Following a test I've just made, here is how to re-route specific outbound traffic to a different port or host using iptables.

In this example my test machine is 10.0.0.22 and my trap-receiving machine is 1.2.3.4. I redirect UDP port 162 (the SNMP trap port) to port 8787.


The command

# iptables -t nat -A OUTPUT --src 0/0 --dst 1.2.3.4 -p udp --dport 162 -j DNAT --to-destination 1.2.3.4:8787 


Checking that the rule was installed

Check that the rule is present in the nat table:

# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 166 packets, 30935 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1059 packets, 115K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1056 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            1.2.3.4        udp dpt:162 to:1.2.3.4:8787


Sanity test

Run the following tcpdump and generate an alarm from your device; the trap should now show up on port 8787:

# tcpdump -i any port 8787 -nn -v
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
17:55:11.079266 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 361) 10.0.0.22.60986 > 1.2.3.4.8787: UDP, length 333

1 packets captured
2 packets received by filter
0 packets dropped by kernel


Save for reboot

Dump the current rule set with iptables-save and check that the new rule is listed in the nat table:

# iptables-save
.
.
*nat
:PREROUTING ACCEPT [171:31227]
:POSTROUTING ACCEPT [1068:115667]
:OUTPUT ACCEPT [1064:114223]
-A OUTPUT -d 1.2.3.4 -p udp -m udp --dport 162 -j DNAT --to-destination 1.2.3.4:8787
COMMIT
.
*filter
:INPUT ACCEPT [1177903:1284574480]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [483337:177923496]
COMMIT
.
.


Revert / Delete the rule

To delete the rule from the nat table (if you ever regret it…):

# iptables -t nat -D OUTPUT --src 0/0 --dst 1.2.3.4 -p udp --dport 162 -j DNAT --to-destination 1.2.3.4:8787
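To tie the install, the check of the iptables-save dump, the persistence step and the removal together, here is an added shell script (not the original post's commands) built around the same 162 to 8787 rule; the rules file path is an assumption, and iptables-save on its own only prints, so its output has to be redirected to the file your distribution restores at boot.

```shell
#!/bin/sh
# Added example (not the original post's code): install the OUTPUT-chain DNAT
# redirect only once, confirm it from an iptables-save dump, and write the dump
# to a file so it survives a reboot. Host/ports are the post's; RULES_FILE is an
# assumed path (use the one your distribution restores at boot).
TRAP_HOST="1.2.3.4"
ORIG_PORT=162
NEW_PORT=8787
RULES_FILE="/etc/iptables/rules.v4"   # assumed path

# One rule specification shared by -A, -C and -D so they can never drift apart.
dnat_rule_spec() {
    echo "OUTPUT -d $TRAP_HOST -p udp --dport $ORIG_PORT -j DNAT --to-destination $TRAP_HOST:$NEW_PORT"
}

# Idempotent install: iptables -C returns 0 when an identical rule already exists.
apply_redirect() {
    iptables -t nat -C $(dnat_rule_spec) 2>/dev/null || iptables -t nat -A $(dnat_rule_spec)
}

# Read an iptables-save dump on stdin; exit 0 only if the *nat table holds an
# OUTPUT rule for host, udp, --dport ORIG_PORT and DNAT to host:NEW_PORT.
# Tokens are compared one by one (newer iptables-save prints -d as host/32).
dump_has_redirect() {
    awk -v host="$TRAP_HOST" -v from="$ORIG_PORT" -v to="$TRAP_HOST:$NEW_PORT" '
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && $1 == "-A" && $2 == "OUTPUT" {
            d = proto = dport = target = dest = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-d") d = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "--to-destination") dest = $(i + 1)
            }
            sub("/32$", "", d)
            if (d == host && proto == "udp" && dport == from && target == "DNAT" && dest == to) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# iptables-save alone only prints; the boot-time restore is iptables-restore < RULES_FILE.
persist_rules() {
    iptables-save > "$RULES_FILE"
}

case "${1:-}" in
    apply)  apply_redirect && iptables-save | dump_has_redirect && persist_rules ;;
    remove) iptables -t nat -D $(dnat_rule_spec) && persist_rules ;;
esac
```

Run it as root with `apply` to install, verify and persist, or `remove` to delete the rule and persist again.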


Enjoy!
