iptables nat table is not changing destination IP in PREROUTING?

Question

OK, so on a vanilla Ubuntu 14.04.2 install, i run the following commands:

sudo bash -c 'echo 1 > "/proc/sys/net/ipv4/ip_forward"'
sudo iptables -t nat -A PREROUTING -d 192.168.100.1 -j DNAT --to-destination 10.196.106.230
sudo tcpdump -i wlan0 icmp and icmp[icmptype]=icmp-echo -n

Then i ping 192.168.100.1 from another terminal. But, i see tcpdump showing me this:

01:46:37.536354 IP 10.196.100.76 > 192.168.100.1: ICMP echo request, id 6635, seq 1, length 64

However, if i flush the nat table and run this command instead:

sudo iptables -t nat -A OUTPUT -d 192.168.100.1 -j DNAT --to-destination 10.196.106.230

Then, tcpdump gives this:

01:46:53.168639 IP 10.196.100.76 > 10.196.106.230: ICMP echo request, id 6638, seq 1, length 64

(The ping is successful, with a pong coming back from the other machine.)

From the numerous tutorials online, i'd expect the destination IP to be changed even in the PREROUTING chain, right? Or am i missing something?

score 2 · Accepted Answer · answered Nov 11 '15 at 22:25

The PREROUTING chain is not evaluated on packets generated by local processes.

Your first rule will work on packet entering from a network interface (try to ping from a different computer).

Maybe this picture can clarify how the flow of packets is examined:

source: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-IPTables.html

iptables nat table is not changing destination IP in PREROUTING?

1 Answers1