ansaurus

Question

Using iptables to change a destination port

Answer 1

+1 A:

Instead of making SNAT, try with DNAT. The source port gets changed because SNAT means SourceNAT, so DNAT will work for you.

azkotoki 2008-10-28 11:04:05

to get DNAT to work you would need to specify an ip-address as --to-destination

PiedPiper 2008-10-28 11:06:26

That wouldn't be much of a problem in this case, but a DNAT rule doesn't seem to work either. The rule isn't hit and the packets sent out are not modified.

Kristof Provost 2008-10-28 11:11:45

You cannot use DNAT on a POSTROUTING chain. http://iptables-tutorial.frozentux.net/iptables-tutorial.html#DNATTARGET

borodimer 2008-10-28 17:11:38

Thanks for the advice @borodimer. The rule must be placed in PREROUTING if the packets come from the outside, and in OUTPUT if they are generated locally.

azkotoki 2008-10-28 21:39:36

Answer 2

A:

@PiedPiper was right. With DNAT you must specify an ip address, but we only want to do port redirection, so -j REDIRECT may work in this case.

See http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.2

azkotoki 2008-10-28 11:38:10

If I read that right redirect will send the packet to port 1620 on the local machine. I want it to go to the destination listed in the packet, but on port 1620 instead of 162.

Kristof Provost 2008-10-28 11:42:47

Yes, I didn't read that on the first time. Sorry.

azkotoki 2008-10-28 11:52:23

Answer 3

A:

Assuming you know which machine you are sending to:

iptables -t nat -A OUTPUT -p udp --dport 162 -j DNAT --to-destination <dest-ip>:1620

PiedPiper 2008-10-28 12:35:20

This causes my iptables to complain: "iptables: Invalid argument"

Kristof Provost 2008-10-28 13:41:05

It works for me. You are replacing <dest-ip> with a real ip address?

PiedPiper 2008-10-28 17:09:12

borodimer 2008-10-28 17:18:02

I have kernel 2.6.10 and iptables v1.3.3

Kristof Provost 2008-10-29 11:50:27

I have kernel 2.6.26 and iptables 1.4.1 but it should work with older versions.

PiedPiper 2008-10-29 12:32:07

Answer 4

A:

You could set up a divert rule and then re-inject the packet with the modified port.

I've done this a while back on Mac OS X but it's the same principle on Linux: http://blog.dv8.ro/2006/08/using-divert-sockets-on-mac-os-x.html

You basically need to create a very simple transparent proxy.

diciu 2008-10-28 12:39:46

Answer 5

+1 A:

This usage is apparently not supported. Taken from http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.txt:

6.3.7. Altering the Destination of Locally-Generated Connections

The NAT code allows you to insert DNAT rules in the OUTPUT chain, but
this is not fully supported in 2.4 (it can be, but it requires a new
configuration option, some testing, and a fair bit of coding, so unless someone contracts Rusty to write it, I wouldn't expect it soon).

The current limitation is that you can only change the destination to
the local machine (e.g. `j DNAT --to 127.0.0.1'), not to any other machine, otherwise the replies won't be translated correctly.

Adam Liss 2008-10-31 05:57:44

Doesn't that redirect to port 1620 on the local machine? This seems to be the same recommendation as askotoki gave.

Kristof Provost 2008-10-31 11:58:42

You're right ... I dug a bit deeper and found the above info.

Adam Liss 2008-10-31 14:32:04

Answer 6

A:

you could redirect 162 to 1620

iptables -t nat -A PREROUTING -p UDP --dport 162 -j REDIRECT --to-port 1620

2008-11-13 08:54:54

ansaurus

tags:

views:

answers:

Using iptables to change a destination port

related questions