iptables NAT forward range

Question

I have two network interfaces, eth0 and eth1. eth0 has a public ip, eth1 has 172.16.0.254/24.

I'd like to do the following mapping:

172.16.0.1:22 -> eth0's public ip:2001
172.16.0.2:22 -> eth0's public ip:2002
172.16.0.3:22 -> eth0's public ip:2003 
...
172.16.0.100:22 -> eth0's public ip:2100

I read that iptables supports ranges, but I don't get it working.

How can I achieve this?

Thanks.

What does ranges have to do with this? – Michael Hampton Apr 06 '14 at 18:23 — Michael Hampton, Apr 06 '14 at 18:23
172.16.0.[1-100]:22 to public-ip:[2001-2100]? – rralf Apr 06 '14 at 18:35 — rralf, Apr 06 '14 at 18:35

score 1 · Answer 1 · answered Apr 06 '14 at 18:47

I'm pretty sure you can't do that with iptables natively. You have ip ranges, multiport, but AFAIK you can not map an IP range to a port range.

However this can be solved quite easily with a small bash script :

for i in $(seq 1 100); do iptables -t nat -A PREROUTING -i eth0 -p tcp -d 172.16.0.$i --dport 22 -j REDIRECT --to-port 2`printf "%03d" $i`; done

... assuming your server(s) opening 2001-2100 are listening (binded) to all interfaces (0.0.0.0) and you're using TCP.

You might want to use DNAT target and -p udp respectively if this is not the case.

If having 100 rules in the PREROUTING chain is a concern for (readability or maintenance), you can create your own chain instead and jump to it from PREROUTING.

iptables NAT forward range

1 Answers1