I have the following situation:
One interface (device) identified by an IP address of 192.168.1.x (I1) that's connecting through whatever service to another interface with IP 192.168.1.y (I2) to port (P2) on the same LAN. Now I want to redirect all frames/packets (data in general) that are sent from I1 to I2:P2 onto another device with IP address 192.168.1.z (I3) and port (P3) on the same LAN.

What I tried:
I looked into iptables but ultimately figured they (specifically the nat tables) work only on packets going into the external network (WAN). An exception is when the rules are set on the connecting device (I1), then these shell commands did the job:

    iptables -t nat -A OUTPUT -p tcp -d I2 --dport P2 -j DNAT --to I3:P3
    iptables -t nat -A INPUT -p tcp -s I3 --sport P3 -j SNAT --to I2:P2

Since I wanted to apply the rules on the local router, I then tried to see if communication between I1 and I2 is even passing through it with:

    iptables -t raw -I PREROUTING -s I1 -d I2 -j LOG

And it probably isn't, since I couldn't find any logs with the two IPs (the log file was at /var/log/messages).

I started realizing that the LAN communication is going through the switch using MAC addresses and can't be captured there, is that true? I suppose the "switch" is physically (in) the same box as the router.

Finally, I'm thinking I might not even need the redirecting and just run the desired services on I2 (which is a virtual interface), but that's beside the question.

So my main question is:
Is it possible to redirect the traffic (modify the packets) that's going from I1 to I2:P2 in the switch/router that it's passing through, so that the destination would be I3:P3 and I3 could then respond in the same fashion (masquerade itself as I2:P2) without I1 noticing?

I guess it might not be possible and redirection on this level has to do with (virtual) bridges. If so, can the same result be achieved otherwise? I can only modify the switch and the I2, I3 interfaces (NOT I1).

h4nek

2 Answers

You can only do this modification on your I1 device and using iptables NAT or similar there.

If you set up separate IP subnets in your current LAN so that x and y are in different subnets, then you can perform this destination manipulation in the router, because packets will traverse through the router then.

Tero Kilkanen


You are apparently on the same network segment and as you guessed it - the traffic IS NOT passing through the router in this case.

There are two places where you can make the necessary adjustments:

  1. The originating device (I1) where you only need to DNAT the outgoing packets:

    iptables -t nat -A OUTPUT -p tcp -d I2 --dport P2 -j DNAT --to I3:P3
    
  2. The second device (I2) where you need to both DNAT and SNAT and you must have packet forwarding enabled:

    iptables -t nat -A PREROUTING -p tcp -s I1 -d I2 --dport P2 -j DNAT --to-destination I3:P3
    iptables -t nat -A POSTROUTING -p tcp -s I1 -d I3 --dport P3 -m conntrack --ctstate DNAT -j SNAT --to-source I2
    
Tomek
  • Great clarification. The second option indeed did the job, although I'm not sure I know how it worked. The first rule seems to simply change the destination before packets get "routed" (I omitted the `source` since I don't actually know who I1 is - it then applies to any source). The second rule is a mystery to me. I guess it must modify packets after the "routing", so the packets now destined for I3:P3 get their source changed as well. Why is it sufficient to just change to I2 (port is unnecessary?)? And how does it redirect on the way back when you seem to only specify one way? – h4nek Sep 17 '18 at 16:05
  • Have a look at this answer: https://serverfault.com/questions/919766/how-to-access-host-in-lan-using-alternate-ip-address#919838 (which is accidentally also mine :)), it should shed some light on how and for what the SNAT rule is there. – Tomek Sep 17 '18 at 18:45
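The second option from Tomek's answer, written up as an added example script (not code from either answer) that is meant to run on I2. It assumes the placeholders I1, I2, P2, I3 and P3 are passed as arguments, adds each nat rule only if an identical one is not already present (so re-running it does not stack duplicates), turns on IPv4 forwarding, and has a DRY_RUN=1 mode that prints the commands instead of executing them so the rule set can be reviewed before it touches a live box:

```shell
#!/bin/sh
# Added example, not from the original answers: apply the DNAT + SNAT pair on I2
# so that I1 -> I2:P2 is handed to I3:P3 without I1 noticing.
# Assumptions: I1/I2/I3 are IPv4 addresses on the same LAN, P2/P3 are TCP ports,
# and DRY_RUN=1 (set by the caller) prints commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append a nat rule only when an identical rule is not already present;
# `iptables -C` checks for an exact match without modifying the table.
nat_rule() {
    chain=$1; shift
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -t nat -C "$chain" "$@" 2>/dev/null; then
        run iptables -t nat -A "$chain" "$@"
    fi
}

# Reject anything that is not a TCP port number in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules I1 I2 P2 I3 P3
redirect_rules() {
    src=$1 via=$2 via_port=$3 dst=$4 dst_port=$5
    valid_port "$via_port" && valid_port "$dst_port" || return 1

    # The DNAT'd packet leaves I2 again towards I3, so forwarding must be on.
    run sysctl -w net.ipv4.ip_forward=1

    # Before routing: rewrite the destination I2:P2 -> I3:P3 for packets from I1.
    nat_rule PREROUTING -p tcp -s "$src" -d "$via" --dport "$via_port" \
        -j DNAT --to-destination "$dst:$dst_port"

    # After routing, and only for connections the rule above translated
    # (--ctstate DNAT): rewrite the source to I2 so I3 answers I2, not I1.
    # Conntrack then reverses both translations on the reply automatically.
    nat_rule POSTROUTING -p tcp -s "$src" -d "$dst" --dport "$dst_port" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$via"
}

# Usage (constructed sample addresses): DRY_RUN=1 ./redirect.sh
DRY_RUN=${DRY_RUN:-1} redirect_rules 192.168.1.10 192.168.1.20 8080 192.168.1.30 80
```

The SNAT in POSTROUTING is what answers the "how does it redirect on the way back" question from the comments: without it, I3 would see packets from I1 and reply straight to I1, which has no matching connection and drops them. With the source rewritten to I2, the reply comes back to I2, where the connection-tracking entry created by the first packet maps it back to I2:P2 -> I1, so no explicit reverse rule is needed and the port does not have to be part of the SNAT target.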