How Can I Use the Iptables but Not Converting the Resource IP?

Question

I want to deflect some IP address that we access using any tools (like nmap, medusa, etc) to the another IP Address.

For more details: I have 2 IP Addresses, First IP Address is 192.168.1.7 and the Second is 192.168.1.6. When I want to access the first IP Address using another PC in the same LAN, I want to deflect that to the Second IP Address on port 22, so I using Iptables for that as you can see here, I add some rule on the second IP Address pc:

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.43.7

iptables -t nat -A POSTROUTING -j MASQUERADE

after I tried that, it was work. But, I really need the IP Address information about who was accessing the IP Address because the result show that it's only the first IP Address that was accessing the second IP Address, not the third one. Can you help me please? Because it always converting the IP Address Source and I don't know why.

Oh, I also tried using any tools port forwarder like rinetd, socat, etc. But it doesn't work. Do you have any idea for this? I really need help.

[Update] :

I've tried using SNAT on the rule in iptables but it has same result. I read this post How to do the port forwarding from one ip to another ip in same network? but I don't know what must I do with that

Does this answer your question? [Iptables DNAT single port](https://serverfault.com/questions/748109/iptables-dnat-single-port) — Michael Hampton, Sep 24 '20 at 00:43
@MichaelHampton it said filtered state for the port and what I want is open — Pebri Alkautsar, Sep 24 '20 at 01:51
You still have to allow the traffic in the firewall on the destination host! — Michael Hampton, Sep 24 '20 at 02:15
Can you give a more complete description of your objective in your question? Your question does not show where from do you want to connect to `192.168.1.7` port 22. What is the role of `192.168.1.7` device in the network? Is it a router for public internet? — Tero Kilkanen, Sep 24 '20 at 06:34

score 0 · Answer 1 · answered Oct 13 '20 at 11:28

Server-A = 192.168.1.7
Server-B = 192.168.1.6
Client-PC = 10.20.20.3

From what you are trying to achieve, the MASQUERADE rule is the culprit and must be removed. Here is a scenario. When Client-PC attempts to connect to Server-A, it must be redirected to Server-B on TCP 22. From Server-B perspective, traffic is coming from 10.20.20.3

On the host that is acting as a Linux gateway, do the following:

$ sudo echo "1" > /proc/sys/net/ipv4/ip_forward
$ sudo iptables -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.7 --dport 22 -j DNAT --to-destination 192.168.1.6:22
$ sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

From Server-B, make sure it knows how how to send return traffic back to 10.20.20.3

If not, then add a static route on Server-B

$ sudo ip route add 10.20.20.3 via X.X.X.X # Where X.X.X.X is the IP of the Linux gateway

How Can I Use the Iptables but Not Converting the Resource IP?

1 Answers1