linux
Ivan Gaidamakin, 2014-01-11 17:15:27

How to redirect outgoing traffic using iptables?

Good evening!
I'm trying to do this:
When I run telnet 127.0.0.1 2110, it should be redirected automatically to 1.1.1.1 2106.

echo "1" > /proc/sys/net/ipv4/ip_forward   # enable IPv4 forwarding
iptables -F                                # flush the rules of the filter table
iptables -t nat -A OUTPUT --src 0/0 --dst 127.0.0.1 -p tcp --dport 2110 -j DNAT --to-destination 1.1.1.1:2106
telnet 127.0.0.1 2110

I tried this method, but it does not work; maybe I am doing something wrong?
Looking forward to your reply, thanks in advance!


2 answer(s)
EvilMan, 2014-01-11
@MeGaPk

In general, specifying --dst 127.0.0.1 does not work. Probably something needs to be tweaked in sysctl. To make it work, you have to specify an address that is assigned to some other interface. It is hard to pin down the cause of this behaviour right away; it needs digging into, but I am not in the mood for that at the moment. Maybe later.
A little test that I did myself.

~$ ip -4 a ls dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
~$ ip -4 a ls dev eth0.200
4: eth0.200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 172.27.65.228/16 brd 172.27.255.255 scope global eth0.200
~$ sudo iptables -t nat -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 295 packets, 17876 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  1660 DNAT       tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:65001 to:1.1.1.1:8001
    2   120 DNAT       tcp  --  *      *       0.0.0.0/0            172.27.65.228        tcp dpt:65001 to:1.1.1.1:8002

We check the first case (the rule with dst 127.0.0.1). tcpdump shows nothing, and there is no entry for the flow in the conntrack table.
~$ telnet 127.0.0.1 65001
~$ sudo conntrack -L --orig-dst 127.0.0.1
conntrack v1.2.1 (conntrack-tools): 0 flow entries have been shown.

Now the other option, where dst is 172.27.65.228. In tcpdump we see outgoing packets, and in the conntrack table there is an entry for the flow.
~$ telnet 172.27.65.228 65001
~$ sudo tcpdump -ni eth0.200 'ip host 1.1.1.1'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.200, link-type EN10MB (Ethernet), capture size 65535 bytes
19:21:59.848777 IP 172.27.65.228.48735 > 1.1.1.1.8002: Flags [S], seq 3790799685, win 43690, options [mss 65495,sackOK,TS val 1388718972 ecr 0,nop,wscale 7], length 0
19:22:00.850050 IP 172.27.65.228.48735 > 1.1.1.1.8002: Flags [S], seq 3790799685, win 43690, options [mss 65495,sackOK,TS val 1388719974 ecr 0,nop,wscale 7], length 0
19:22:02.852057 IP 172.27.65.228.48735 > 1.1.1.1.8002: Flags [S], seq 3790799685, win 43690, options [mss 65495,sackOK,TS val 1388721976 ecr 0,nop,wscale 7], length 0
19:22:06.860066 IP 172.27.65.228.48735 > 1.1.1.1.8002: Flags [S], seq 3790799685, win 43690, options [mss 65495,sackOK,TS val 1388725984 ecr 0,nop,wscale 7], length 0
....
~$ sudo conntrack -L --orig-src 172.27.65.228 --orig-dst 172.27.65.228
tcp      6 117 SYN_SENT src=172.27.65.228 dst=172.27.65.228 sport=48924 dport=65001 [UNREPLIED] src=1.1.1.1 dst=172.27.65.228 sport=8002 dport=48924 mark=0 use=1
conntrack v1.2.1 (conntrack-tools): 1 flow entries have been shown.

Ingtar, 2014-01-11
@Ingtar

I may be wrong, but it is better to do this in PREROUTING, with syntax like this:
iptables -t nat -A PREROUTING --destination 127.0.0.1 -p tcp --dport 2110 -j DNAT --to-destination 1.1.1.1:2106
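An added example that is not part of the thread, pulling together what the two answers above found. Locally generated connections never pass through PREROUTING (that hook only sees packets arriving from a network interface), so the DNAT belongs in the nat OUTPUT chain, as the question already has it, and ip_forward is irrelevant for the same reason. What breaks the 127.0.0.1 case is the source address: connecting to 127.0.0.1 binds the socket to source 127.0.0.1, and after DNAT the rerouted packet carries a 127/8 source that the kernel will not route out of a non-loopback interface, so it is dropped before conntrack confirms the entry, which matches the empty conntrack output in the first answer. Setting net.ipv4.conf.<egress>.route_localnet=1 on the egress interface lifts that check for both the outgoing packet and the returning reply, and a MASQUERADE rule gives the packet a source the remote end can answer. When the address the client connects to is already an address of a real interface, as in the second test of the first answer, the source is that address and neither step is needed. The script assumes the addresses from the question, that the route to 1.1.1.1 leaves via eth0 (EGRESS_IF; check with ip route get 1.1.1.1), a kernel that has the route_localnet sysctl, and that iptables, conntrack and tcpdump are installed. DRY_RUN=1 prints the commands instead of running them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread: redirect a locally originated
# connection to 127.0.0.1:2110 to 1.1.1.1:2106 via DNAT in the nat OUTPUT chain.
# Assumptions: the route to TARGET_ADDR leaves through EGRESS_IF (check with
# `ip route get 1.1.1.1`), and iptables, conntrack and tcpdump are installed.
set -eu

LISTEN_ADDR=${LISTEN_ADDR:-127.0.0.1}   # the address the client connects to
LISTEN_PORT=${LISTEN_PORT:-2110}
TARGET_ADDR=${TARGET_ADDR:-1.1.1.1}     # where the connection actually goes
TARGET_PORT=${TARGET_PORT:-2106}
EGRESS_IF=${EGRESS_IF:-eth0}            # assumed egress interface towards TARGET_ADDR
DRY_RUN=${DRY_RUN:-0}                   # DRY_RUN=1 prints the commands instead of running them

# Print or execute a command, so the rule set can be reviewed without root.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True when the address the client connects to is in 127.0.0.0/8.
is_loopback() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

redirect_apply() {
    if is_loopback "$LISTEN_ADDR"; then
        # A connection to 127.0.0.1 is bound to source 127.0.0.1 before the SYN
        # reaches the nat OUTPUT chain. After DNAT the packet is rerouted to
        # EGRESS_IF, and the kernel refuses to route a 127/8 source out of a
        # non-loopback interface unless route_localnet is set on it; the same
        # knob lets the reply, whose destination is translated back to
        # 127.0.0.1, be accepted on EGRESS_IF. The '/' separators keep a dotted
        # interface name such as eth0.200 intact for sysctl(8).
        run sysctl -w "net/ipv4/conf/${EGRESS_IF}/route_localnet=1"
    fi
    # ip_forward is not needed: locally generated packets never take the
    # FORWARD path. `iptables -F` only flushes the filter table; stale nat
    # rules are cleared with `iptables -t nat -F OUTPUT`.
    run iptables -t nat -A OUTPUT -p tcp -d "$LISTEN_ADDR" --dport "$LISTEN_PORT" \
        -j DNAT --to-destination "${TARGET_ADDR}:${TARGET_PORT}"
    if is_loopback "$LISTEN_ADDR"; then
        # 127.0.0.1 is not a usable source on the wire: rewrite it to the
        # egress address so the remote side can answer. When LISTEN_ADDR is an
        # address of a real interface (the case the first answer found to
        # work) the source is already that address and no SNAT is needed.
        run iptables -t nat -A POSTROUTING -o "$EGRESS_IF" -s 127.0.0.1 -j MASQUERADE
    fi
}

redirect_remove() {
    run iptables -t nat -D OUTPUT -p tcp -d "$LISTEN_ADDR" --dport "$LISTEN_PORT" \
        -j DNAT --to-destination "${TARGET_ADDR}:${TARGET_PORT}"
    if is_loopback "$LISTEN_ADDR"; then
        run iptables -t nat -D POSTROUTING -o "$EGRESS_IF" -s 127.0.0.1 -j MASQUERADE
    fi
}

# The checks from the first answer: a working redirect leaves a conntrack entry
# for the original destination and shows SYNs to the target on EGRESS_IF.
redirect_verify() {
    run conntrack -L --orig-dst "$LISTEN_ADDR"
    run tcpdump -ni "$EGRESS_IF" -c 3 "host $TARGET_ADDR and port $TARGET_PORT"
}

case "${1:-}" in
    apply)  redirect_apply ;;
    remove) redirect_remove ;;
    verify) redirect_verify ;;
    show)   DRY_RUN=1; redirect_apply ;;
esac
```

Run it as root with `apply`, check with `verify` while a `telnet 127.0.0.1 2110` is in progress, and undo with `remove`; `show` prints the rules without touching anything. Leftover nat rules from earlier attempts are listed with `iptables -t nat -L OUTPUT -n -v` (as in the first answer) and removed with `iptables -t nat -F OUTPUT`, since the `iptables -F` in the question only flushes the filter table.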
