* Rewrite destination IP
@ 2014-03-17 11:42 Bram van den Hout
From: Bram van den Hout @ 2014-03-17 11:42 UTC (permalink / raw)
To: netfilter@vger.kernel.org
Hi,
Is it possible to change the destination IP address of an incoming packet and have a locally running server process at the application layer answer to the changed IP address ?
To be more clear. I have a hosting software suite that is configured to run on a registered public IP address (a.b.c.d).
The actual server is behind a firewall and has a private IP address. I have configured a virtual interface with the public IP address a.b.c.d.
eth0 Link encap:Ethernet HWaddr 00:0c:29:f5:10:9f
inet addr:192.168.100.11 Bcast:192.168.100.255 Mask:255.255.255.0
eth0:0 Link encap:Ethernet HWaddr 00:0c:29:f5:10:9f
inet addr:a.b.c.d Bcast:a.b.c.d Mask:255.255.255.255
Incoming packets have destination IP : 192.168.100.11.
I would like to change the destination to a.b.c.d and have for instance a webserver listening on a.b.c.d:80 and with directive <virtualhost a.b.c.d:80> answer to that request.
I have tried :
iptables -t nat -A PREROUTING -i eth0 -d 192.168.100.11 -j NETMAP --to a.b.c.d/32
When checking the result of this command with tcpdump, I don't see any translation.
What am I missing ?
Thank you very much for your response !
Cheers,
Bram
* Re: Rewrite destination IP
From: Vigneswaran R @ 2014-03-18 4:21 UTC (permalink / raw)
To: Bram van den Hout; +Cc: netfilter@vger.kernel.org
On 03/17/2014 05:12 PM, Bram van den Hout wrote:
> Hi,
>
> Is it possible to change the destination IP address of an incoming packet and have a locally running server process at the application layer answer to the changed IP address ?
>
> To be more clear. I have a hosting software suite that is configured to run on a registered public IP address (a.b.c.d).
> The actual server is behind a firewall and has a private IP address. I have configured a virtual interface with the public IP address a.b.c.d.
>
> eth0 Link encap:Ethernet HWaddr 00:0c:29:f5:10:9f
> inet addr:192.168.100.11 Bcast:192.168.100.255 Mask:255.255.255.0
>
> eth0:0 Link encap:Ethernet HWaddr 00:0c:29:f5:10:9f
> inet addr:a.b.c.d Bcast:a.b.c.d Mask:255.255.255.255
>
> Incoming packets have destination IP : 192.168.100.11.
> I would like to change the destination to a.b.c.d and have for instance a webserver listening on a.b.c.d:80 and with directive <virtualhost a.b.c.d:80> answer to that request.
>
> I have tried :
>
> iptables -t nat -A PREROUTING -i eth0 -d 192.168.100.11 -j NETMAP --to a.b.c.d/32
>
> When checking the result of this command with tcpdump, I don't see any translation.
Better, try to log the packets and see whether the translation happened
or not. Add the following rule,
iptables -I INPUT -d a.b.c.d -j LOG --log-prefix "[netfilter] "
Then ping 192.168.100.11 from another node. Now the log
(/var/log/messages or other custom log file) should have the
corresponding entries, if the translation happened properly. I just
tested now.
Regards,
Vignesh
>
> What am I missing ?
>
> Thank you very much for your response !
>
> Cheers,
>
> Bram
* Re: Rewrite destination IP
From: Neal Murphy @ 2014-03-18 5:52 UTC (permalink / raw)
To: netfilter
On Tuesday, March 18, 2014 12:21:08 AM Vigneswaran R wrote:
> On 03/17/2014 05:12 PM, Bram van den Hout wrote:
> > Hi,
> >
> > Is it possible to change the destination IP address of an incoming packet
> > and have a locally running server process at the application layer answer to
> > the changed IP address ?
> >
> > To be more clear. I have a hosting software suite that is configured to
> > run on a registered public IP address (a.b.c.d). The actual server is
> > behind a firewall and has a private IP address. I have configured a
> > virtual interface with the public IP address a.b.c.d.
> >
> > eth0 Link encap:Ethernet HWaddr 00:0c:29:f5:10:9f
> >
> > inet addr:192.168.100.11 Bcast:192.168.100.255
> > Mask:255.255.255.0
> >
> > eth0:0 Link encap:Ethernet HWaddr 00:0c:29:f5:10:9f
> >
> > inet addr:a.b.c.d Bcast:a.b.c.d Mask:255.255.255.255
> >
> > Incoming packets have destination IP : 192.168.100.11.
> > I would like to change the destination to a.b.c.d and have for instance a
> > webserver listening on a.b.c.d:80 and with directive <virtualhost
> > a.b.c.d:80> answer to that request.
> >
> > I have tried :
> >
> > iptables -t nat -A PREROUTING -i eth0 -d 192.168.100.11 -j NETMAP --to
> > a.b.c.d/32
> >
> > When checking the result of this command with tcpdump, I don't see any
> > translation.
>
> Better, try to log the packets and see whether the translation happened
> or not. Add the following rule,
>
> iptables -I INPUT -d a.b.c.d -j LOG --log-prefix "[netfilter] "
>
> Then ping 192.168.100.11 from another node. Now the log
> (/var/log/messages or other custom log file) should have the
> corresponding entries, if the translation happened properly. I just
> tested now.
NETMAP should work, but since you're dealing with a single IP, DNAT and SNAT
should work just as well. I imagine that:
# Show that DNAT should happen and do it
iptables -t nat -A PREROUTING -i eth0 -d 192.168.100.11 \
-j LOG --log-prefix "[DNAT to public?] "
iptables -t nat -A PREROUTING -i eth0 -d 192.168.100.11 \
-j DNAT --to a.b.c.d
# Log the DNAT result
iptables -I INPUT -d a.b.c.d -j LOG --log-prefix "[DNAT worked ]"
iptables -I INPUT -d 192.168.100.11 -j LOG --log-prefix "[DNAT FAILed ]"
# Show that SNAT should happen and do it
iptables -t nat -A POSTROUTING -o eth0 -s a.b.c.d \
-j LOG --log-prefix "[SNAT from public?] "
iptables -t nat -A POSTROUTING -o eth0 -s a.b.c.d \
-j SNAT --to 192.168.100.11
# Log the SNAT result
iptables -I OUTPUT -s 192.168.100.11 -j LOG --log-prefix "[SNAT worked ]"
iptables -I OUTPUT -s a.b.c.d -j LOG --log-prefix "[SNAT FAILed ]"
should do the trick and show what should have happened and what did happen.
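An added example, not part of the thread: a small POSIX sh script that generates the DNAT/SNAT rule pair from Neal's reply for a given private/public address pair, and classifies kernel LOG lines by the "[DNAT worked ]" / "[DNAT FAILed ]" prefixes he proposed. The public address 203.0.113.10 is a constructed stand-in for a.b.c.d, and the log excerpt is constructed; nothing here touches the running firewall (the rules are only printed for review).

```shell
#!/bin/sh
# Added example (not from the thread). Builds the DNAT/SNAT + LOG rules that
# Neal Murphy described and checks a kernel-log excerpt for the LOG prefixes.
# Note: rules in the nat table are consulted only for the first packet of a
# connection; conntrack applies the mapping to the rest. The INPUT LOG rules
# therefore fire on every packet, while a LOG rule in nat PREROUTING fires once
# per connection, so the two counts are not expected to match.
PRIV=192.168.100.11     # address the packets arrive with (from the thread)
PUB=203.0.113.10        # constructed stand-in for the public address a.b.c.d

# Print the rule set for review; run "nat_rules ... | sh" as root to apply it.
# The -d $priv match with no port restriction rewrites *all* traffic to the
# private address; add "-p tcp --dport 80" to leave management traffic alone.
nat_rules() {
  priv=$1; pub=$2
  cat <<EOF
iptables -t nat -A PREROUTING  -i eth0 -d $priv -j DNAT --to-destination $pub
iptables -t nat -A POSTROUTING -o eth0 -s $pub  -j SNAT --to-source $priv
iptables -I INPUT  -d $pub  -j LOG --log-prefix "[DNAT worked ] "
iptables -I INPUT  -d $priv -j LOG --log-prefix "[DNAT FAILed ] "
EOF
}

# Read kernel LOG lines on stdin; print "<worked> <failed>" counts.
dnat_verdict() {
  awk '/\[DNAT worked \]/ {w++} /\[DNAT FAILed \]/ {f++}
       END {printf "%d %d\n", w+0, f+0}'
}

# Read kernel LOG lines on stdin; print the distinct DST= addresses seen
# under the "worked" prefix, so a wrong --to-destination shows up at once.
worked_dsts() {
  awk '/\[DNAT worked \]/ { for (i = 1; i <= NF; i++)
         if ($i ~ /^DST=/) seen[substr($i, 5)] = 1 }
       END { for (d in seen) print d }' | sort
}

# Constructed log excerpt in the format the LOG target writes to the kernel log.
SAMPLE_LOG='kernel: [DNAT worked ] IN=eth0 OUT= SRC=192.168.100.5 DST=203.0.113.10 PROTO=ICMP TYPE=8
kernel: [DNAT worked ] IN=eth0 OUT= SRC=192.168.100.5 DST=203.0.113.10 PROTO=TCP DPT=80
kernel: [DNAT FAILed ] IN=eth0 OUT= SRC=192.168.100.5 DST=192.168.100.11 PROTO=TCP DPT=22'

nat_rules "$PRIV" "$PUB"
printf '%s\n' "$SAMPLE_LOG" | dnat_verdict      # 2 1
printf '%s\n' "$SAMPLE_LOG" | worked_dsts       # 203.0.113.10
```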