
How to change dst ip after routing

March 24

How to change destination IP address after routing decision was made, i.e. in POSTROUTING chain of iptables?

Answers

Eh... as the name suggests, it is a bit too late to do it in the POSTROUTING table.

This and this are quite helpful to see what happens when. If you really have to rewrite the dst address, maybe put another machine in the line [virtual?] or, even better, rethink why you would want to do that.

If you really want to change the destination in POSTROUTING, perhaps you can try abusing the NETMAP target? I'm not sure if it works, but try something like:

iptables -t nat -A POSTROUTING -d 1.2.2.2/32 -j NETMAP --to=1.3.3.3/32

I don't think there's a good answer for this. I don't think iptables lets you change the destination IP address after routing. What I want to do is:

iptables -t nat -A POSTROUTING -o eth0 -p udp -d 10.0.0.0/8 --dport 53 -m comment --comment "Redirect DNS when VPN is down" -j DNAT --to-destination 8.8.8.8

But that isn't legal. I want to change the destination address based on the output interface, which isn't known until after routing.

If you could change the destination IP address, it would be too late to change the routing (which would be fine for my example use). You only get to route packets once.

The only solution I'm aware of would be to have a virtual machine that sits between eth0 and the real network which could then do DNAT.

For my purposes, I can dynamically add or remove a prerouting rule when the VPN interface goes down or comes up, but it feels like a clumsy solution.
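The "dynamically add or remove a prerouting rule" workaround from the last answer, written out as an added example (this is not code from any of the answers). It assumes the VPN interface is called tun0 and reuses the 10.0.0.0/8 DNS range and the 8.8.8.8 resolver from the question. The DNAT goes into the nat PREROUTING chain because that hook runs before the routing decision, which is exactly why it is allowed there and not in POSTROUTING; the `iptables -C` check keeps the rule from being appended a second time when the hook fires repeatedly, and the decision logic is kept in a pure function so it can be tested without touching the firewall.

```shell
#!/bin/sh
# Added example, not taken from the original answers. Keeps a PREROUTING DNAT
# rule in place only while the VPN interface is down. The interface name,
# DNS range and fallback resolver below are assumptions for illustration.
set -eu

VPN_IF="${VPN_IF:-tun0}"                  # assumed VPN interface name
DNS_NET="${DNS_NET:-10.0.0.0/8}"          # internal DNS range from the question
FALLBACK_DNS="${FALLBACK_DNS:-8.8.8.8}"   # fallback resolver from the question
IPTABLES="${IPTABLES:-iptables}"          # set IPTABLES=echo for a dry run

# Pure decision: given the VPN state ("up"|"down") and whether the rule is
# currently installed ("present"|"absent"), print "add", "delete" or "none".
decide_action() {
    case "$1/$2" in
        down/absent)            echo add ;;
        up/present)             echo delete ;;
        up/absent|down/present) echo none ;;
        *) echo "decide_action: bad state $1/$2" >&2; return 1 ;;
    esac
}

# The rule specification is written once so that -A, -D and -C always refer
# to exactly the same rule; a mismatch is the usual cause of duplicate rules.
dnat_rule() {
    case "$1" in
        add)    flag=-A ;;
        delete) flag=-D ;;
        check)  flag=-C ;;
        *) echo "dnat_rule: unknown action $1" >&2; return 1 ;;
    esac
    "$IPTABLES" -t nat "$flag" PREROUTING -p udp -d "$DNS_NET" --dport 53 \
        -m comment --comment "Redirect DNS when VPN is down" \
        -j DNAT --to-destination "$FALLBACK_DNS"
}

# Bit 0 of /sys/class/net/<if>/flags is IFF_UP. The flags file is used rather
# than operstate because tun devices commonly report operstate "unknown".
iface_flags_up() {
    [ $(( $1 & 1 )) -eq 1 ]
}

vpn_is_up() {
    flags=$(cat "/sys/class/net/$VPN_IF/flags" 2>/dev/null) || return 1
    iface_flags_up "$flags"
}

rule_present() {
    dnat_rule check >/dev/null 2>&1
}

# Observe both states, decide, apply at most one change, and report it.
sync_dns_redirect() {
    if vpn_is_up; then vpn=up; else vpn=down; fi
    if rule_present; then rule=present; else rule=absent; fi
    action=$(decide_action "$vpn" "$rule")
    case "$action" in
        add|delete) dnat_rule "$action" ;;
    esac
    echo "$action"
}

# Only touch the firewall when explicitly asked, so the file can be sourced
# for its functions. Example: sh vpn-dns-sync.sh sync
case "${1-}" in
    sync) sync_dns_redirect ;;
esac
```

Run it as `sh vpn-dns-sync.sh sync` from the VPN client's up/down hook or from a short periodic timer; every invocation is idempotent because of the `-C` check (available in iptables since 1.4.11). Two caveats a practitioner should keep in mind: DNS queries generated by the router itself do not pass through PREROUTING, so the same rule would have to be mirrored into the nat OUTPUT chain for them; and this design fails open, sending internal DNS queries to a public resolver in the clear whenever the tunnel drops, so if the goal is to prevent leaks rather than to keep name resolution working, a filter rule that drops port 53 traffic on the non-VPN interface while the VPN is down is the safer shape.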
