I have TCP traffic from 192.168.3.51 going to 192.168.3.10, but instead I would like to have it sent to 192.168.3.50. Is there a way to set this up in iptables such that only TCP traffic coming from A and going to B is instead sent to C? Thank you.
Viewed 253 times
- Is [DNAT](http://linux-ip.net/html/nat-dnat.html) not a solution? If not, please update your question to mention you tried/considered DNAT, but need some other functionality or result. – iwaseatenbyagrue Apr 06 '17 at 16:50
- It does not appear that DNAT allows me to specify the Source **and** Destination requirement of the data before redirecting it to a new destination. I need to be able to redirect only the data "coming from A and going to B" to be sent to C. – Da Hai Zhu Apr 07 '17 at 01:58
2 Answers
As far as I know you can't set up routing behavior in a firewall such as iptables. But instead you can route the general traffic through B to C.

mushr00mer1990
- I have two IP addresses on the device and I want to make sure only traffic coming from the 2nd IP address that's to go to B is instead sent to C. – Da Hai Zhu Apr 06 '17 at 06:03
- Could you give me more information about your topology, please? – mushr00mer1990 Apr 06 '17 at 06:07
- You can "route" with iptables, see e.g. (first Google result) https://www.systutorials.com/1372/setting-up-gateway-using-iptables-and-route-on-linux/ – Dennis Nolte Apr 06 '17 at 07:28
- Basically, I'm trying to run an OpenVPN server and a Tor router on the same box such that VPN output to the internet (not the response back to the client) is sent through Tor. I've tried virtual interfaces and real interfaces, but I can't get the VPN interface to route to the Tor interface on the same box. P.S. Piece of cake with two boxes... – Da Hai Zhu Apr 06 '17 at 10:53
By the sound of it, DNAT would in fact work - your assumption that DNAT doesn't accept a source IP is incorrect.

The following would be a generic example of the rule you might need:

```
sudo iptables -t nat -A PREROUTING -s 1.1.1.1 -m tcp -p tcp --dport 8080 -d 2.2.2.2 -j DNAT --to-destination 3.3.3.3
```

This will mean that 1.1.1.1 will see the content from 3.3.3.3:8080 when it tries to connect to 2.2.2.2:8080 - so it isn't a redirect in the 'real' sense (e.g. an ICMP redirect), but it sounds like it would achieve what you are trying to achieve.

iwaseatenbyagrue
- I'll give it a try, but I'm confused. It looks like the above command says: route traffic from 1.1.1.1 that's going to 2.2.2.2 over to 3.3.3.3. – Da Hai Zhu Apr 10 '17 at 03:07
- Can't seem to get it to work. 192.168.3.51's gateway is 192.168.3.3. I want to redirect it to 192.168.3.50. So, on 192.168.3.51, I tried: `sudo iptables -t nat -A PREROUTING -s 192.168.3.50 -m tcp -p tcp -d 192.168.3.3 -j DNAT --to-destination 192.168.3.51` and `sudo iptables -t nat -A PREROUTING -s 192.168.3.51 -m tcp -p tcp -d 192.168.3.3 -j DNAT --to-destination 192.168.3.50` - made no difference. I don't think either changed anything. What'd I miss? – Da Hai Zhu Apr 10 '17 at 07:44