L -vn -t nat
And also check the PREROUTE rule to be sure you have the real IP addresses being prepended. That is to say if PREROUTE were'nt enacted, you'ld need a rule that looks like:
-j REDIRECT --to-ports 192.168.1.1:12345 192.168.1.1:12346 192.168.1.1:12347
I think it just hooks on the first available port. I don't know of any mechanism that allows round robin here, although you may be able to build that out.