Hello,
On the 'forwarder' machine with IP address 10.0.0.1 I set up port forwarding using firewalld from the 5001-5002/tcp range to ports 6001-6002 of the 10.0.0.2 machine. Now when I connect to 10.0.0.1 from a third machine on ports 5001 or 5002, both connections go to port 6001 of the 10.0.0.2 machine; no connection ever goes to port 6002. So what's the purpose of having a range if connections to all 'forward-from-ports' always go to the first port of the 'forward-to-ports' range? What am I missing?
Thank you, Rufe
On 10/04/2014 12:22 AM, Rufe Glick wrote:
> Hello,
> On the 'forwarder' machine with IP address 10.0.0.1 I set up port forwarding using firewalld from the 5001-5002/tcp range to ports 6001-6002 of the 10.0.0.2 machine. Now when I connect to 10.0.0.1 from a third machine on ports 5001 or 5002, both connections go to port 6001 of the 10.0.0.2 machine; no connection ever goes to port 6002. So what's the purpose of having a range if connections to all 'forward-from-ports' always go to the first port of the 'forward-to-ports' range? What am I missing?
No idea, sorry.
Your example creates the following rules:
*mangle -A PRE_public_allow -p tcp -m tcp --dport 5001:5002 -j MARK --set-xmark 0x64/0xffffffff
*nat -A PRE_public_allow -p tcp -m mark --mark 0x64 -j DNAT --to-destination 10.0.0.2:6001-6002
The description of DNAT's --to-destination in the iptables-extensions man page does not explain how it should actually work. I tried to find some answers via Google, but without any luck.
Thomas, any ideas ?
-- Jiri
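As an added example, not part of the thread: since the single range rule above collapses into one DNAT with a port range, one way to get a strict 1:1 mapping is to declare one firewalld forward-port entry per port, each of which produces its own DNAT rule with a single destination port. The helper below expands a from-range into those firewall-cmd invocations; the zone name "public" is taken from the rule chain names in the reply, and the helper only prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example: expand a forward-from port range into one firewalld
# forward-port entry per port, so port N+i always maps to toport+i.
# Usage: emit_forward_ports ZONE PROTO FROM_FIRST FROM_LAST TO_FIRST TO_ADDR
emit_forward_ports() {
  zone=$1; proto=$2; from_first=$3; from_last=$4; to_first=$5; to_addr=$6
  if [ "$from_last" -lt "$from_first" ]; then
    echo "invalid range: $from_first-$from_last" >&2
    return 1
  fi
  i=0
  while [ $((from_first + i)) -le "$from_last" ]; do
    # Each command yields a separate DNAT rule with exactly one toport.
    printf 'firewall-cmd --zone=%s --add-forward-port=port=%s:proto=%s:toport=%s:toaddr=%s\n' \
      "$zone" "$((from_first + i))" "$proto" "$((to_first + i))" "$to_addr"
    i=$((i + 1))
  done
}

# Count of commands the helper emits for a given range (used for checking).
count_forward_ports() {
  emit_forward_ports "$@" | wc -l | tr -d ' '
}

# The thread's scenario: 5001-5002/tcp on 10.0.0.1 -> 6001-6002 on 10.0.0.2
emit_forward_ports public tcp 5001 5002 6001 10.0.0.2
```

Forwarding to another host also requires masquerading in the zone (firewall-cmd --zone=public --add-masquerade) and IP forwarding enabled on the forwarder; add --permanent to persist across reloads.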
firewalld-users@lists.fedorahosted.org