Hi Folks:

I am either using the multiport of the -m or --match option of iptables incorrectly or there is a bug with it. Is anyone else using it with no problem? This is the way I am trying to use it:

my_ports=21,25,80
iptables -t nat -A PREROUTING -i $wan_addr -p tcp -m multiport --dports $my_ports -j DNAT --to $my_internal_address

I have used this in the past successfully but that was a few years ago. I get no errors or warnings; it just ignores the ports. The multiport invocation shows up in an iptables -t nat -L -v however. The packet and byte counts never get incremented either from zero.

Any pointers would sure be helpful; having to include a line for every port check seems wasteful.

Kirk

--
Kirk Reiser                      The Computer Braille Facility
e-mail: kirk@braille.uwo.ca      University of Western Ontario
phone: (519) 661-3061
CCed netfilter-devel.

Kirk Reiser wrote:
> Hi Folks: I am either using the multiport of the -m or --match option
> of iptables incorrectly or there is a bug with it. Is anyone else
> using it with no problem? This is the way I am trying to use it:
>
> my_ports=21,25,80
> iptables -t nat -A PREROUTING -i $wan_addr -p tcp -m multiport
> --dports $my_ports -j DNAT --to $my_internal_address
>
> I have used this in the past successfully but that was a few years
> ago. I get no errors or warnings; it just ignores the ports. The
> multiport invocation shows up in an iptables -t nat -L -v however.
> The packet and byte counts never get incremented either from zero.
>
> Any pointers would sure be helpful; having to include a line for every
> port check seems wasteful.

Please post your kernel version, your iptables version and the output of iptables -vxnL.
On Wed, 2006-03-15 at 06:47 -0500, Kirk Reiser wrote:
> Hi Folks: I am either using the multiport of the -m or --match option
> of iptables incorrectly or there is a bug with it. Is anyone else
> using it with no problem?

I am using it and no functional problems. :)

> I have used this in the past successfully but that was a few years
> ago. I get no errors or warnings; it just ignores the ports. The
> multiport invocation shows up in an iptables -t nat -L -v however.
> The packet and byte counts never get incremented either from zero.

Well, that's another story. In my case most of my byte counters never get incremented either. However, the rules are working, since packets are coming and going. No way for them to otherwise. I believe there is a bug in the counters portion. But it's not across the board, because some of my multiport counters get incremented and some do not.

Linux version 2.6.14-hardened-r5 (root@lrt) (gcc version 3.4.5 (Gentoo Hardened 3.4.5, ssp-3.4.5-1.0, pie-8.7.9))
iptables v1.3.4

--
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
http://www.obsidian-studios.com
Patrick McHardy <kaber@trash.net> writes:
> Please post your kernel version, your iptables version and the
> output of iptables -vxnL.

Woops! The kernel is linux 2.6.15.6 and the iptables is 1.3.3. I will have to reconstruct the script using multiport, so that will take some time to get the iptables -vxnL.

Kirk
Kirk Reiser wrote:
> Patrick McHardy <kaber@trash.net> writes:
>
>> Please post your kernel version, your iptables version and the
>> output of iptables -vxnL.
>
> Woops! The kernel is linux 2.6.15.6 and the iptables is 1.3.3. I
> will have to reconstruct the script using multiport, so that will take
> some time to get the iptables -vxnL.

IIRC we had a bug in iptables with revision matching (which affects multiport), could you try the latest version?
Patrick McHardy <kaber@trash.net> writes:
> IIRC we had a bug in iptables with revision matching (which affects
> multiport), could you try the latest version?

If you want to give me a pointer to it or to cvs I'd be happy to.

To my previous problem: it appears that I was mistaken. I was trying to use nc with port 25 when testing and forgot that our ITS department had port 25 blocked upstream, so it wasn't iptables' fault at all. Took me some tcpdump monitoring to realize the packets were never even getting to the box running the iptables script. Subsequent tests with multiport statements appear to be running okay so far.

Kirk
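The thread turns on one question: did the multiport DNAT rule ever match, or did the packets never reach the box? The script below is an added example, not code from Kirk, Patrick or the netfilter project. It takes two snapshots of the `iptables -t nat -vxnL` output Patrick asked for (constructed here, with made-up interface, addresses and counts), extracts the packet counter of the rule whose `multiport dports` list is exactly the one given, and reports whether that counter advanced between the snapshots.

```shell
#!/bin/sh
# Added example (not from the thread): decide from two snapshots of
# `iptables -t nat -vxnL` whether a multiport DNAT rule actually saw traffic.
# -v adds the pkts/bytes/in/out columns, -x prints exact counters, -n skips DNS.

# Constructed sample snapshots; interface, addresses and counts are made up.
BEFORE='Chain PREROUTING (policy ACCEPT 1532 packets, 98765 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 21,25,80 to:192.0.2.10
      42     2520 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.0.2.10'
AFTER='Chain PREROUTING (policy ACCEPT 1540 packets, 99261 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 21,25,80 to:192.0.2.10
      42     2520 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.0.2.10'

# multiport_pkts SNAPSHOT PORTS: print the pkts counter (first column) of the
# rule whose "multiport dports" list is exactly PORTS; exit 1 if there is none.
multiport_pkts() {
    printf '%s\n' "$1" | awk -v ports="$2" '
        /multiport dports/ {
            for (i = 1; i < NF; i++)
                if ($i == "dports" && $(i + 1) == ports) { print $1; found = 1 }
        }
        END { if (found) exit 0; exit 1 }'
}

# multiport_hit BEFORE AFTER PORTS: exit 0 only if the counter advanced between
# the snapshots, i.e. the rule matched at least one packet; 2 if no such rule.
multiport_hit() {
    b=$(multiport_pkts "$1" "$3") || return 2
    a=$(multiport_pkts "$2" "$3") || return 2
    [ "$a" -gt "$b" ]
}

# Typical use: snapshot, make one test connection to a listed port from the
# WAN side, snapshot again. A counter stuck at zero while tcpdump on the WAN
# interface shows no SYN at all points upstream of this box, not at the rule.
if multiport_hit "$BEFORE" "$AFTER" 21,25,80; then
    echo "multiport rule matched: counter advanced"
else
    echo "multiport rule never matched: confirm with tcpdump that packets reach the box"
fi
```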