1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Redirect IP address with iptables

Discussion in 'Tomato Firmware' started by ImGeo, Apr 15, 2010.

  1. ImGeo

    ImGeo Addicted to LI Member

    I'm trying to redirect based on source IP and destination IP to a different IP address and different port. I've looked over the FAQ on tomato, used google, and spent a good amount of time--but couldn't get anything working. I'm trying to redirect all traffic from: to

    It's two different computers, except I'm trying to intercept connections to that server to find out what the program is sending about me. I'd use a proxy, except that the device is an iPhone...

    iptables I've tried:
    iptables -I INPUT -t nat -i eth1 -s -p tcp --dport 80 -j REDIRECT --to-port 8080

    variations include -A PREROUTING, etc..., but the return is:
    iptables: No chain/target/match by that name

    And I've looked online, but it seems many of the commands are not compatible with Tomato's iptables.
  2. Porter

    Porter LI Guru Member

    To use the PREROUTING chain you might need to

    iptables -N PREROUTING

    You also might want to read up on SNAT and DNAT.
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    PREROUTING will already exist in the tables where it should, you won't need to create it ("-N").

    Try the following:
    iptables -t nat -A PREROUTING -i `nvram get lan_ifname` -s -d -p tcp --dport 80 -j DNAT --to
    iptables -t nat -A POSTROUTING -o `nvram get lan_ifname` -s -p tcp -d -j SNAT --to `nvram get lan_ipaddr`
    The first rule takes any traffic from to and directs it to Any return traffic from will also be made so it looks like it came from

    The second rule makes that traffic that's being sent to looks like it's coming from the router. That is so that will send any return traffic through the router where the last half of the above will happen.

    For some reason, when I originally gave these directions to someone else, I included a third rule. However, I'm pretty sure it isn't necessary. I'm not sure why I included it. All br0->br0 traffic is ACCEPTed in the stock Tomato filter/FORWARD rules, so it should be completely redundant. Only add this if the above rules don't work.
    iptables -t filter -I FORWARD -s -d -i `nvram get lan_ifname` -o `nvram get lan_ifname` -p tcp --dport 8080 -j ACCEPT
  4. mstombs

    mstombs Network Guru Member

  5. ImGeo

    ImGeo Addicted to LI Member

    Nope, didn't work.

    I also tried a few variations, including:
    iptables -t nat -A PREROUTING -i eth1 -s -d -p tcp --dport 80 -j DNAT --to
    iptables -t nat -A POSTROUTING -o eth1 -s -p tcp -d -j SNAT --to

    Note that when my device (iPhone) is connected, it shows up as on interface eth1. What I've decided is that if I want to do any testing/interception, I'd change the static IP to ~.18, else it'd stay .13. And I do want to redirect all traffic (hence the to ~.12:8080 (which is Burp proxy).

    Any new suggestions? As long as it works, I'll be happy--even if it doesn't do anything fancy or mask that it's being intercepted.
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It really should work. Are you sure the proxy running on is configured correctly?

    I just put the following in my router and it correctly sent everything from (this laptop) destined for (linksysinfo.org) to my server at
    iptables -t nat -I PREROUTING -i `nvram get lan_ifname` -s -d -p tcp --dport 80 -j DNAT --to
    iptables -t nat -I POSTROUTING -o `nvram get lan_ifname` -s -p tcp -d -j SNAT --to `nvram get lan_ipaddr`
    Also, you'll need to restart the firewall service (or the entire router) after adding those rules to the firewall script.

Share This Page