Iptables --to-ports option with REDIRECT target (bug ?)

Question

I'm trying to redirect a incoming udp traffic (514) to two ports (10514 and 10515) with iptables. On the man page of iptables-extensions for the target REDIRECT the syntax is "--to-ports port[-port]"

It is mentionned that you can specify a single port but also a range, but i can't manage to make it work on a range. It seem to only take the first port of the range.

The software is listening on the two ports

Here is the rules i am using and a iptables -nvL:

iptables -A INPUT -p udp --dport 10514 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p udp --dport 10515 -s 10.0.0.0/8 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 514 -j REDIRECT --to-ports 10514-10515

Chain PREROUTING (policy ACCEPT 1550 packets, 93888 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  424 72586 REDIRECT   udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:514 redir ports 10514-10515


Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

68854   14M ACCEPT     udp  --  *      *       10.0.0.0/8           0.0.0.0/0            udp dpt:10514
    0     0 ACCEPT     udp  --  *      *       10.0.0.0/8           0.0.0.0/0            udp dpt:10515

You are showing INPUT rules, add the NAT rules as well: `iptables -t nat -nvL` — Lenniey, Sep 06 '19 at 11:45
Are these multiple connections to port 514? Do you want to load balance? — Lenniey, Sep 06 '19 at 12:29
Yes, from syslog servers. It's only for testing purpose for a graylog server. Two udp input are configured on the graylog server, but traffic is only received on the 10514 port as we can see. It's not for load balancing — Kater, Sep 06 '19 at 12:31

score 1 · Answer 1 · answered Sep 06 '19 at 13:18

So i can answer to my own question now !

https://serverfault.com/a/741108/538674

This Target may be the solution to the problem without disabling connection tracking but it need a recent kernel

TEE The TEE target will clone a packet and redirect this clone to another machine on the local network segment. In other words, the nexthop must be the target, or you will have to configure the nexthop to forward it further if so desired.

--gateway ipaddr
    Send the cloned packet to the host reachable at the given IP address. Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid. 

To forward all incoming traffic on eth0 to an Network Layer logging box:

-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1

Iptables --to-ports option with REDIRECT target (bug ?)

1 Answers1