iptables: changing destination for specific network host

Question

honestly I don't know much about iptables but I'm facing this issue and I'm committed to solve it with iptables

The thing is that I want to change the destination ip for another just to one specific host on my network, not to everyone.

For instance:

Every time that 192.168.1.77 try to reach some ip 1.2.3.4 get swapped for another ip 5.6.7.8

I imagine that this can be done with iptables, I just don't know how, even reject that traffic works for me I think.

Thanks in advance

EDIT (Feb 23, 2017):

I have a partial solution rejecting the desired IP but this applies to everyone on my network and I need only to block it in one device

iptables -I FORWARD --destination 1.2.3.4 -j REJECT

As @FreedomPride requested:

root@naboo /root # iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
delegate_input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
delegate_forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
delegate_output  all  --  anywhere             anywhere            

Chain delegate_forward (1 references)
target     prot opt source               destination         
forwarding_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere             anywhere            
zone_wan_forward  all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain delegate_input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
input_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input  all  --  anywhere             anywhere            
zone_wan_input  all  --  anywhere             anywhere            

Chain delegate_output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
output_rule  all  --  anywhere             anywhere             /* user chain for output */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_output  all  --  anywhere             anywhere            
zone_wan_output  all  --  anywhere             anywhere            

Chain forwarding_VPN_rule (1 references)
target     prot opt source               destination         

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination         

Chain input_VPN_rule (1 references)
target     prot opt source               destination         

Chain input_lan_rule (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan_rule (1 references)
target     prot opt source               destination         

Chain output_VPN_rule (1 references)
target     prot opt source               destination         

Chain output_lan_rule (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination         

Chain output_wan_rule (1 references)
target     prot opt source               destination         

Chain reject (3 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere            

Chain zone_VPN_dest_ACCEPT (3 references)
target     prot opt source               destination         

Chain zone_VPN_forward (0 references)
target     prot opt source               destination         
forwarding_VPN_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_VPN_input (0 references)
target     prot opt source               destination         
input_VPN_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_VPN_src_ACCEPT  all  --  anywhere             anywhere            

Chain zone_VPN_output (0 references)
target     prot opt source               destination         
output_VPN_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_VPN_src_ACCEPT (1 references)
target     prot opt source               destination         

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
forwarding_lan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* forwarding lan -> wan */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere             /* forwarding lan -> VPN */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_input (1 references)
target     prot opt source               destination         
input_lan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-dgm /* Samba 1 */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn /* Samba 2 */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds /* Samba 3 */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_output (1 references)
target     prot opt source               destination         
output_lan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            

Chain zone_wan_forward (1 references)
target     prot opt source               destination         
forwarding_wan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* @rule[7] */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* @rule[8] */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere            

Chain zone_wan_input (1 references)
target     prot opt source               destination         
input_wan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* Allow-IGMP */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https /* HTTPS over WAN */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8000 /* LHTTP over WAN */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere            

Chain zone_wan_output (1 references)
target     prot opt source               destination         
output_wan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere

What's the settings in your iptables , could you share so we could identify the problem. — FreedomPride, Commented Feb 23, 2017 at 1:27
Hmm, I don't have any issues with iptables, in fact I believe I have almost the default rules of my installation, this is something new I want to add. I have testes some commands of my own with no success and I always do a restart to go back to the default. (Adding those in a few) — William Añez, Commented Feb 23, 2017 at 1:45

William Añez · Accepted Answer · 2017-02-25 00:27:09Z

-1

I just add the -s (as I said at the beginning: I didn't knew much about iptables...)

iptables -s 192.168.1.77 -I FORWARD --destination 1.2.3.4 -j REJECT

Cheers,

edited Feb 25, 2017 at 0:27

answered Feb 24, 2017 at 1:36

William Añez

1135 bronze badges

Add a comment |

Stack Exchange Network

iptables: changing destination for specific network host

1 Answer 1

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
linux
router
iptables
openwrt
dd-wrt
.

Hot Network Questions

iptables: changing destination for specific network host

1 Answer 1

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged linuxrouteriptablesopenwrtdd-wrt.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
linux
router
iptables
openwrt
dd-wrt
.