
My host has two network interfaces:

eth0:172.16.125.5
eth1:172.165.8.55

I want to redirect all UDP traffic to eth1 port 1234 to eth0 port 1234, ie:

172.165.8.55:1234 -> 172.16.125.5:1234

After reading related posts here, I enabled ipv4_forwarding and then added the following rules to iptables:

iptables -t nat -A PREROUTING -p udp -d 172.165.8.55 --dport 1234 \
                         -j DNAT --to-destination 172.16.125.5:1234
iptables -A FORWARD -p udp -d 172.16.125.5 --dport 1234 -m state \
                         --state NEW,ESTABLISHED,RELATED -j ACCEPT

When I send UDP traffic to 172.165.8.55:1234, output of iptables -t nat -L -n -v does show the packet counts of the rule in PREROUTING chain going up. So I think that rule is working.

However, the output of iptables -L -n -v shows that the packet count of the rule in the FORWARD chain remains zero, so I don't think that rule is working. Also, the tcpdump output shows the incoming UDP traffic going to 172.165.8.55:1234 and does not show it being forwarded anywhere.

I then check the route table:

ip route show
172.16.125.0/24 dev eth0  proto kernel  scope link  src 172.16.125.5
172.165.8.0/24 dev eth1  proto kernel  scope link  src 172.165.8.55
default via 172.16.125.1 dev eth0

I don't see any route between the two subnets of eth0 and eth1. Is that why the redirecting isn't working? If so what changes do I need to make to the route table?

How about bridging the two network interfaces? Will that help? If so, how do I do that?

EDITED FOR ADDITIONAL INFO: I did some tests with nc as suggested. I am dealing with UDP so I used nc -u:

$ nc -u 172.165.8.55 1234

this is a test

nc: Write error: No route to host

The two windows which I have nc -ul running did not show anything. I did have another window open running tcpdump and it has the following output:

01:45:12.327911 IP 172.165.8.77.42726 > 172.165.8.55.1553: UDP, length 15 E..+7.@.@.mT.. M.. 7........this is a test ...

ADDITIONAL INFO: I think I know why I am getting "No route to host" from nc:

$ nc -u 172.165.8.55 1234
this is a test
nc: Write error: No route to host

My rule in the PREROUTING chain is working and the destination IP is being changed. However, my rule in the FORWARD chain is not working because my host does not know how to route to the new destination IP 172.16.125.5 when the source IP is not in the subnet 172.16.125.5.x. I do not get the "No route to host" error if I remove both rules from iptables.

How do I add a route from all traffic from 172.165.8.x subnet to 172.16.125.x subnet?

BillA
  • Can you please provide a diagram showing all used machines, their connections and the addresses at the interfaces. Where did you run `nc` and where `tcpdump`. Besides: the output of `tcpdump` doesn't match the call of `nc`, there are different ports. – Mathias Weidner Mar 14 '21 at 09:50
  • cut and paste error on output of tcpdump. port should be 1234 01:45:12.327911 IP 172.165.8.77.42726 > 172.165.8.55.1234: UDP, length 15 E..+7.@.@.mT.. M.. 7........this is a test ... – BillA Mar 14 '21 at 15:58
  • Can you please provide complete information as requested. With partial information it is difficult to provide a meaningful answer. – Mathias Weidner Mar 14 '21 at 16:22
  • I ran "nc -u 172.165.8.55 1234" on the host with IP 172.165.8.77. On the host with IP 172.165.8.55 I had three windows open. One window running "nc -ul 172.165.8.55 1234". Another window running "nc -ul 172.16.125.5 1234". The third window running tcpdump. – BillA Mar 15 '21 at 00:37

1 Answer

There is no packet forwarding involved because both addresses are on the same host. You would only need address translation if there is a process that is listening only on 172.16.125.5:1234 and not on 172.165.8.55:1234.

The iptables chains INPUT, OUTPUT and FORWARD are used like this:

INPUT is for traffic that arrives at a network interface and is directed to a process running on this host.

FORWARD is for traffic that arrives at a network interface and leaves at the same or another interface.

OUTPUT is for traffic that is generated at the host and leaves at any network interface.

Since you only change the destination address from one address of this host to another, this traffic doesn't leave the host and is only inspected in the INPUT chain.


Edit: Ignoring that you won't tell why you want to NAT traffic that is intended for your machine and has already arrived at your machine, let's consider how you can see if the traffic for 172.165.8.55:1234 is indeed going to 172.16.125.5:1234.

Open two terminal sessions on your machine and start the following:

nc -l 172.165.8.55 1234

In the second session you start:

nc -l 172.16.125.5 1234

After that you take any computer that knows how to send packets directed at address 172.165.8.55 to your machine and start the following:

nc 172.165.8.55 1234

Type in some words and observe in which of the above two terminal sessions these words appear.

Mathias Weidner
  • So what rule do I add to the INPUT chain in order to change the destination address? – BillA Mar 12 '21 at 19:40
  • DNAT is done in the PREROUTING chain and you already have a rule in that chain. But why do you want NAT in the first place. – Mathias Weidner Mar 13 '21 at 17:53
  • Yes, I already have a rule in the PREROUTING chain in the nat table. And the packet counts for the rule do go up when I send traffic to 172.165.8.55:1234. But I am not seeing any traffic going to 172.16.125.5:1234. What am I missing? – BillA Mar 13 '21 at 21:32
  • The bottom line is I want to see traffic going to 172.165.8.55:1234 redirect/forward to 172.16.125.5:1234. – BillA Mar 13 '21 at 21:33
  • 172.165.8.55:1234 -> 172.16.125.5:1234 – BillA Mar 13 '21 at 21:33
  • It does not matter to me how it is done as long as it gets done. If it can be done without NAT, that is good for me too. – BillA Mar 13 '21 at 21:34
  • Having trouble with newlines in comments, so I updated the original post with the results of nc and tcpdump. – BillA Mar 14 '21 at 02:29
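To turn the answer's chain explanation into a check you can run against your own counters, here is an added example (not from the question or the answer) that parses `iptables -L -n -v -x` output and reports, for each PREROUTING DNAT rule that matched, which filter chain counted packets for the rewritten destination. Both sample outputs are constructed; the INPUT rule in the filter sample is hypothetical, mirroring the question's FORWARD rule, since a locally owned destination is delivered through INPUT and never reaches FORWARD.

```python
import re

# Constructed sample of `iptables -t nat -L -n -v -x` for the host in the question (not the poster's output).
NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 12 packets, 900 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       5        420 DNAT       udp  --  *      *       0.0.0.0/0            172.165.8.55         udp dpt:1234 to:172.16.125.5:1234
"""

# Constructed `iptables -L -n -v -x` after a hypothetical counting rule was added to INPUT.
FILTER_OUTPUT = """\
Chain INPUT (policy ACCEPT 40 packets, 3000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       5        420 ACCEPT     udp  --  *      *       0.0.0.0/0            172.16.125.5         udp dpt:1234

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     udp  --  *      *       0.0.0.0/0            172.16.125.5         udp dpt:1234 state NEW,RELATED,ESTABLISHED
"""

def parse_iptables_lnv(text):
    """Parse `iptables -L -n -v -x` output into {chain: [rule dict, ...]} (-x keeps counters exact)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) ", line)
        if m:
            current, chains[m.group(1)] = m.group(1), []
            continue
        cols = line.split()
        if current is None or not cols or cols[0] == "pkts":
            continue  # blank line between chains, or the column header
        pkts, byts, target, prot, _opt, inif, outif, src, dst = cols[:9]
        chains[current].append({"pkts": int(pkts), "bytes": int(byts), "target": target,
                                "prot": prot, "in": inif, "out": outif, "src": src,
                                "dst": dst, "extra": " ".join(cols[9:])})
    return chains

def diagnose(nat_text, filter_text):
    """Map each matched PREROUTING DNAT target to the filter chains whose rule for it counted packets."""
    nat, filt = parse_iptables_lnv(nat_text), parse_iptables_lnv(filter_text)
    result = {}
    for r in nat.get("PREROUTING", []):
        m = re.search(r"to:(\S+):(\d+)$", r["extra"])
        if r["target"] != "DNAT" or not m or r["pkts"] == 0:
            continue  # only DNAT rules that actually matched something are interesting
        dst, port = m.group(1), m.group(2)
        result[f"{dst}:{port}"] = [chain for chain, rules in filt.items()
                                   if any(x["dst"] == dst and f"dpt:{port}" in x["extra"]
                                          and x["pkts"] > 0 for x in rules)]
    return result
```

The hypothetical INPUT rule in the sample corresponds to `iptables -I INPUT -p udp -d 172.16.125.5 --dport 1234 -j ACCEPT`; with the question's setup only that counter moves, which is the point the answer makes about INPUT versus FORWARD.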