iptables – How to Change Destination IP Without DNAT

iptables

I'm trying to workaround a broken application which insists on connecting to the private address (and thus unreachable) of a server, instead of connecting to the public address (even if the relevant port is open). Changing the application is not an option.

I'm trying to add iptables rules on the client(s) to change the destination ip for the packets going to 192.168.251.3 to go to 1.2.3.4 instead. DNAT isn't working since 1.2.3.4 is not an IP on any of my client interfaces.

Can anyone point me to the relevant documentation that allows me to use MANGLE to change destination IPs?

Best Answer

Never mind this question - seems I was doing something wrong. It works with DNAT:

iptables -t nat -A OUTPUT -p tcp -d 192.168.251.3 -j DNAT --to-destination 1.2.3.4

Related Solutions

Linux – Overlapping MASQUERADE and DNAT

I hope I'm understanding your question, too. Your response to Luke in the comments to baumgart's answer caused me to second-guess my understanding your requirements, but I'm going to post this anyway.

What baumgart is telling you to do in his answer will work, but his last paragraph where he talks about "...will likely cause problems with client-server apps..." isn't correct. He's forgetting that Netfilter's NAT implementation is stateful. That stateful nature of the NAT engine in Netfilter is your friend here.

When the conversation between an Internet host and one of your public IPs gets DNAT'ed to a private IP address Netfilter won't "MASQUERADE" the response packets coming from the private IP back to the Internet host. That's not to say the response packets aren't NAT'ed, but they're not "MASQUERADED". Rather, Netfilter implicity "does the right thing" and SNAT's the response packets from the private IP back to the public IP address to which the Internet host initiated the conversation. It's really very slick.

Meanwhile, for conversations originating from the private IP address to the Internet (not in response to incoming requests from the Internet) the "MASQUERADE" rule will apply.

Basically, Netfilter does what you want "out of the box". I took some time and mocked this up on a test setup just to be sure, and, so long as I understand your requirements properly, it's doing exactly what you're looking for.

(Sorry about not being able to answer earlier in the day-- I was busy with some things earlier today and couldn't, ya' know, play Server Fault as much as I like to.)

Linux – DNAT to 127.0.0.1 with iptables / Destination access control for transparent SOCKS proxy

You cannot do this trick with 127/8 network as it is treaded specially inside linux kernel. But you can create dummy network interface, assign ip address to it, bind your service to this address and do NAT.

root@vm8583:~# ip link add bogus type dummy
root@vm8583:~# sysctl net.ipv4.conf.eth0.arp_ignore=3
root@vm8583:~# ip addr add 10.0.0.1/32 bogus scope host
root@vm8583:~# ip link set bogus up
root@vm8583:~# ip link show bogus
4: bogus: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT 
    link/ether 5e:8b:38:f3:46:ce brd ff:ff:ff:ff:ff:ff

Note, you may need to set net.ipv4.conf.eth0.arp_ignore=3 so your server won't answer to ARP requests for 10.0.0.1 incoming via eth0:

arp_ignore - INTEGER
    Define different modes for sending replies in response to
    received ARP requests that resolve local target IP addresses:
. . .
    3 - do not reply for local addresses configured with scope host,
    only resolutions for global and link addresses are replied
    4-7 - reserved

Best Answer

Related Solutions

Linux – Overlapping MASQUERADE and DNAT

Linux – DNAT to 127.0.0.1 with iptables / Destination access control for transparent SOCKS proxy

Related Topic