Efficient 1-to-1 DNAT of range of ports

Charlie Brady charlieb-netfilter at budge.apana.org.au
Fri Apr 29 22:23:26 CEST 2005


The semantics of:

iptables  -t nat --append PREROUTING -p udp --dport nn:mm -j DNAT \
  --to-destination a.b.c.d:pp-qq

I find somewhat surprising. It appears to be an efficient way to forward a
range of ports. But it doesn't work that way. To forward a range of ports
it seems that one needs to do:

s=nn          # first port of the incoming range
e=mm          # last port of the incoming range
d=pp          # first port of the destination range
while [ $s -le $e ]
do
  iptables -t nat --append PREROUTING -p udp --dport $s -j DNAT \
     --to-destination a.b.c.d:$d
  s=$(expr $s + 1)
  d=$(expr $d + 1)
done

This certainly isn't efficient, and can be rather slow. Presumably it can
cause large tables to be built in the kernel.

Is there a better way to do it? Has anyone built a module to do 1-to-1 NAT 
of a port range? Are the current semantics of a range to range DNAT 
useful? If not, how hard would it be to change?

Thanks

---
Charlie
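The per-port loop from the post, as an added example (not from the original post or the netfilter project): the rules are generated once as an iptables-restore batch, so the whole 1-to-1 set is validated and loaded in a single pass instead of one iptables invocation per port. The function names, the bounds checks and the sample ranges are assumptions.

```shell
#!/bin/sh
# Added example: build a 1-to-1 DNAT mapping for a port range as text that
# iptables-restore can load in one go. Function names are assumptions.

# dnat_range_rules PROTO FIRST LAST DEST DEST_FIRST
# Prints one DNAT rule per port, mapping FIRST..LAST onto DEST_FIRST.. in order.
# Fails (returns 1) if the incoming range is empty or the destination range
# would run past port 65535.
dnat_range_rules() {
  proto=$1 s=$2 e=$3 dest=$4 d=$5
  [ "$s" -le "$e" ] || return 1
  [ "$d" -ge 1 ] || return 1
  [ $((d + e - s)) -le 65535 ] || return 1
  while [ "$s" -le "$e" ]; do
    printf '%s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
      '-A PREROUTING' "$proto" "$s" "$dest" "$d"
    s=$((s + 1)); d=$((d + 1))
  done
}

# dnat_range_batch: same arguments, wrapped in a nat-table block so the
# rules load atomically, e.g.
#   dnat_range_batch udp 5000 5099 10.0.0.5 6000 | iptables-restore --noflush
dnat_range_batch() {
  printf '*nat\n'
  dnat_range_rules "$@" || return 1
  printf 'COMMIT\n'
}

# count_rules: number of rules the mapping would produce (used for checking)
count_rules() { dnat_range_rules "$@" | wc -l | tr -d ' '; }
```

Loading the batch with --noflush keeps existing nat rules; drop that option only when the generated block is meant to replace the table.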


