IPTABLES bounce outbound IP back to localhost

clunk · 10-04-2009, 12:42 PM

Hi - this is my first post here so be gentle with me :-)

I was asked if it was possible to use IPTABLES to bounce an outbound request, let's say for google: 74.125.67.100, to a different local IP, say 192.168.1.1?

In the past I've been able to use 'redirect' on a multi-nic box to force all port 80 traffic to Squid on 8080, but this was indiscriminate. All port 80 traffic was sent through.

A quick look around has suggested DNAT to me, so I've tried:

iptables -t nat -A PREROUTING -p tcp -d 74.125.67.100 --dport 80 -j DNAT --to-destination 192.168.1.1:80

When this did not work I've added:
iptables -t nat -A POSTROUTING -j MASQUERADE

And ... sysctl net.ipv4.ip_forward = 0 so...
echo 1 > /proc/sys/net/ipv4/ip_forward

But no matter what, my humble little box always takes me to google when I call http://74.125.67.100 (or curl 74.125.67.100).

I'm stumped. I'm not even entirely sure I can do this with IPTables on a single nic box when the request is coming from that box.

Am I missing something painfully obvious (like wrong chain, or 'can't do that because..)

Thanks to anyone who gets the time to respond.

Berhanie · 10-04-2009, 01:26 PM

To alter the destination of packets originating from the local machine, you need to put the rule in the OUTPUT chain:

Code:

iptables -t nat -A OUTPUT -p tcp -d 74.125.67.100 --dport 80 -j DNAT --to-destination 192.168.1.1:80

You can also use a REDIRECT target on the OUTPUT chain.

clunk · 10-05-2009, 02:19 AM

Thanks! I had a feeling about the output chain. That's just what the doctor ordered and works perfectly! Thank you so much.