
I currently have these rules:

iptables -A PREROUTING -t nat -p udp -i eth0 -d 168.120.50.119 --dport 8080 -m statistic --mode random --probability 0.33 -j DNAT --to-destination 167.120.10.131:8080
iptables -A PREROUTING -t nat -p udp -i eth0 -d 168.120.50.119 --dport 8080 -m statistic --mode random --probability 0.33 -j DNAT --to-destination 167.120.10.132:8080
iptables -A PREROUTING -t nat -p udp -i eth0 -d 168.120.50.119 --dport 8080 -m statistic --mode random --probability 0.33 -j DNAT --to-destination 167.120.10.133:8080

Now I would like to know how I can handle those packets to send them to another address again.

I had tried with this:

iptables -t nat -I POSTROUTING -p udp -s 167.120.10.131 --sport 8080 -j SNAT --to 72.32.229.66:7777
iptables -t nat -I POSTROUTING -p udp -s 167.120.10.132 --sport 8080 -j SNAT --to 72.32.229.66:7777
iptables -t nat -I POSTROUTING -p udp -s 167.120.10.133 --sport 8080 -j SNAT --to 72.32.229.66:7777

Unfortunately, it did not work.

72.32.229.66 would be the IP on which the service is running. NOTE: All the IPs are on the same dedicated server, and on the same network card.

How could I do it?

  • `How could I do it?` I have tried figuring out what you are trying to do with your rules a couple times, and I don't understand at all what you expect or are hoping will happen. I suspect you may need to spend more time describing what you are doing. – Zoredache Feb 28 '19 at 21:32
  • I want an IP to redirect to another IP in each UDP packet that is received. My main objective is that I want to hide some IPs behind another one; previously I used a DNS but the attackers easily found the IPs. – Marcelo Reyes Feb 28 '19 at 21:44

2 Answers


The canonical answer to a whole class of problems "I know iptables commands, but I can't see what is actually happening to the packets" is:

  • Look at the packets using one of the tools (order of preference):
    • wireshark where you have GUI
    • tshark (wireshark's textual interface)
    • tcpdump (predecessor of tshark, speaking very roughly)
  • Do it not only on the end-node, but also on a (DIY) router or a proxy
  • If the packets mysteriously "disappear" after a hop, without any explanation within iptables:
    • ip route on every node; verify that backward traffic goes through the same hops; the packets have no "memory", it's up to you to manually match the forward-going entries (of the routing tables) with the backwards-facing entries.
kubanczyk

First of all, your approach to the issue is "security by obscurity", which will not work. Even if you do multiple NATs with the packets, it makes no difference.

The traffic can still be sent to the original destination by sending traffic to any of the addresses.

The actual problem with your current set of rules is that you have the latter SNAT rules in the first place.

DNAT rules are bidirectional in nature. They are aware of the association between two UDP IP:port pairs, and DNAT automatically handles the reply packets from the upstream server. Adding SNAT might break it.

Tero Kilkanen
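As an added illustration of this answer (not code from the question or the answerers), the script below generates the DNAT-only rule set that remains once the SNAT rules are dropped, using the question's addresses. It also goes one step beyond the page: the `statistic` match evaluates each rule independently on whatever reaches it, so an even split over N backends needs probabilities 1/N, 1/(N-1), ..., 1, not 0.33 three times. The rules are only printed; the `conntrack` check assumes conntrack-tools is installed.

```shell
#!/bin/sh
# Added example: build the DNAT load-balancing rules for the question's setup
# without any SNAT in POSTROUTING. Nothing is applied; the commands are echoed.

VIP=168.120.50.119                                   # address the clients hit
PORT=8080
BACKENDS="167.120.10.131 167.120.10.132 167.120.10.133"

# Rule k of N (k starting at 1) must match with probability 1/(N-k+1):
# 1/3 of all packets, 1/2 of what the first rule passed over, then the rest.
# Three rules at 0.33 each would leave roughly 30% of packets un-NATed.
dnat_rules() {
    set -- $BACKENDS
    n=$#
    k=0
    for b in "$@"; do
        remaining=$((n - k))
        if [ "$remaining" -gt 1 ]; then
            prob=$(awk -v r="$remaining" 'BEGIN { printf "%.6f", 1 / r }')
            echo "iptables -t nat -A PREROUTING -i eth0 -p udp -d $VIP --dport $PORT" \
                 "-m statistic --mode random --probability $prob" \
                 "-j DNAT --to-destination $b:$PORT"
        else
            # Last rule takes everything the earlier ones did not match.
            echo "iptables -t nat -A PREROUTING -i eth0 -p udp -d $VIP --dport $PORT" \
                 "-j DNAT --to-destination $b:$PORT"
        fi
        k=$((k + 1))
    done
    # No SNAT rule: conntrack stores the DNAT mapping per flow and rewrites
    # the backend's replies back to $VIP:$PORT on the way out by itself.
}

# Verification: each flow the DNAT rules handled shows up in the conntrack
# table with both the original and the translated tuple (assumes conntrack-tools).
verify_cmd() {
    echo "conntrack -L -p udp --dport $PORT"
}

dnat_rules
verify_cmd
```

Run as root with `sh script.sh | sh` to apply the rules, then run the printed `conntrack` command while a client sends UDP traffic to the VIP.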