Rewriting Packet Destination using iptables and nftables

glasstea

5/27/23, 4:55 PM

I have a RHEL 7 (IP 192.168.0.10/24) and RHEL 8 (IP 192.168.0.11/24) host both of which are getting duplicated packets from a router which are intended for a different host (IP 192.168.1.10/24). How can I use iptables on the RHEL 7 host and nftables on the RHEL 8 host to modify the destination IP so that each host receives the packet as if it was truly the destination?

Sample packet on the rhel7 host:

[root@rhel7 ~]# tcpdump -nni eth0 port 20800
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:43:53.339859 IP 1.2.3.4.22551 > 192.168.1.10.20800: Flags [S], seq 2316850366, win 29200, options [mss 1460,sackOK,TS val 3894703027 ecr 0,nop,wscale 7], length 0

I think something has to be done in the prerouting table but I didn't have success with this:

iptables -t nat -I PREROUTING -d 192.168.1.10 -j DNAT --to 192.168.0.10

Any suggestions? I assume once the iptables command is figured out, the nftables command be found using iptables-translate.

0 + 0

iptables

nftables

Tero Kilkanen

5/27/23, 7:00 PM

This looks like a network configuration error, and you should fix the actual error instead of adding workarounds.

glasstea

5/28/23, 10:36 AM

I can get access to the router. Do you think the router needs a postrouting rule to change the destination address after the duplication? The duplication rule is `add rule ip filter forward ip saddr 1.2.3.4 ip daddr 192.168.1.10 tcp dport 20800 dup to 192.168.0.10 counter`

Tero Kilkanen

5/28/23, 4:07 PM

One problem is that the same L2 network contains two different IP subnets (`192.168.0.0/24` and `192.168.1.0/24`). Those should be in separate broadcast domains, with a router in between.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Rewriting Packet Destination using iptables and nftables

TH: การเขียนปลายทางแพ็คเก็ตใหม่โดยใช้ iptables และ nftables

RO: Rescrierea Pachet Destinație folosind iptables și nftables

RU: Перезапись адресата пакета с помощью iptables и nftables

VI: Viết lại Packet Destination bằng iptables và nftables

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.