1

My line in /etc/network/interfaces is as follows:

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 7997 -j DNAT --to 10.4.0.3:22

It seems to work fine to forward SSH, and in other similar rules; HTTP and HTTPS traffic as well. When I look at the man pages the directive:

--to

appears to do something completely different to:

--to-destination

which is the directive I would expect. There are 4 mentions of "--to " in the iptables extensions man page. Which one is being used?

Why does it still work? Is it correct usage? If not is it safe to use in this way or should I change it to --to-destination?

Adam G.
  • 31
  • 1
  • 5

1 Answers1

3

The xtables (arptables/ebtables/iptables/ip6tables) parser allows to use the short names of match/target options if it can be recognized: the parser of arguments tries to guess the option by compare of beginning of argument string with option name. But it isn't always safe. Match options have more high priority in order of recognition than target options.

Example of unsafe usage of --to option:

:~# iptables -t nat -A PREROUTING -p udp -m string --string "badword" \ -j DNAT --to 192.168.10.1 iptables v1.6.2: string: bad value for option "--to", or out of range (0-65535). Try `iptables -h' or 'iptables --help' for more information.

In this example the parser has recognized the --to option as option of the string match, and the command fails, because the subparser of the string match expects an integer value, not an ip address.

But this version of same command will be executed without errors:

:~# iptables -t nat -A PREROUTING -p udp -m string --st "badword" --al bm \ -j DNAT --to-d 192.168.10.1

In this example:

  • --st = --string
  • --al = --algo
  • --to-d = --to-destination

Also, you cannot use the short versions of match and target names.

Anton Danilov
  • 5,082
  • 2
  • 13
  • 23