
I have a program that sends UDP packets to 192.168.0.2:12345, receives packets on port 54321, and uses the 192.168.0.1 IP address. I want it to send packets to 10.10.10.10 with the same ports, because this program and the remote server only accept 12345 & 54321. This is the topology: (topology diagram not included in this copy)

At first, I used an iptables PREROUTING rule:

iptables -t nat -A PREROUTING -s 192.168.0.1 -p udp --dport 12345 -j DNAT --to 10.10.10.10:12345

But it does not work. I used LOG and found that the NAT never happened (192.168.0.1 & 192.168.0.2 do not need routing?):

iptables -t nat -A PREROUTING -s 192.168.0.1 -p udp --dport 12345 -j LOG

Then I found that these packets can be seen in the INPUT chain:

iptables -A INPUT -s 192.168.0.1 -p udp --dport 12345 -j LOG

Is there any way to use DNAT if I can only see these packets in INPUT?

BTW, I can use socat to redirect these packets, but I cannot lock the ports to 12345 & 54321 on the server side:

socat UDP4-RECVFROM:192.168.0.1,fork UDP4-SENDTO:10.10.10.10:12345
socat UDP4-RECVFROM:10.10.10.10,fork UDP4-SENDTO:192.168.0.1:54321

Some updates from my side: I can use physdev to NAT the packets now:

iptables -t nat -A PREROUTING -m physdev --physdev-in tap0 -s 192.168.0.1 -p udp --dport 12345 -j DNAT --to 10.10.10.10:12345

From tcpdump on eth0, I can see packets from 192.168.0.1 to 10.10.10.10 (192.168.0.1 cannot be used in my network):

tcpdump -n -i eth0 host 10.10.10.10
12:36:22.250548 IP 192.168.0.1.54321 > 10.10.10.10.12345: UDP, length 16

However, I cannot see these packets from the 10.10.10.10 server... Then I ran tcpdump on the remote server, and I can see these packets:

21:55:44.980988 IP 192.168.0.1.54321 > 10.10.10.10.12345: UDP, length 16

But 192.168.0.1 cannot be used in my lab network; it's dropped.

So the remaining problem becomes: how to DNAT a packet and then SNAT the same packet...

2 Answers


I fixed this issue by running the command

conntrack -F

after all of my iptables rules. There is no need to use --physdev; just use the following two rules:

iptables -t nat -A PREROUTING -s 192.168.0.1 -d 192.168.0.2 -p udp --dport 12345 -j DNAT --to 10.10.10.10:12345
iptables -t nat -A POSTROUTING -d 10.10.10.10/24 -o eth0 -j SNAT --to-source 10.10.10.5
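The following script is an added example, not part of either answer. It applies the same DNAT + SNAT pair as the accepted answer, but narrows both rules to the single UDP flow (the answer's `-d 10.10.10.10/24` SNAT rule rewrites the source of every packet leaving eth0 for that whole subnet) and, instead of `conntrack -F`, which drops the state of every tracked connection on the host, deletes only the stale entry for the rewritten flow. The addresses, ports and interface names are the ones from the question; the `NAT_CHAIN` switch to `OUTPUT` for locally generated traffic follows the second answer. `DRY_RUN=1` (the default) only prints the commands; set `DRY_RUN=0` to execute them as root.

```shell
#!/bin/sh
# Added example (not the original answers' code): scoped DNAT + SNAT for one
# UDP flow, with a targeted conntrack reset and verification commands.
# Values below are the question's; override them through the environment.
CLIENT_IP="${CLIENT_IP:-192.168.0.1}"   # address the program binds to
OLD_DST="${OLD_DST:-192.168.0.2}"       # address the program sends to
NEW_DST="${NEW_DST:-10.10.10.10}"       # real server
SNAT_SRC="${SNAT_SRC:-10.10.10.5}"      # routable address of this host on eth0
PORT="${PORT:-12345}"
OUT_IF="${OUT_IF:-eth0}"
# PREROUTING for traffic arriving from tap0/bridge (the question's case);
# OUTPUT for packets generated on this host (second answer).
NAT_CHAIN="${NAT_CHAIN:-PREROUTING}"
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print only, 0 = run via sh -c

# Print the two nat rules, one command per line. Both match only the single
# UDP flow instead of the whole /24.
nat_rules() {
    cat <<EOF
iptables -t nat -A $NAT_CHAIN -s $CLIENT_IP -d $OLD_DST -p udp --dport $PORT -j DNAT --to-destination $NEW_DST:$PORT
iptables -t nat -A POSTROUTING -s $CLIENT_IP -d $NEW_DST -o $OUT_IF -p udp --dport $PORT -j SNAT --to-source $SNAT_SRC
EOF
}

# Delete only the conntrack entry for the old flow. A cached entry created
# before the rules existed keeps the new DNAT from being applied; a full
# "conntrack -F" also works but discards state for every other connection.
conntrack_reset() {
    echo "conntrack -D -p udp --src $CLIENT_IP --dst $OLD_DST --dport $PORT"
}

# Commands to confirm the translation: rule packet counters, the translated
# conntrack entry, and the rewritten packets on the wire.
verify_cmds() {
    cat <<EOF
iptables -t nat -L -v -n
conntrack -L -p udp --dport $PORT
tcpdump -n -i $OUT_IF udp and host $NEW_DST
EOF
}

# Print or execute one command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$1"
    else
        sh -c "$1"
    fi
}

apply_nat_rules() {
    nat_rules | while IFS= read -r cmd; do run "$cmd"; done
    run "$(conntrack_reset)"
}

apply_nat_rules
echo "# verify with:"
verify_cmds
```

Order matters: add the rules first, then delete the stale conntrack entry, so the next packet of the flow is looked up fresh and picks up both translations.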

To perform DNAT of locally generated packets, one should use the OUTPUT chain of the nat table, not the PREROUTING chain.

Your rule should likely look like:

iptables -t nat -A OUTPUT -s 192.168.0.1 -p udp --dport 12345 -j DNAT --to 10.10.10.10:12345
  • This rule does not work... tcpdump does not show anything. I used PREROUTING with -m physdev --physdev-in tap0, which can DNAT the packets, but it sometimes does not work; not sure if it's related to conntrack. Commented Sep 21, 2020 at 7:15
  • Do you have a route on 10.10.10.10 which points back to 192.168.0.1 & 192.168.0.2?
    – Tomek
    Commented Sep 21, 2020 at 15:00
  • No such route existed. Commented Sep 22, 2020 at 1:46
