I have a program that sends UDP packets to 192.168.0.2:12345, receives packets on port 54321, and uses the IP address 192.168.0.1. I want it to send packets to 10.10.10.10 with the same ports, because this program and the remote server only accept 12345 & 54321.
This is the topology:
At first, I used an iptables PREROUTING rule:
iptables -t nat -A PREROUTING -s 192.168.0.1 -p udp --dport 12345 -j DNAT --to 10.10.10.10:12345
But it does not work. I used LOG and found that the NAT never happened (do 192.168.0.1 & 192.168.0.2 not need routing?):
iptables -t nat -A PREROUTING -s 192.168.0.1 -p udp --dport 12345 -j LOG
Then I found that these packets can be seen in the INPUT chain:
iptables -A INPUT -s 192.168.0.1 -p udp --dport 12345 -j LOG
Is there any way to use DNAT if I can only see these packets in INPUT?
BTW, I can use socat to redirect these packets, but I cannot lock the ports to 12345 & 54321 on the server side:
socat UDP4-RECVFROM:192.168.0.1,fork UDP4-SENDTO:10.10.10.10:12345
socat UDP4-RECVFROM:10.10.10.10,fork UDP4-SENDTO:192.168.0.1:54321
Some updates from my side: I can use physdev to NAT packets now:
iptables -t nat -A PREROUTING -m physdev --physdev-in tap0 -s 192.168.0.1 -p udp --dport 12345 -j DNAT --to 10.10.10.10:12345
From tcpdump on eth0, I can see packets from 192.168.0.1 to 10.10.10.10 (192.168.0.1 cannot be used in my network):
tcpdump -n -i eth0 host 10.10.10.10
12:36:22.250548 IP 192.168.0.1.54321 > 10.10.10.10.12345: UDP, length 16
However, I cannot see these packets from the 10.10.10.10 server... Then I ran tcpdump on the remote server, and I can see these packets:
21:55:44.980988 IP 192.168.0.1.54321 > 10.10.10.10.12345: UDP, length 16
But 192.168.0.1 cannot be used in my lab network; it is dropped.
So the remaining question becomes: how to DNAT a packet and then SNAT the same packet...
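The combination the question is asking for, as an added example that is not part of the original post: DNAT in PREROUTING rewrites the destination, SNAT in POSTROUTING rewrites the source to an address that is routable in the lab, and conntrack undoes both translations on the reply so the client still sees 192.168.0.2:12345 talking to its port 54321. The host's lab-side address (203.0.113.5), the device names tap0/eth0 and the FORWARD policy are assumptions, and the nat table is only consulted for the first packet of a conntrack flow, so the existing entry for the old flow has to be removed first.

```shell
#!/bin/sh
# Added example (not from the original post): DNAT + SNAT for one UDP flow.
CLIENT_IP=${CLIENT_IP:-192.168.0.1}     # the program's own address
OLD_SERVER=${OLD_SERVER:-192.168.0.2}   # where the program sends today
NEW_SERVER=${NEW_SERVER:-10.10.10.10}   # the lab server it should reach
SNAT_IP=${SNAT_IP:-203.0.113.5}         # placeholder: this host's address on eth0
IN_DEV=${IN_DEV:-tap0}                  # bridge port the client packets arrive on
OUT_DEV=${OUT_DEV:-eth0}                # interface towards the lab network
IPT=${IPT:-iptables}

# Emit the rules as text so they can be reviewed before being applied.
nat_rules() {
    cat <<EOF
$IPT -t nat -A PREROUTING -m physdev --physdev-in $IN_DEV -s $CLIENT_IP -d $OLD_SERVER -p udp --dport 12345 -j DNAT --to-destination $NEW_SERVER:12345
$IPT -t nat -A POSTROUTING -o $OUT_DEV -s $CLIENT_IP -d $NEW_SERVER -p udp --dport 12345 -j SNAT --to-source $SNAT_IP
$IPT -A FORWARD -i $IN_DEV -o $OUT_DEV -s $CLIENT_IP -d $NEW_SERVER -p udp --dport 12345 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $OUT_DEV -p udp --sport 12345 -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# What each side observes once the flow is NATed (for checking with tcpdump):
#   on tap0:  192.168.0.1.54321 > 192.168.0.2.12345   (untranslated)
#   on eth0:  203.0.113.5.54321 > 10.10.10.10.12345   (after DNAT + SNAT)
#   reply on eth0: 10.10.10.10.12345 > 203.0.113.5.54321
#   reply on tap0: 192.168.0.2.12345 > 192.168.0.1.54321 (conntrack reversed both)
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # Drop the old conntrack entry so the next packet is NEW and hits the nat table.
    conntrack -D -s "$CLIENT_IP" -p udp --dport 12345 >/dev/null 2>&1 || true
    nat_rules | sh -e
}
```

The reverse FORWARD rule is only needed when the FORWARD chain policy is DROP; with an ACCEPT policy the two nat rules alone are enough.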