
Redirect IP address with iptables

Discussion in 'Tomato Firmware' started by ImGeo, Apr 15, 2010.

  1. ImGeo

    ImGeo Addicted to LI Member

    I'm trying to redirect based on source IP and destination IP to a different IP address and different port. I've looked over the FAQ on tomato, used google, and spent a good amount of time--but couldn't get anything working. I'm trying to redirect all traffic from:
    192.168.1.13 to 67.221.231.147:80
    to:
    192.168.1.12:8080

    It's two different computers, except I'm trying to intercept connections to that server to find out what the program is sending about me. I'd use a proxy, except that the device 192.168.1.13 is an iPhone...

    iptables I've tried:
    iptables -I INPUT -t nat -i eth1 -s 192.168.1.13 -p tcp --dport 80 -j REDIRECT --to-port 8080

    variations include -A PREROUTING, etc..., but the return is:
    iptables: No chain/target/match by that name

    And I've looked online, but it seems many of the commands are not compatible with Tomato's iptables.
     
  2. Porter

    Porter LI Guru Member

    To use the PREROUTING chain you might need to

    iptables -N PREROUTING

    You also might want to read up on SNAT and DNAT.
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    PREROUTING will already exist in the tables where it should, you won't need to create it ("-N").

    Try the following:
    Code:
    iptables -t nat -A PREROUTING -i `nvram get lan_ifname` -s 192.168.1.13 -d 67.221.231.147 -p tcp --dport 80 -j DNAT --to 192.168.1.12:8080
    iptables -t nat -A POSTROUTING -o `nvram get lan_ifname` -s 192.168.1.13 -p tcp -d 192.168.1.12 -j SNAT --to `nvram get lan_ipaddr`
    The first rule takes any traffic from 192.168.1.13 to 67.221.231.147:80 and directs it to 192.168.1.12:8080. Any return traffic from 192.168.1.12 will also be made so it looks like it came from 67.221.231.147.

    The second rule makes the traffic that's being sent to 192.168.1.12 look like it's coming from the router. That is so that 192.168.1.12 will send any return traffic through the router, where the last half of the above will happen.

    For some reason, when I originally gave these directions to someone else, I included a third rule. However, I'm pretty sure it isn't necessary. I'm not sure why I included it. All br0->br0 traffic is ACCEPTed in the stock Tomato filter/FORWARD rules, so it should be completely redundant. Only add this if the above rules don't work.
    Code:
    iptables -t filter -I FORWARD -s 192.168.1.13 -d 192.168.1.12 -i `nvram get lan_ifname` -o `nvram get lan_ifname` -p tcp --dport 8080 -j ACCEPT
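    The DNAT/SNAT pair from the post above, as an added shell example that is not from the thread: it builds the two rules in a function so they can be inspected before being installed and re-run from the firewall script without stacking duplicates, and it matches the translated port in POSTROUTING because that chain sees the packet after DNAT. The addresses, `br0` and the `APPLY` variable are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): the DNAT + SNAT pair from the post
# above as a reusable function, so the rules can be inspected first and
# re-run from the Tomato firewall script without stacking duplicates.
# Assumes a Tomato router that provides `nvram get lan_ifname` and
# `nvram get lan_ipaddr`; all addresses below are constructed placeholders.

# Print (do not execute) the two nat-table rules for:
#   $1 source host   $2 original destination   $3 original port
#   $4 proxy host    $5 proxy port   $6 LAN interface   $7 router LAN IP
redirect_rules() {
    src=$1 dst=$2 dport=$3 proxy=$4 pport=$5 lan_if=$6 lan_ip=$7
    # PREROUTING/DNAT rewrites the destination before routing, so traffic
    # from $src to $dst:$dport is delivered to $proxy:$pport instead.
    printf 'PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$lan_if" "$src" "$dst" "$dport" "$proxy" "$pport"
    # POSTROUTING sees the packet after DNAT, so match the translated
    # destination ($proxy:$pport) and rewrite the source to the router;
    # the proxy then replies via the router, which un-DNATs the answer.
    printf 'POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$lan_if" "$src" "$proxy" "$pport" "$lan_ip"
}

# Install each rule only if `iptables -C` reports it is not already present,
# so re-running the firewall script does not append the same rule twice.
apply_rules() {
    redirect_rules "$@" | while IFS= read -r rule; do
        # $rule is deliberately unquoted: it must split into arguments.
        # shellcheck disable=SC2086
        iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule
    done
}

# Only touch the live firewall when APPLY=1 (e.g. from the firewall
# script); by default just show the commands that would be run.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules 192.168.1.13 67.221.231.147 80 192.168.1.12 8080 \
        "$(nvram get lan_ifname)" "$(nvram get lan_ipaddr)"
else
    redirect_rules 192.168.1.13 67.221.231.147 80 192.168.1.12 8080 br0 192.168.1.1 |
        sed 's/^/iptables -t nat -A /'
fi
```

    As in the post, the firewall service still has to be restarted after the script is saved for Tomato to pick the rules up.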
     
  4. mstombs

    mstombs Network Guru Member

  5. ImGeo

    ImGeo Addicted to LI Member

    Nope, didn't work.

    I also tried a few variations, including:
    iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.18 -d 0.0.0.0/0 -p tcp --dport 80 -j DNAT --to 192.168.1.12:8080
    iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.18 -p tcp -d 192.168.1.12 -j SNAT --to 192.168.1.1

    Note that when my device (iPhone) is connected, it shows up as on interface eth1. What I've decided is that if I want to do any testing/interception, I'd change the static IP to ~.18, else it'd stay .13. And I do want to redirect all traffic (hence the 0.0.0.0/0) to ~.12:8080 (which is Burp proxy).

    Any new suggestions? As long as it works, I'll be happy--even if it doesn't do anything fancy or mask that it's being intercepted.
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It really should work. Are you sure the proxy running on 192.168.1.12 is configured correctly?

    I just put the following in my router and it correctly sent everything from 192.168.0.30 (this laptop) destined for 204.11.51.93 (linksysinfo.org) to my server at 192.168.0.10.
    Code:
    iptables -t nat -I PREROUTING -i `nvram get lan_ifname` -s 192.168.0.30 -d 204.11.51.93 -p tcp --dport 80 -j DNAT --to 192.168.0.10:80
    iptables -t nat -I POSTROUTING -o `nvram get lan_ifname` -s 192.168.0.30 -p tcp -d 192.168.0.10 -j SNAT --to `nvram get lan_ipaddr`
    Also, you'll need to restart the firewall service (or the entire router) after adding those rules to the firewall script.
     
