How to change the target IP address using IPTables
I have a special situation where I need to change (mangle?) the target (destination) IP address for connections originating on an Ubuntu 11 host.
The idea is that if I browse, ssh, or ping, say, 1.1.1.1, I really want it to go to 2.2.2.2. On the host itself I have just one rule:
iptables -t nat -A OUTPUT -d 1.1.1.1 -j DNAT --to 2.2.2.2
However, this does not work. I know I've done something like this before and it wasn't that hard. But this time I just can't get it to work, nor can I find the answers. Thanks for your help! |
My bad, I meant to say I entered:
iptables -t nat -A PREROUTING -d 1.1.1.1 -j DNAT --to 2.2.2.2
I tried lots of other stuff and pasted in the wrong thing previously. |
Can you explain the network in a bit more detail?
Which machine are you putting the rule on? Are there other rules getting in the way? I.e. you probably need a rule in FORWARD to accept the traffic. Does either of the machines have other rules preventing it from working? Is there a router or something in between the two causing problems? What's in the logs? Perhaps try being more specific with the rule, i.e.:
-t nat -A PREROUTING -i $inIF -o $outIF -p tcp -m multiport --dports 22,80,etc -j DNAT --to-destination 2.2.2.2 |
Thanks for your input fukawi1.
This is on a laptop running Ubuntu 11, not a server. It is not acting as a router. There are no other rules. It couldn't be simpler. I realize, reading the man pages and such, that this seems to be for routing (net.ipv4.conf.all.forwarding = 1), but I want iptables on this host to mangle its own destination IP from 1.1.1.1 to 2.2.2.2.

The situation is something like this, but not quite. Say you have a website at 2.2.2.2, but there are links in the HTML that, instead of providing a relative reference, specify the IP address incorrectly as 1.1.1.1. Well, the links won't work because the IP is wrong. But if I fake my developer's laptop out to go to 2.2.2.2 whenever 1.1.1.1 is specified, then it will work. This isn't the real scenario, but it gives you the idea.

The thing is, I did this years ago for another situation. It may be that the way iptables works has changed since then. Or maybe I actually did it on a server acting as a Linux router. But it seems like this should be able to be done on a host.

---------- Post added 10-04-11 at 11:57 AM ----------

Oh, and I tried specifying protocol, etc. It still didn't work. Thanks. |
Well, I'm out. I can't visualise the scenario clearly, and I'm the type that needs to be able to draw a mental image of what's happening.
I haven't done much with iptables on a host of its own, only on a router. Sorry, pal. |
Thanks for trying.
|
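The point the thread circles around is which nat chain a locally generated packet actually passes through: packets created on the host itself enter netfilter at nat/OUTPUT and never see PREROUTING, which only handles packets arriving from an interface, so no IP forwarding is involved. The script below is an added example (not code posted in the thread) that wraps the OUTPUT-chain DNAT in idempotent apply/verify/remove helpers; it assumes a Linux host with root access, iptables and, for the verification step, the conntrack tool, and it reuses the thread's placeholder addresses 1.1.1.1 and 2.2.2.2 (override them via ORIG_DST and NEW_DST).

```shell
#!/bin/sh
# Added example: DNAT the host's OWN traffic from one address to another.
# Assumes Linux, iptables and (optionally) conntrack; run apply/remove as root.
ORIG_DST="${ORIG_DST:-1.1.1.1}"   # placeholder from the thread
NEW_DST="${NEW_DST:-2.2.2.2}"     # placeholder from the thread

# Which nat chain a DNAT rule must live in depends on where the packet
# enters netfilter: locally generated packets start at OUTPUT, packets
# arriving on an interface (to be forwarded or delivered here) at PREROUTING.
nat_chain_for() {
    case "$1" in
        local)    echo OUTPUT ;;
        incoming) echo PREROUTING ;;
        *)        return 1 ;;
    esac
}

# The match/target part of the rule; shared by -C (check), -A (append), -D (delete).
rule_match() {
    echo "-d $ORIG_DST -j DNAT --to-destination $NEW_DST"
}

apply_rule() {
    chain=$(nat_chain_for local)
    # -C returns 0 if an identical rule exists, so re-running does not stack duplicates.
    if iptables -t nat -C "$chain" $(rule_match) 2>/dev/null; then
        echo "rule already present in nat/$chain"
    else
        iptables -t nat -A "$chain" $(rule_match)
        echo "added DNAT $ORIG_DST -> $NEW_DST in nat/$chain"
    fi
}

verify_rule() {
    # The per-rule packet counter (-v) shows whether anything is matching;
    # conntrack shows the rewritten destination for flows that are in flight.
    iptables -t nat -L "$(nat_chain_for local)" -n -v --line-numbers
    if command -v conntrack >/dev/null 2>&1; then
        conntrack -L 2>/dev/null | grep -- "$NEW_DST" || echo "no tracked flows to $NEW_DST yet"
    fi
}

remove_rule() {
    iptables -t nat -D "$(nat_chain_for local)" $(rule_match)
}

# Entry point; with no argument the script only defines the functions.
case "${1:-}" in
    apply)  apply_rule ;;
    verify) verify_rule ;;
    remove) remove_rule ;;
    "")     ;;
    *)      echo "usage: $0 apply|verify|remove" >&2; exit 2 ;;
esac
```

Run `sh dnat-local.sh apply`, generate some traffic (for example `ping 1.1.1.1`), then `sh dnat-local.sh verify`: the pkts column on the rule should increase, and conntrack should list the flow with its reply direction coming from 2.2.2.2. Note that conntrack un-does the DNAT on replies automatically, so nothing is needed in the other direction. Because a rule like this silently redirects a host's own connections, the nat/OUTPUT chain is also worth including in any host review or incident triage checklist alongside /etc/hosts and the routing table.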