Iptables change destination address postrouting - linux

I have to change the destination address of my packets before they are sent...
Looking on the web, I saw that with iptables it is possible to change the destination address of packets in PREROUTING.
Can you help me?
I would like something like
sudo iptables -t nat -A POSTROUTING -d 239.0.2.4 -o wlan0 -j DNAT --to 192.168.1.3
My problem is that a relay of my local RTSP server accepts only a multicast IP address, but I would like the packets to be sent with a classical IP address.
Thanks

You can change the destination address in PREROUTING, and source address in POSTROUTING.
The rationale is that during the POSTROUTING chain, the routing decision has already taken place, and altering the destination address now would be nonsensical. Either the decision would be the same (in which case you can use the PREROUTING chain), or it would be different, in which case you really want a policy route.

Related

IP tables TEE command changes source mac address

I am trying to forward/clone traffic from my host machine to my docker container using IPtables command.
I am able to receive traffic inside my container via the iptables TEE target. However, this command changes the Ethernet header by replacing the source MAC with the host's MAC. I am interested in collecting this data for my project.
Is there any other way I can achieve this?
Commands used:
1. iptables -t mangle -I PREROUTING -i <host_interface_name> -p tcp -j TEE --gateway <container_ip>
2. iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination <container_ip:port>
iptables operates at the network layer and routes the packet from the host where the rules were added. Therefore, we cannot avoid the update of the source MAC. I've tried using TPROXY, FORWARD, ACCEPT. Found the documentation for this at https://ipset.netfilter.org/iptables-extensions.man.html#lbDU
Achieved my requirement using Linux TC. The simple inbuilt Linux Traffic Controller can be used for shaping traffic moving through your interfaces.
https://man7.org/linux/man-pages/man8/tc-mirred.8.html

Why do I see DST="127.0.0.53" on -j REDIRECTed packets?

I am confused about a situation in my NATed network. I start dnsmasq on the router, with listen-address=192.168.100.1 and the -p 5353 option for the DNS port. Afterwards, I add an iptables rule for hosts inside that network:
iptables -t nat -I PREROUTING -s 192.168.100.0/24 \
-d 192.168.100.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
But this didn't work the first time, since my INPUT policy is DROP; when I add this rule, everything starts to work:
iptables -I INPUT -p udp --dport 53 -d 127.0.0.53 -j ACCEPT
I discovered this address with the help of -j LOG on my INPUT chain, where I saw packets dropped like SRC=127.0.0.1 DST=127.0.0.53 ..., when a NATed host is trying to resolve a hostname.
As I am writing an automated script that generates correct netfilter rules for the situation, I need to know where this 127.0.0.53 could come from.
I see the same address in /etc/resolv.conf. But I don't understand who is routing this packet to this address when it is "redirected", if I am even close to understanding what happens.
systemd-resolved sets up a stub listener for DNS requests locally on 127.0.0.53:53.
Try disabling it to proceed: sudo systemctl disable systemd-resolved

In-kernel packet forwarding from one port to multiple ports

On a Linux-based system I need data incoming on a TCP port to be automatically redirected to other 50 local ports without going through user-space's send/recv. Each port needs to receive a copy of all incoming traffic. All ports are local to the same machine.
I've discarded the splice syscall due to the limit of one endpoint being a file. I guess that iptables is the right tool for this purpose, but I can't figure out the right syntax. It should be something similar to:
iptables -t nat -A PREROUTING -p tcp --dport <in_port> -j REDIRECT --to-ports <out_port1>-<out_port50>
I wonder e.g. if the option -m multiport is needed.

Linux NATing on my own IP address

I have a question regarding Linux NAT-ing on my own IP address.
Suppose I have a network interface, say eth0. It is given an IP address of 127.0.0.2. Now I apply a NAT rule in Linux saying that:
Any traffic with a source IP of 127.0.0.2 should be changed to a source IP of 192.168.0.2.
What source IP will I see in the packets sent out of eth0? In other words, will the NAT rule be applied to the packets originating from my own machine?
Thanks!
Jin
You can use POSTROUTING for the same:
iptables -t nat -A POSTROUTING -s 127.0.0.2 -o eth0 -j SNAT --to 192.168.0.2

byte counters for MAC address using IPTABLES

Assuming that I am the server, and I want to watch the download and upload bandwidth for a specific MAC address. For the upload monitor chain I use this:
iptables -N clientA_upload and then iptables -A FORWARD -m mac --mac-source 00:11:22:33:44:55:66, and it works just fine. But when it comes to the download chain, I use iptables -A FORWARD -m mac --mac-destination 00:11:22:33:44:55:66 and iptables doesn't support --mac-destination. Please help me out.
P.S.: I just want to monitor by MAC address, not IP address, because Android OS doesn't support byte counting by IP address. So please help!!!
For the missing --mac-destination, the trick is to combine iptables --mac-source with CONNMARK:
First use --mac-source to match packets coming from the MAC address you're interested in.
Use CONNMARK to mark the whole connection, i.e. both directions (!), and
now check packets going in the other direction with the connection mark.
# lan interface
if_lan=eth0
# packets going to mac address will pass through this:
iptables -t mangle -N clientA_download
# mark connections involving mac address:
iptables -t mangle -A PREROUTING -i $if_lan -m state --state NEW -m mac --mac-source 00:11:22:33:44:55 -j CONNMARK --set-mark 1234
# match packets going to mac address:
iptables -t mangle -A POSTROUTING -o $if_lan -m connmark --mark 1234 -j clientA_download
Initially I thought this would only work for TCP connections originating from the LAN, but given the definition of --state NEW it should work in both directions for both TCP and UDP (!)
For counters see also ipset which is very nice for this.
Policy Routing on Linux based on Sender MAC Address was the inspiration for this answer.
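The CONNMARK approach above as a complete script, added here as an example and not code from the answer or from any project: it creates both accounting chains, marks connections by client MAC, and reads the byte counters back. It goes one step further than the answer by marking any still-unmarked connection (`-m connmark --mark 0`) instead of only `--state NEW`, so connections opened from the outside get marked as soon as the client replies. The interface eth0, the MAC 00:11:22:33:44:55 and the mark 1234 are constructed values; `IPT` defaults to `iptables` and can be set to `echo` for a dry run.

```shell
#!/bin/sh
# Added example: per-MAC byte accounting with --mac-source + CONNMARK,
# plus a reader for the resulting counters. Not code from the original answer.
# Constructed defaults: interface eth0, MAC 00:11:22:33:44:55, mark 1234.
# IPT defaults to iptables; set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
IF_LAN="${IF_LAN:-eth0}"
MAC="${MAC:-00:11:22:33:44:55}"
MARK="${MARK:-1234}"

# $1 = LAN interface, $2 = client MAC, $3 = connection mark
setup_mac_accounting() {
    if_lan="$1"; mac="$2"; mark="$3"
    $IPT -t mangle -N clientA_upload
    $IPT -t mangle -N clientA_download
    # A catch-all rule in each chain carries the counters we read later.
    $IPT -t mangle -A clientA_upload -j RETURN
    $IPT -t mangle -A clientA_download -j RETURN
    # Mark any still-unmarked connection as soon as one of its packets arrives
    # from the client MAC (covers connections opened from either side).
    $IPT -t mangle -A PREROUTING -i "$if_lan" -m connmark --mark 0 \
        -m mac --mac-source "$mac" -j CONNMARK --set-mark "$mark"
    # Upload: packets coming from the MAC.
    $IPT -t mangle -A PREROUTING -i "$if_lan" -m mac --mac-source "$mac" -j clientA_upload
    # Download: packets leaving towards the LAN on a marked connection.
    $IPT -t mangle -A POSTROUTING -o "$if_lan" -m connmark --mark "$mark" -j clientA_download
}

# Sum the exact byte counters of the rule lines in an `iptables -L -v -n -x`
# listing read from stdin (the first two lines are the chain and column headers).
sum_listing_bytes() {
    awk 'NR > 2 { sum += $2 } END { print sum + 0 }'
}

# $1 = chain name; prints the total bytes seen by that chain.
read_chain_bytes() {
    $IPT -t mangle -L "$1" -v -n -x | sum_listing_bytes
}

case "${1:-}" in
    setup) setup_mac_accounting "$IF_LAN" "$MAC" "$MARK" ;;
    show)  printf 'upload=%s download=%s\n' \
               "$(read_chain_bytes clientA_upload)" \
               "$(read_chain_bytes clientA_download)" ;;
esac
```

Run it as `sh script.sh setup` once, then `sh script.sh show` to read the two counters; `iptables -t mangle -Z clientA_download` resets one of them.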
There is no such thing as --mac-destination. You have to move to ebtables for that.
You are confusing downloading and uploading rules.
Rule 1: iptables -A FORWARD -m mac --mac-source 00:11:22:33:44:55:66
is appended to the ipchain and checks the given MAC in the forwarding chain.
Now you need to check your MAC in the INPUT chain, so instead of applying the second rule in the FORWARD chain, apply it in the INPUT chain:
Rule 2: iptables -I INPUT -m mac --mac-destination 00:11:22:33:44:55:66