Score:0

Redirect incoming UDP traffic to a local IP address (iptables?)


tcpdump works as expected on my machine.

tcpdump -i enx00e04c04009e -Uw - | tcpdump -en -r - vlan 201
17:52:51.447340 04:01:30:00:00:16 > 03:00:03:00:04:00, ethertype 802.1Q (0x8100), length 66: vlan 201, p 0, ethertype IPv4 (0x0800), 192.16.4.47.2013 > 192.16.4.6.5007: UDP, length 20

In my configuration I have VLAN eth1.201 with IP 192.16.4.10 (possibly less relevant), and no interface is assigned 192.16.4.6, so the original traffic is targeting another machine.

The ask: I would like to reassign the destination IP of the UDP packets above; instead of targeting 192.16.4.6 I would like to choose a local address, 192.16.4.10.

I've been struggling with iptables without any success; for example, the attempt below takes me nowhere:

/usr/sbin/iptables-legacy  -t nat -A PREROUTING -p udp -i eth1.201 -d 192.16.4.6 -j DNAT --to-destination 192.16.4.10

Assuming this is trivial for the right brain.

Edit: added info on request from @A.B

The setup is very simple

RaspberryPI_player

sudo tcpreplay -x 0.01 --loop=0 --intf1=eth1 Wireshark_bidirectional_data.pcap

RaspberryPI_target_my_machine

From vanilla, this is what I do:

sudo ip link add link eth1 name eth1.201 type vlan id 201
sudo ip addr add 192.16.4.10/32 dev eth1.201 
sudo ip link set dev eth1.201 up
/usr/sbin/iptables-legacy  -t nat -A PREROUTING -p udp -i eth1.201 -d 192.16.4.6 -j DNAT --to-destination 192.16.4.10
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether e4:5f:01:95:ff:d5 brd ff:ff:ff:ff:ff:ff
3: enx00e04c04009e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:e0:4c:04:00:9e brd ff:ff:ff:ff:ff:ff
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether e4:5f:01:95:ff:d7 brd ff:ff:ff:ff:ff:ff
5: vcan0: <NOARP,UP,LOWER_UP> mtu 72 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/can
6: vcan1: <NOARP,UP,LOWER_UP> mtu 72 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/can
7: vcan2: <NOARP,UP,LOWER_UP> mtu 72 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/can
8: vcan3: <NOARP,UP,LOWER_UP> mtu 72 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/can
9: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:cf:b8:3b:8a brd ff:ff:ff:ff:ff:ff
10: br-b54950de0d83: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:ff:74:1e:e6 brd ff:ff:ff:ff:ff:ff
13: eth1.201@enx00e04c04009e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
$ ip -br address
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             192.168.2.161/24 fe80::26c0:e9dc:d0f1:1185/64
enx00e04c04009e  UP             192.168.12.4/24 fe80::1a3b:6f20:dd33:46d0/64
wlan0            UP             192.168.4.1/24 fe80::9fe9:511d:8f32:6e13/64
vcan0            UNKNOWN
vcan1            UNKNOWN
vcan2            UNKNOWN
vcan3            UNKNOWN
docker0          DOWN           172.17.0.1/16
br-b54950de0d83  DOWN           172.18.0.1/16 fe80::42:ffff:fe74:1ee6/64
eth1.201@enx00e04c04009e UP             198.16.4.10/32 169.254.224.254/16 fe80::d2e5:5567:4976:2ac9/64
$ ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
$ ip -4 neigh
192.168.12.11 dev enx00e04c04009e lladdr 00:e0:4c:03:00:f3 STALE
192.168.2.253 dev eth0 lladdr b8:27:eb:ae:6e:89 REACHABLE
192.16.4.47 dev eth1.201 lladdr 02:00:00:00:00:16 STALE
192.168.2.1 dev eth0 lladdr 70:8b:cd:87:cd:98 STALE
$ sudo /usr/sbin/iptables-legacy-save -c
# Generated by iptables-save v1.8.7 on Wed May 24 15:22:35 2023
*filter
:INPUT ACCEPT [920:79203]
:FORWARD ACCEPT [1412:89632]
:OUTPUT ACCEPT [572:84568]
[0:0] -A FORWARD -s 192.16.4.6/32 -d 192.16.4.10/32 -j ACCEPT
[0:0] -A FORWARD -s 192.16.4.6/32 -d 192.16.4.10/32 -j ACCEPT
COMMIT
# Completed on Wed May 24 15:22:35 2023
# Generated by iptables-save v1.8.7 on Wed May 24 15:22:35 2023
*nat
:PREROUTING ACCEPT [20:3564]
:INPUT ACCEPT [11:2780]
:OUTPUT ACCEPT [2:142]
:POSTROUTING ACCEPT [2:142]
[0:0] -A PREROUTING -d 192.16.4.6/32 -i eth1.201 -p udp -j DNAT --to-destination 192.16.4.10
COMMIT
# Completed on Wed May 24 15:22:35 2023

I haven't done anything with iptables (only with legacy), however adding the output anyway:

$ sudo /usr/sbin/iptables-nft-save -c
# Generated by iptables-nft-save v1.8.7 on Wed May 24 15:13:19 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [23660:1503520]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[23660:1503520] -A FORWARD -j DOCKER-USER
[23660:1503520] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A FORWARD -o br-b54950de0d83 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-b54950de0d83 -j DOCKER
[0:0] -A FORWARD -i br-b54950de0d83 ! -o br-b54950de0d83 -j ACCEPT
[0:0] -A FORWARD -i br-b54950de0d83 -o br-b54950de0d83 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-b54950de0d83 ! -o br-b54950de0d83 -j DOCKER-ISOLATION-STAGE-2
[23660:1503520] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-b54950de0d83 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[23660:1503520] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Wed May 24 15:13:19 2023
# Generated by iptables-nft-save v1.8.7 on Wed May 24 15:13:19 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
[5:476] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-b54950de0d83 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER -i br-b54950de0d83 -j RETURN
COMMIT
# Completed on Wed May 24 15:13:19 2023
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

Yep, some obfuscation above, keeping fingers crossed I didn't mess up too much.

A.B: Can you give your network layout (feel free to obfuscate as long as the result can be understood)? For example with `ip link; ip -br address; ip route; ip rule; ip -4 neigh` and `iptables-save -c`? (assuming iptables <=> iptables-legacy, else you'd have to give both `iptables-legacy-save -c` and `iptables-nft-save -c` and assuming that you're not using nftables at all).

Aleksandarf: So I assume that it's possible to achieve what I want. So I'm assuming that I can rewrite destination IP 192.16.4.6 even though my machine is configured with another, 192.16.4.10.

A.B: Actually I'm not sure about all the implications, because the operation (redirect to the host) makes the traffic not routed (and not bridged, this does matter with Docker around). So I won't write an answer. But you should start over either 1/ after having disabled (not just stopped but really disabled) Docker and having rebooted (the reboot is needed to restore default network settings because of what Docker did), or else 2/ forgetting about `iptables-legacy` and doing it again with `iptables`.

Aleksandarf: Great! I'm reading your answer, that what I'm trying to achieve is possible, which is a good thing. I'll try and start from a clean slate. Also thinking that things will be easier if I just dedicate a separate machine to do the job. Then I assume I should do FORWARD instead. I would be happy to use iptables, however I haven't figured out how to use it since --to-destination is gone.

Aleksandarf: I've tried using nft instead and I've started from another end: https://serverfault.com/questions/1131996/redirect-traffic-in-tap-mode-to-specific-ip-addresses-that-is-rewrite-destin
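The `-c` counters in the dumps above already carry the diagnostic information: in the legacy nat table the PREROUTING policy counter reads [20:3564] while the DNAT rule stays at [0:0], so the rule never matched anything. The script below is an added example, not part of the original thread or of any answer to it. It parses `iptables-save -c` output, lists rules that never matched inside chains whose counters show traffic did traverse them, and translates a simple rule body into nft syntax for anyone taking A.B's suggestion to move off iptables-legacy. The sample dump is copied from the question; the translation covers only the options that appear in the thread's rules and refuses anything else.

```python
"""Read `iptables-save -c` output, flag rules that never matched although their
chain saw traffic, and translate a simple rule into nft syntax."""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample: the two tables from the question's
# `iptables-legacy-save -c` output (comment lines dropped).
SAMPLE = """\
*filter
:INPUT ACCEPT [920:79203]
:FORWARD ACCEPT [1412:89632]
:OUTPUT ACCEPT [572:84568]
[0:0] -A FORWARD -s 192.16.4.6/32 -d 192.16.4.10/32 -j ACCEPT
[0:0] -A FORWARD -s 192.16.4.6/32 -d 192.16.4.10/32 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [20:3564]
:INPUT ACCEPT [11:2780]
:OUTPUT ACCEPT [2:142]
:POSTROUTING ACCEPT [2:142]
[0:0] -A PREROUTING -d 192.16.4.6/32 -i eth1.201 -p udp -j DNAT --to-destination 192.16.4.10
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+)(?: (.*))?$")


@dataclass
class Chain:
    name: str
    policy: str                 # ACCEPT/DROP, or "-" for user-defined chains
    policy_pkts: int            # packets that fell through to the policy
    rules: list = field(default_factory=list)   # (pkts, bytes, rule body)


def parse_save(text):
    """Parse iptables-save -c output into {table: {chain name: Chain}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
            continue
        m = CHAIN_RE.match(line)
        if m:
            tables[table][m[1]] = Chain(m[1], m[2], int(m[3]))
            continue
        m = RULE_RE.match(line)
        if m:
            tables[table][m[3]].rules.append((int(m[1]), int(m[2]), m[4] or ""))
            continue
        raise ValueError(f"unrecognised line: {line}")
    return tables


def dead_rules(tables):
    """Rules with zero hits in a chain whose counters prove packets traversed it
    (policy counter or any rule counter non-zero).
    Returns (table, chain, packets seen by the chain, rule body) tuples."""
    found = []
    for tname, chains in tables.items():
        for chain in chains.values():
            seen = chain.policy_pkts + sum(p for p, _, _ in chain.rules)
            if seen == 0:
                continue
            found += [(tname, chain.name, seen, body)
                      for pkts, _, body in chain.rules if pkts == 0]
    return found


# iptables option -> nft expression; only what the rules in this thread use
_OPT = {"-s": "ip saddr {}", "-d": "ip daddr {}", "-i": 'iifname "{}"',
        "-o": 'oifname "{}"', "-p": "meta l4proto {}"}


def to_nft(body):
    """Translate a rule body (everything after `-A CHAIN`) into an nft rule.
    Unsupported options raise rather than produce a silently wrong rule."""
    toks, out, i = body.split(), [], 0
    while i < len(toks):
        t = toks[i]
        if t in _OPT:
            val = toks[i + 1]
            out.append(_OPT[t].format(val[:-3] if val.endswith("/32") else val))
            i += 2
        elif t == "-j" and toks[i + 1] == "DNAT" and toks[i + 2] == "--to-destination":
            out.append(f"dnat to {toks[i + 3]}")
            i += 4
        elif t == "-j" and toks[i + 1] in ("ACCEPT", "DROP", "RETURN", "MASQUERADE"):
            out.append(toks[i + 1].lower())
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in {body!r}")
    return " ".join(out)


if __name__ == "__main__":
    # Pass a file captured with `iptables-save -c > dump.txt`, or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for table, chain, seen, body in dead_rules(parse_save(text)):
        print(f"{table}/{chain} saw {seen} packets, 0 matched: {body}")
        if "DNAT" in body:
            print(f"  nft equivalent: {to_nft(body)}")
```

Two things to keep in mind when reading such counters. First, the nat table is consulted only for the first packet of a flow conntrack has not seen yet; packets belonging to an existing entry skip the nat chains entirely, so neither the rule counter nor the policy counter moves for them. A stream that was already being replayed (`tcpreplay --loop=0`) when the DNAT rule was added therefore keeps flowing past the rule until its conntrack entry expires or is flushed with `conntrack -F` from conntrack-tools. Second, the translated rule only does something inside an nft chain of `type nat hook prerouting`, for example `priority dstnat; policy accept;` in a table of family `ip`; the table and chain names are yours to choose.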