I have referred to the following links before asking this question.
I am making an example for my students on NAT - pre-routing. Here, I am trying to replace the destination IP with the one I want. For example, when someone tries to access www.facebook.com, www.google.com will be connected instead.
Here is what I have tried to do.
# host www.facebook.com
www.facebook.com is an alias for star.c10r.facebook.com.
star.c10r.facebook.com has address 31.13.79.65
star.c10r.facebook.com has IPv6 address 2a03:2880:f002:201:face:b00c:0:1
^C[root@shreyas joshis1]#
# host www.google.com
www.google.com has address 74.125.236.81
www.google.com has IPv6 address 2404:6800:4001:802::1014
[root@shreyas joshis1]#
Now, here are the iptables rules.
# iptables -t nat -I PREROUTING -p tcp --dport 80 -d 31.13.79.65 -j DNAT --to-destination 74.125.236.81
# iptables -t nat -I PREROUTING -p tcp --dport 443 -d 31.13.79.65 -j DNAT --to-destination 74.125.236.81
Now, commit to the table.
# iptables-save
However, it doesn't work. One thing I know is that DNS resolution can return multiple IPs based on the region, etc., because these sites have DNS load balancers.
The thing is that I can block these IPs. I believe that iptables works on the network layer. Thus, the HTTP request should have come to this layer. On reaching this layer, it should have been pre-routed to the other IP. For example, whenever the destination IP is 31.13.79.65, change it to the destination IP 74.125.236.81.
Thus, after DNS resolution, if the browser requests anything for the IP 31.13.79.65, the network layer should change it to 74.125.236.81. However, it doesn't work. Can somebody please explain why?
Please bear in mind that I am not an expert in networking. I have tried my best to put up the best of the knowledge I have on networking.
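The point a responder would usually raise, shown here as an added example rather than code from the question: the nat PREROUTING chain is only traversed by packets that arrive on a network interface, while packets generated by a process on the same host (a browser on the box running iptables) traverse nat OUTPUT instead, so the rules above never see them. The Packet and DnatRule classes, the chain-traversal model and the sample packets are constructed for illustration and do not touch the real kernel.

```python
# Added model (not code from the question) of which Netfilter nat chains a packet
# traverses. Packet/DnatRule and the addresses are constructed; no real kernel use.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str
    dport: int
    locally_generated: bool  # True when a process on this host created it

@dataclass(frozen=True)
class DnatRule:
    chain: str  # "PREROUTING" or "OUTPUT"
    proto: str
    dport: int
    dst: str
    to_destination: str

def nat_chains_for(pkt: Packet) -> list[str]:
    """Interface-arriving packets hit nat PREROUTING; locally created ones hit nat OUTPUT."""
    if pkt.locally_generated:
        return ["OUTPUT", "POSTROUTING"]
    return ["PREROUTING", "POSTROUTING"]

def apply_nat(pkt: Packet, rules: list[DnatRule]) -> Packet:
    """The first DNAT rule in a traversed chain whose match fits rewrites dst."""
    for chain in nat_chains_for(pkt):
        for rule in rules:
            if (rule.chain == chain and rule.proto == pkt.proto
                    and rule.dport == pkt.dport and rule.dst == pkt.dst):
                return replace(pkt, dst=rule.to_destination)
    return pkt  # no traversed chain matched: destination unchanged

# The two rules from the question, exactly as written (nat PREROUTING)
QUESTION_RULES = [
    DnatRule("PREROUTING", "tcp", 80, "31.13.79.65", "74.125.236.81"),
    DnatRule("PREROUTING", "tcp", 443, "31.13.79.65", "74.125.236.81"),
]
# Same matches placed in nat OUTPUT, the chain locally generated traffic hits
OUTPUT_RULES = [replace(r, chain="OUTPUT") for r in QUESTION_RULES]

def browser_on_this_host(dport: int = 80) -> Packet:
    """A browser running on the iptables box itself (the question's setup)."""
    return Packet("31.13.79.65", "tcp", dport, locally_generated=True)

def client_behind_this_router(dport: int = 80) -> Packet:
    """A LAN client whose packets are forwarded through the iptables box."""
    return Packet("31.13.79.65", "tcp", dport, locally_generated=False)
```

Rules inserted with iptables take effect immediately; iptables-save only prints the current ruleset to stdout, so redirect it to a file if the rules are to be reloaded later. Redirecting the port 443 rule to a different host will also fail the browser's TLS certificate check, because the certificate presented will not match the name the browser requested.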