Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 09-19-2017, 12:50 PM   #1
plittle
LQ Newbie
 
Registered: Sep 2017
Posts: 4

Trouble with iptables DNAT rules for locally-originated TCP packets


I've got a CentOS 6.6 server (upgrading to CentOS 7 not currently an option) with an application running on it that is attempting to make outbound TCP connections to another server in the network. For test purposes, I want to redirect that traffic to a third server, but without changing the settings in the application (doing so would also change the contents of the message in troublesome ways). I've been trying to do this via iptables rules - the rule that I've been trying to use is:

iptables -t nat -A OUTPUT -p tcp -d <original destination address> -j DNAT --to-destination <new destination address>

Unfortunately, this rule isn't working - TCP packets are being sent to the original destination address, bypassing the new address entirely. Some things I've checked:

- Before adding my rule, all the iptables chains are empty, both in the nat and filter tables. Default policy is ACCEPT.
- I've got IP forwarding enabled (sysctl -w net.ipv4.ip_forward=1 - I didn't edit /etc/sysctl.conf because this is a temporary setup and I don't want the change to persist over a reboot).
- Changing to a destination port rather than destination address, or specifying both address and port, doesn't help.
- I tried adding the following rules, which didn't help:
Code:
iptables -A FORWARD -p tcp -d 10.249.18.1 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
- If I remove the -p tcp option, then ICMP pings get redirected appropriately - but TCP and UDP packets continue not to get redirected.

Does anyone have any suggestions (or is there more information needed)? Thanks!
 
Old 09-19-2017, 03:54 PM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

OK, if this firewall is set up on the CentOS server that the application is running on, then there is no need for FORWARD. FORWARD is only used when a packet comes in eth0 and leaves on eth1, for example.

Does this server have more than one interface? If so, then you need to do a little more work. Either way, you want to use PREROUTING to modify the packet destination address.
Code:
iptables -t nat -A PREROUTING -p tcp -d x.x.x.x -j DNAT --to-destination x.x.x.x
 
1 members found this post helpful.
Old 09-20-2017, 05:45 AM   #3
plittle
LQ Newbie
 
Registered: Sep 2017
Posts: 4

Original Poster
Thanks for the reply! The server does indeed have more than one interface (there are four of them not counting lo, split between two different network namespaces); the traffic I need to modify will always be going out the same interface. Could you let me know what I need to do to account for the multiple interfaces?
 
Old 09-20-2017, 02:28 PM   #4
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

OK, are you routing any traffic through this box? I.e., something coming in on one interface that just traverses the box to go out another?

Code:
Example:
[user]<-->{eth0}[server]{eth1}<-->[user/other device]
  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Code:
Not this:
[user]<-->{eth0}[server]{eth1}<-->[user/other device]
   >>>>>>>>>>>>>>>>  <<<<<<<<<<<<<<<<<<<<<
 
Old 09-21-2017, 05:19 AM   #5
plittle
LQ Newbie
 
Registered: Sep 2017
Posts: 4

Original Poster
No - all traffic arriving at the server is terminated there.
 
Old 09-21-2017, 08:28 AM   #6
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

OK, to account for multiple interfaces you would need to add the interface to the firewall rule to ensure it is applied only to that interface.

Example:
Code:
iptables -A OUTPUT -j MASQUERADE
to
Code:
iptables -A OUTPUT -o eth0 -j MASQUERADE
 
Old 09-25-2017, 06:14 AM   #7
plittle
LQ Newbie
 
Registered: Sep 2017
Posts: 4

Original Poster
Unfortunately, still no luck:
- I can't use the -o flag in the PREROUTING table.
- I've tried adding a rule of that type to the OUTPUT table, but it hasn't changed anything.
- I've also added the MASQUERADE rule to POSTROUTING, but still no change.
 
Old 09-25-2017, 01:34 PM   #8
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Can you post the output of the following:

Code:
ip addr
route -n
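Editor's note, added to this thread and not part of any poster's reply: the thread ends without a resolution, and several of the rules tried along the way are rejected or ignored by netfilter for reasons that are easy to check before touching the box. Packets that a process on the host itself generates traverse the nat OUTPUT chain (the chain the original post used), never PREROUTING, which only sees packets arriving on an interface; MASQUERADE is accepted only in the nat POSTROUTING chain; and -o is accepted only in OUTPUT, FORWARD and POSTROUTING. Two further things worth verifying in a setup like the one described: nat rules are consulted only for the first packet of a connection, so a connection the application already holds open keeps its original destination until it is re-established; and iptables rules belong to a network namespace, so with the application and the rules in different namespaces the rules never see its traffic. The script below is an added example that lints an iptables-save dump for the chain-placement mistakes discussed above. The sample ruleset, the TEST-NET-1 addresses 192.0.2.10 and 192.0.2.20, and the interface name eth0 are all constructed for the example.

```python
"""Lint an iptables-save ruleset for DNAT/MASQUERADE chain-placement mistakes.

Added example; chain and target placement facts follow netfilter's hook
semantics. Sample rules, addresses (RFC 5737 TEST-NET-1) and the interface
name eth0 are constructed for illustration.
"""
from dataclasses import dataclass

# Built-in chains in which an interface match is legal.
OUT_IFACE_CHAINS = {"OUTPUT", "FORWARD", "POSTROUTING"}  # -o / --out-interface
IN_IFACE_CHAINS = {"PREROUTING", "INPUT", "FORWARD"}     # -i / --in-interface


@dataclass
class Rule:
    table: str
    chain: str
    args: list


def parse_save(text):
    """Parse iptables-save output; keeps '-A' rules, skips policies and COMMIT."""
    rules, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]              # '*nat' -> 'nat'
            continue
        parts = line.split()
        if parts[0] == "-A" and len(parts) >= 2:
            rules.append(Rule(table, parts[1], parts[2:]))
    return rules


def _value(args, flag):
    """Return the token following `flag`, or None if the flag is absent."""
    if flag not in args:
        return None
    i = args.index(flag)
    return args[i + 1] if i + 1 < len(args) else None


def lint(text, local_origin=True):
    """Return (code, chain, rule_text) findings for the built-in chains.

    local_origin=True means the goal is to redirect traffic that this host
    itself generates (the thread's case); PREROUTING never sees such packets.
    """
    findings = []
    for r in parse_save(text):
        rule = " ".join(["-A", r.chain, *r.args])
        target = _value(r.args, "-j")
        has_out = bool({"-o", "--out-interface"} & set(r.args))
        has_in = bool({"-i", "--in-interface"} & set(r.args))
        if has_out and r.chain not in OUT_IFACE_CHAINS:
            findings.append(("OUT_IFACE_INVALID", r.chain, rule))
        if has_in and r.chain not in IN_IFACE_CHAINS:
            findings.append(("IN_IFACE_INVALID", r.chain, rule))
        if target == "MASQUERADE" and (r.table, r.chain) != ("nat", "POSTROUTING"):
            findings.append(("MASQ_WRONG_CHAIN", r.chain, rule))
        if target == "DNAT":
            if r.table != "nat" or r.chain not in {"PREROUTING", "OUTPUT"}:
                findings.append(("DNAT_WRONG_CHAIN", r.chain, rule))
            elif r.chain == "PREROUTING" and local_origin:
                findings.append(("DNAT_PREROUTING_LOCAL", r.chain, rule))
    return findings


def local_dnat_rule(orig_dst, new_dst, out_iface=None):
    """Rule shape that applies to locally generated TCP: nat OUTPUT, optional -o."""
    iface = f" -o {out_iface}" if out_iface else ""
    return (f"iptables -t nat -A OUTPUT{iface} -p tcp -d {orig_dst} "
            f"-j DNAT --to-destination {new_dst}")


# Constructed dump mixing the rule shapes tried in the thread.
SAMPLE_RULESET = """
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 192.0.2.10/32 -p tcp -j DNAT --to-destination 192.0.2.20
-A PREROUTING -d 192.0.2.10/32 -p tcp -j DNAT --to-destination 192.0.2.20
-A PREROUTING -o eth0 -d 192.0.2.10/32 -p tcp -j DNAT --to-destination 192.0.2.20
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o eth0 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    for code, chain, rule in lint(SAMPLE_RULESET):
        print(f"{code:22} {chain:12} {rule}")
    print("suggested:", local_dnat_rule("192.0.2.10", "192.0.2.20", "eth0"))
```

Run it against a real dump with `iptables-save | python3 lint_nat.py` after replacing SAMPLE_RULESET with `sys.stdin.read()`; user-defined chains are not classified, so a DNAT in a custom chain jumped to from nat OUTPUT is reported as DNAT_WRONG_CHAIN and needs a manual look.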
 
  


All times are GMT -5. The time now is 09:45 AM.
