Iptables NETMAP issues


I set up a working OpenVPN server on OpenWrt 19.07 on a TL-WDR3600.

I need to access devices on lan ( but my remote lan is ( too.

I tried to add these commands: https://www.linuxtopia.org/Linux_Firewall_iptables/x4471.html
iptables -t nat -A PREROUTING -d -j NETMAP --to
I get this message: iptables v1.8.3 (legacy): unknown option "--to"

I need your help!

Thank you


I discovered there is a NETMAP extension to use with iptables on OpenWrt!

Does someone know how to load a module with iptables?
I tried to put iptables -m with no success.
iptables v1.8.3 (legacy): Couldn't load match `iptables-mod-dnetmap':No such file or directory
Thank you.

Have you installed both iptables-mod-dnetmap and kmod-ipt-dnetmap ?
Is the module loaded in lsmod?

Yes, I have installed both extensions with opkg and the module is not loaded in lsmod.
What can I do for now? I'm lost :) Thank you for your help.

Load it first to verify it is working and then add it in /etc/modules.d/ to be available in the next boot.

I don't know how to load it! I have this file in /usr/lib/iptables: libxt_DNETMAP.so

What is the output of opkg files kmod-ipt-dnetmap ; echo ; opkg files iptables-mod-dnetmap ?

Package kmod-ipt-dnetmap (4.14.171+2.14-8) is installed on root and has the following files:

Package iptables-mod-dnetmap (2.14-8) is installed on root and has the following files:

You can load the module with insmod or modprobe. Or you can reboot the router and it will be loaded on next boot.

I rebooted the router and have the same issue when I type the command. I don't know what I have to put after iptables -m (my command).

If you run again the lsmod, can you see xt_DNETMAP loaded?

Yes, xt_DNETMAP is loaded, but how do I use it?

Try it this way:
iptables -t nat -A PREROUTING -d -j DNETMAP --prefix
It worked for me at least.

Thank you so much! But why did you change --to to --prefix? I don't understand!
Without the module installed I got this answer:

iptables v1.8.3 (legacy): unknown option "--prefix"

Well, you'll definitely need the module and apparently this is the correct syntax for this version of NETMAP. Don't ask, I was googling for half an hour to find it, everyone was using the --to with NETMAP, but apparently DNETMAP is different.

Ok, thank you again.

Now I can try to go to the next step using iptables commands!

Hi All,

I came back after a few days, making a lot of tests from some threads.
I got a response from a NATted IP just once, but I can't reproduce the conditions of this little success.

I don't know if DNETMAP really works like NETMAP; I will try some things on Ubuntu Server.

Have a look here with examples.
From what I understand the DNETMAP is an enhanced version of NETMAP.

Thank you for your reply,

I made a test with a simple DNAT rule to change the destination address and it works directly! is the "virtual ip" and is the real host on lan side.

iptables -t nat -A PREROUTING -d -j DNAT --to-destination

and if I type:
iptables -t nat -F PREROUTING
iptables -t nat -A PREROUTING -d -j DNETMAP --prefix
nothing happens.

There is an example here with NETMAP.

Does DNETMAP really work?

Again you are looking at NETMAP, while this is DNETMAP.
Check the 3rd example from the ubuntu manpage link I posted above. It seems to be using DNETMAP on both PRE and POSTROUTING.
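
An added example, not part of the thread and not code from any poster or from xtables-addons: a small Python model of why a PREROUTING-only DNETMAP rule can appear to do nothing while plain NETMAP or DNAT works. It assumes the behaviour described in the xtables-addons manual page (bindings are created on the POSTROUTING side, and PREROUTING only translates destinations that already have a binding); the addresses are constructed and the allocation order is a simplification.

```python
import ipaddress

def netmap(addr, match_net, to_net):
    """Static NETMAP: keep the host bits, swap the network bits."""
    a = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(match_net)
    dst = ipaddress.ip_network(to_net)
    if a not in src or src.prefixlen != dst.prefixlen:
        return None  # rule does not match, or the two masks differ
    host_bits = int(a) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))

class DnetmapModel:
    """Simplified model of a DNETMAP binding table for one --prefix."""

    def __init__(self, prefix):
        # Assumption: addresses are handed out in ascending order.
        self.free = [str(h) for h in ipaddress.ip_network(prefix).hosts()]
        self.by_private = {}  # private address -> mapped address
        self.by_mapped = {}   # mapped address  -> private address

    def postrouting(self, private_src):
        """Outbound flow: reuse or create a private -> mapped binding."""
        if private_src not in self.by_private:
            if not self.free:
                return None  # prefix exhausted, no translation
            mapped = self.free.pop(0)
            self.by_private[private_src] = mapped
            self.by_mapped[mapped] = private_src
        return self.by_private[private_src]

    def prerouting(self, dst):
        """Inbound flow: DNAT only when a binding for dst already exists."""
        return self.by_mapped.get(dst)

if __name__ == "__main__":
    # Constructed addresses: 10.99.1.0/24 is the "virtual" net, 192.168.1.0/24 the real LAN.
    print(netmap("10.99.1.25", "10.99.1.0/24", "192.168.1.0/24"))
    table = DnetmapModel("10.99.1.0/30")
    print(table.prerouting("10.99.1.1"))      # None: nothing bound yet
    print(table.postrouting("192.168.1.25"))  # creates the binding
    print(table.prerouting("10.99.1.1"))      # now translated
```

In this model an inbound packet to a mapped address is left untouched until the LAN host has sent traffic out through the POSTROUTING rule, which matches the "got a response just once" symptom described above.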