
I have referred to the following links before asking this question.

I am making an example for my students on NAT - pre-routing. Here, I am trying to replace the destination IP with the one I want. For example, when someone tries to access www.facebook.com, www.google.com will be connected to instead.

Here is what I have tried to do.

# host www.facebook.com
www.facebook.com is an alias for star.c10r.facebook.com.
star.c10r.facebook.com has address 31.13.79.65
star.c10r.facebook.com has IPv6 address 2a03:2880:f002:201:face:b00c:0:1

# host www.google.com
www.google.com has address 74.125.236.81
www.google.com has IPv6 address 2404:6800:4001:802::1014

Now, here are the iptables rules.

# iptables -t nat -I PREROUTING -p tcp --dport 80  -d 31.13.79.65 -j DNAT --to-destination 74.125.236.81
# iptables -t nat -I PREROUTING -p tcp --dport 443  -d 31.13.79.65 -j DNAT --to-destination 74.125.236.81

Now, commit to the table.

# iptables-save

However, it doesn't work. One thing I know is that DNS resolution can return multiple IPs based on the region, etc., because these sites use DNS load balancing.

The thing is that I can block these IPs. I believe that iptables works on the network layer. Thus, the HTTP request should have come to this layer. On reaching this layer, it should have been pre-routed to the other IP. For example, whenever the destination IP is 31.13.79.65, change it to the destination IP 74.125.236.81.

Thus, after DNS resolution, if the browser requests anything for the IP 31.13.79.65, the network layer should change it to 74.125.236.81. However, it doesn't work. Can somebody please explain why?

Please bear in mind that I am not an expert in networking. I have tried my best to put up the best of the knowledge I have on networking.

dexterous

3 Answers

This is what you have to do:

iptables -t nat -A OUTPUT -p tcp --dport 80  -d 31.13.79.65 -j DNAT --to-destination 74.125.236.81
iptables -t nat -A OUTPUT -p tcp --dport 443  -d 31.13.79.65 -j DNAT --to-destination 74.125.236.81

You have to use the OUTPUT chain, since that traffic is outgoing from the host itself.

These iptables commands assume that they are run on the machine on which you will be demonstrating the rules. Once the rules are applied, all traffic to www.facebook.com will be redirected to the Google IP address.

To effectively demonstrate this to your students, you will also have to create host entries in the /etc/hosts file so that www.facebook.com will always resolve to 31.13.79.65 and not to some other IP address.

To make the rule permanent, you need to issue:

/etc/init.d/iptables save
/etc/init.d/iptables reload

Not iptables-save, since that just prints out the rules, as mentioned in the other answer.

To view this rule, you have to specifically mention -t nat since the rule is created in the NAT table:

iptables -t nat -L

Sreeraj

The PREROUTING chain is used for packets arriving over the network to the host on which you have configured iptables. However if you test from that host itself, the PREROUTING chain is not used. To cover that case you can use the OUTPUT chain instead.

Also, the iptables-save command does not do what you think it does. Your first two iptables commands modify the active rules directly in the kernel. As soon as you have run one of those commands, the rule is active for new connections.

What the iptables-save command does is read the rules in the kernel and write them all to stdout. You can redirect the output of iptables-save to a file in order to save your current configuration for later. Then, later, you can read those rules back into your kernel by using the iptables-restore command.

The issue you mention with the IP address being dynamic may be best addressed by manipulating the DNS replies. If you change the DNS replies, you don't need to use the DNAT rule. If you are running your own resolver, you can make it believe it is authoritative for the zone you want to redirect.

However, for a quick hack, redirecting using iptables or by updating the hosts file is easier.

kasperd
  • Are you saying pre-routing is for the replies I receive? Once I receive the reply, the prerouting can redirect those packets to some other IP, is it? – dexterous Mar 30 '14 at 15:44
  • No, the nat table is not used for replies. Only expect the nat table to be used for the first packet in the connection. The rest of the packets will be handled by connection tracking. The rules you specified should work, if they are used on a router, which is forwarding the traffic. But if you insert those iptables rules on the very machine where you are running the browser, then you should have been using OUTPUT rather than PREROUTING. – kasperd Mar 30 '14 at 16:20
  • But post routing works right? – dexterous Mar 30 '14 at 16:51
  • You can't use DNAT in POSTROUTING. It wouldn't make sense to change destination IP after routing, because routing needs the destination IP. – kasperd Mar 30 '14 at 17:27
  • Sorry, what I meant was that post-routing works on the host itself, unlike pre-routing, where the router has the effect. – dexterous Mar 31 '14 at 00:59
  • Will my example work if another machine's gateway is my machine, all in the same network, and I do the DNAT in POSTROUTING whenever there is a destination IP of Facebook, changing it to Google? I am enabling packet forwarding on my machine as well. Thus, when the other machine accesses FB, my machine will DNAT it to Google. Is that OK? – dexterous Mar 31 '14 at 01:06
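Putting the two answers above together (Sreeraj's OUTPUT-chain rules plus the /etc/hosts pin, and kasperd's points that PREROUTING only sees traffic forwarded for other hosts and that iptables-save writes to stdout while iptables-restore reads that format back), here is an added example script. It is not code from any answer on this page. It assumes the two addresses from the question; the interface name eth0 (WAN_IF) and the MASQUERADE rule in gateway mode are assumptions about how a forwarding gateway is normally set up, and are only emitted in that mode. Running it with no arguments just prints the ruleset; "apply" loads it for real and needs root.

```shell
#!/bin/sh
# Added example, not code from any answer on this page.
# Generates an iptables-restore ruleset for the facebook -> google DNAT demo
# and pins the name in a hosts file. Assumed values: the two addresses from
# the question, and "eth0" as the gateway's outside interface.
FB_IP=31.13.79.65
GOOGLE_IP=74.125.236.81
WAN_IF=${WAN_IF:-eth0}   # assumption; only used in gateway mode

# One DNAT rule line in iptables-save syntax for the given chain and port.
dnat_rule() {
    printf '%s\n' "-A $1 -d $FB_IP/32 -p tcp -m tcp --dport $2 -j DNAT --to-destination $GOOGLE_IP"
}

# The whole nat table in the format iptables-save writes and iptables-restore
# reads. "local" covers traffic this host generates itself (OUTPUT chain, the
# case that failed in the question). "gateway" additionally covers traffic
# forwarded for other hosts (PREROUTING) and masquerades it on the way out,
# since the rewritten destination would otherwise reply to a LAN address.
nat_ruleset() {
    mode=${1:-local}
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for port in 80 443; do
        dnat_rule OUTPUT "$port"
        if [ "$mode" = gateway ]; then
            dnat_rule PREROUTING "$port"
        fi
    done
    if [ "$mode" = gateway ]; then
        echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"   # assumption about the gateway
    fi
    echo 'COMMIT'
}

# Add "IP NAME" to a hosts file unless NAME already has an entry, so the
# browser resolves the name to the address the DNAT rule matches instead of
# whichever address the DNS load balancer hands out. Returns 1 if the name
# was already there. Takes the file path as an argument so it can be tried
# on a scratch copy before touching /etc/hosts.
pin_host() {
    hosts=$1 ip=$2 name=$3
    if grep -Eq "[[:space:]]$name([[:space:]]|\$)" "$hosts"; then
        return 1
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$hosts"
}

# Load everything for real: pin the name, then replace the nat table
# atomically. iptables-restore takes the ruleset on stdin, the counterpart
# of "iptables-save > file" for saving it. Needs root.
apply_demo() {
    mode=${1:-local}
    pin_host /etc/hosts "$FB_IP" www.facebook.com || true
    if [ "$mode" = gateway ]; then
        sysctl -w net.ipv4.ip_forward=1   # PREROUTING traffic goes nowhere without forwarding
    fi
    nat_ruleset "$mode" | iptables-restore
    iptables -t nat -L -n -v              # -t nat: the rules live in the nat table
}

# Usage: sh dnat-demo.sh [print|apply] [local|gateway]
case "${1:-print}" in
    apply) apply_demo "${2:-local}" ;;
    *)     nat_ruleset "${2:-local}" ;;
esac
```

After "apply", the packet counters shown by iptables -t nat -L -n -v rise by one per connection rather than per packet: the nat table only sees the first packet of a connection, and connection tracking rewrites the rest, which is why a single DNAT rule is enough and why DNAT in POSTROUTING is not an option.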

You can use the PREROUTING chain to redirect any traffic to your desired IP and port.

iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111
Mansur Ul Hasan