21

Is it possible to change the destination port of a UDP packet using iptables?

I'm trying to get an SNMP agent to send out traps on 1620 instead of 162. Unfortunately so far I've only managed to change the source port:

iptables -t nat -A POSTROUTING -p udp --dport 162 -j SNAT --to :1620

Kristof Provost

6 Answers

8

Assuming you know which machine you are sending to:

iptables -t nat -A OUTPUT -p udp --dport 162 -j DNAT --to-destination <dest-ip>:1620
PiedPiper
7

you could redirect 162 to 1620

iptables -t nat -A PREROUTING -p udp --dport 162 -j REDIRECT --to-ports 1620
rollstuhlfahrer
5

This usage is apparently not supported. Taken from http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.txt:

6.3.7. Altering the Destination of Locally-Generated Connections

The NAT code allows you to insert DNAT rules in the OUTPUT chain, but this is not fully supported in 2.4 (it can be, but it requires a new configuration option, some testing, and a fair bit of coding, so unless someone contracts Rusty to write it, I wouldn't expect it soon).

The current limitation is that you can only change the destination to the local machine (e.g. `-j DNAT --to 127.0.0.1'), not to any other machine, otherwise the replies won't be translated correctly.

Adam Liss
2

@PiedPiper was right. With DNAT you must specify an IP address, but we only want to do port redirection, so -j REDIRECT may work in this case.

See http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.2

azkotoki
  • If I read that right, REDIRECT will send the packet to port 1620 on the local machine. I want it to go to the destination listed in the packet, but on port 1620 instead of 162. – Kristof Provost Oct 28 '08 at 11:42
1

Instead of using SNAT, try DNAT. The source port gets changed because SNAT means Source NAT, so DNAT will work for you.

azkotoki
  • To get DNAT to work you would need to specify an IP address as --to-destination – PiedPiper Oct 28 '08 at 11:06
  • That wouldn't be much of a problem in this case, but a DNAT rule doesn't seem to work either. The rule isn't hit and the packets sent out are not modified. – Kristof Provost Oct 28 '08 at 11:11
  • You cannot use DNAT on a POSTROUTING chain. http://iptables-tutorial.frozentux.net/iptables-tutorial.html#DNATTARGET – borodimer Oct 28 '08 at 17:11
  • Thanks for the advice @borodimer. The rule must be placed in PREROUTING if the packets come from the outside, and in OUTPUT if they are generated locally. – azkotoki Oct 28 '08 at 21:39
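As an added example (not code from any of the answers above), here is the OUTPUT-chain DNAT rule from the top answer, narrowed to the trap receiver, together with the check these comments turn on: whether the rule is actually being hit, read from the packet counters of the nat table. The receiver address 192.0.2.10, the sample listing and the function names are my own; it assumes the traps are generated on the host where the rule is installed.

```shell
#!/bin/sh
# Added example; not code from the original answers. Assumes traps are
# generated locally and the trap receiver's address is known.
# 192.0.2.10 is a placeholder for that receiver.
MANAGER="192.0.2.10"

# Emit the OUTPUT-chain DNAT rule for locally generated traps, restricted to
# the one receiver so no other UDP/162 traffic gets rewritten. It is printed
# rather than applied so it can be reviewed first (pipe to sh as root to apply).
dnat_rule() {
    printf 'iptables -t nat -A OUTPUT -p udp -d %s --dport 162 -j DNAT --to-destination %s:1620\n' "$1" "$1"
}

# Read the output of `iptables -t nat -L OUTPUT -v -n -x` on stdin and print
# the packet counter of the first rule matching "udp dpt:162", or "missing"
# if no such rule is listed. A counter that stays at 0 after sending a trap
# means the rule never matches, which is the symptom from the question
# (rule placed in POSTROUTING instead of OUTPUT).
rule_hits() {
    awk '/ udp / && / dpt:162 / { print $1; found = 1; exit }
         END { if (!found) print "missing" }'
}

# Constructed sample listing, shaped like iptables output after three traps
# have matched the rule.
SAMPLE_LISTING='Chain OUTPUT (policy ACCEPT 12 packets, 900 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      264 DNAT       udp  --  *      *       0.0.0.0/0            192.0.2.10           udp dpt:162 to:192.0.2.10:1620'

# Real session (as root): apply the rule, send a test trap with snmptrap,
# then run `iptables -t nat -L OUTPUT -v -n -x | rule_hits`; a capture with
# `tcpdump -ni any udp port 1620` should show the rewritten packets leaving.
main() {
    dnat_rule "$MANAGER"
    printf '%s\n' "$SAMPLE_LISTING" | rule_hits
}

main
```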
0

You could set up a divert rule and then re-inject the packet with the modified port.

I've done this a while back on Mac OS X but it's the same principle on Linux: http://blog.dv8.ro/2006/08/using-divert-sockets-on-mac-os-x.html

You basically need to create a very simple transparent proxy.

diciu