| View previous topic :: View next topic |
| Author |
Message |
Wizumwalt
Guru
Joined: 20 Aug 2006
Posts: 547
|
 Posted: Mon Oct 03, 2011 7:49 pm Post subject: iptables redirect/forward help |
 |
|
UDP packets from 192.168.10.5 using port 5001 are currently destined to 192.168.10.10.
I want iptables on 192.168.10.6 to redirect/forward UDP packets that it "sees" from 192.168.10.5 to itself. 192.168.10.6 should redirect these to itself so that I can get the packets into my application on 192.168.10.6. Currently, 192.168.10.6 will drop these packets because they are originally destined for 192.168.10.10.
I thought thats what I was doing here, but doesn't work.
| Code: |
$ iptables -t nat -A PREROUTING -i br0 -d 192.168.10.5 -p udp --dport 5001 -j DNAT --to-destination 192.168.10.6
|
Last edited by Wizumwalt on Fri Oct 07, 2011 4:46 pm; edited 1 time in total |
|
| Back to top |
|
 |
gentoo_ram
Guru
Joined: 25 Oct 2007
Posts: 513
Location: San Diego, California USA
|
| Posted: Tue Oct 04, 2011 3:29 pm Post subject: |
|
|
There are several reasons why this can't be done as stated.
The most important of which is that if the "hub" in question is an ethernet switch then the packets in question will not even physically make it to computer C. Any network using 100mpbs or 1000mbps ethernet is probably a switch. The switch looks at the ethernet address of the destination of the packets and only sends the packet down the appropriate port.
Even if the packets make it onto the segment with computer C, then computer C is going to filter them out the ethernet driver level because the destination ethernet address in the packet won't match that of computer C. You'd have to put the ethernet card in computer C into "promiscuous" mode to even have a chance for the IP stack to examine the packets.
And then even after that, the low-level of the IP stack is going to ignore the packets because the IP address doesn't match the one on computer C. I don't think IPtables will even have a chance to look at it.
Your only hope is having a firewall/router (be it a dedicated firewall box or a Linux box) sitting between A and B that can edit and/or duplicate the packets.
Can you modify the network configuration on box A to duplicate the packets before sending them? |
|
| Back to top |
|
|
Wizumwalt
Guru
Joined: 20 Aug 2006
Posts: 547
|
| Posted: Tue Oct 04, 2011 4:09 pm Post subject: |
|
|
Just the clarify, the hub really is a hub, not a switch. Actually, it's my virtual bridge br0 on my local box I'm testing with.
I've not used raw sockets before, but don't they run as super user and shouldn't I be able to get the entire frame no matter what the src and dest ip is?
| gentoo_ram wrote: | And then even after that, the low-level of the IP stack is going to ignore the packets because the IP address doesn't match the one on computer C. I don't think IPtables will even have a chance to look at it.
|
Would anyone know the answer to this? Does iptables really not see it yet? Because if it did, I'd think iptables would work here. |
|
| Back to top |
|
|
|
Networking & Security
