
I constructed a private net with two machines, both of which have two network interfaces. This is the networking information:

machine1:

eth0 10.0.0.11 (private net)
eth1 10.82.80.208 (Campus Network ip)

machine2:

eth0 10.0.0.21 (private net)
eth2 10.82.80.207 (Campus Network ip)

I want to access 10.0.0.11 from my machine (10.82.80.206) in the campus network instead of using the campus net IP address, by means of iptables DNAT. For example, I want to change the destination of a packet from 10.0.0.11 to 10.82.80.208.

I'm trying to use iptables commands such as:

iptables -t nat -A PREROUTING -i eth0 -p tcp  -d 10.0.0.11 -j DNAT --to-destination 10.82.80.208
iptables -t nat -A PREROUTING -i eth0 -p icmp -d 10.0.0.11 -j DNAT --to-destination 10.82.80.208
iptables -t nat -A PREROUTING -i eth0 -p udp  -d 10.0.0.11 -j DNAT --to-destination 10.82.80.208

But it seems useless: when I try to ping 10.0.0.11, the host is still unreachable. How could I change the destination of packets on my machine from 10.0.0.11 to 10.82.80.208?

Andrew Schulman
user260787

1 Answer


The first mistake you are making is using the PREROUTING chain to manipulate locally generated packets. Packets that are generated on your own machine never traverse PREROUTING; they only traverse the OUTPUT and POSTROUTING chains. You should do NAT for locally generated packets in the OUTPUT chain, so your rules would look like:

# -i is not accepted in the OUTPUT chain (a locally generated packet has no
# input interface); match the outgoing interface with -o if needed, or omit it:
iptables -t nat -A OUTPUT -p tcp  -d 10.0.0.11 -j DNAT --to-destination 10.82.80.208
iptables -t nat -A OUTPUT -p icmp -d 10.0.0.11 -j DNAT --to-destination 10.82.80.208
iptables -t nat -A OUTPUT -p udp  -d 10.0.0.11 -j DNAT --to-destination 10.82.80.208

You should use PREROUTING only if your machine (10.82.80.206) is acting as a gateway to 10.0.0.11/21 for other machines on the campus network.

Jakov Sosic
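The two cases the answer distinguishes, as an added example that is not part of the original question or answer: one function installs the OUTPUT-chain DNAT for traffic the host itself generates, the other installs the PREROUTING DNAT for the gateway case together with the forwarding, FORWARD-chain and source-NAT rules that case needs for replies to come back through the gateway. The interface names passed to the gateway function and the DRY_RUN switch are assumptions for illustration; the addresses are the ones from the question.

```shell
#!/bin/sh
# Added example, not the asker's or answerer's own script. Assumed: a Linux
# host with iptables; interface names given to gateway_dnat are placeholders.
set -eu

# run: execute the command, or only print it when DRY_RUN=1, so the generated
# ruleset can be reviewed without root and without touching the live tables.
run() {
    if [ "${DRY_RUN:-}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Case 1: the host rewrites its own packets. Locally generated traffic hits
# nat/OUTPUT (then POSTROUTING), never PREROUTING. OUTPUT takes no -i match,
# because an originated packet has no input interface.
local_dnat() {
    private_ip=$1; campus_ip=$2
    for proto in tcp udp icmp; do
        run iptables -t nat -A OUTPUT -p "$proto" -d "$private_ip" \
            -j DNAT --to-destination "$campus_ip"
    done
}

# Case 2: the host is a gateway for other campus machines. PREROUTING rewrites
# packets arriving on $in_if; ip_forward and a FORWARD accept let them through;
# MASQUERADE on the way out makes the target reply via this gateway rather
# than directly to a client that never spoke to $campus_ip.
gateway_dnat() {
    in_if=$1; out_if=$2; private_ip=$3; campus_ip=$4
    run sysctl -w net.ipv4.ip_forward=1
    for proto in tcp udp icmp; do
        run iptables -t nat -A PREROUTING -i "$in_if" -p "$proto" -d "$private_ip" \
            -j DNAT --to-destination "$campus_ip"
    done
    run iptables -A FORWARD -i "$in_if" -o "$out_if" -d "$campus_ip" -j ACCEPT
    run iptables -A FORWARD -i "$out_if" -o "$in_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$out_if" -d "$campus_ip" -j MASQUERADE
}

# Check (needs root): number of DNAT rules in nat/OUTPUT for a destination.
# iptables -S prints the host match as "-d 10.0.0.11/32".
count_output_dnat() {
    iptables -t nat -S OUTPUT | grep -c -- "-d $1/32 .* -j DNAT" || true
}
```

Run `DRY_RUN=1 sh script.sh` after appending a call such as `local_dnat 10.0.0.11 10.82.80.208` to see the rules it would install, then run it as root without DRY_RUN. Two caveats worth checking when a test ping still fails: NAT rules are consulted only for the first packet of a connection, so a flow already tracked by conntrack keeps its old mapping until it expires or is deleted, and a DNAT to a different address only helps if the host actually has a route to that address.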