Search code examples
network-programmingipmappingiptables

iptables dnat mapping a private ip to public to specific ip

I constructed a private net with two machine, both of them have two network interfaces this is the networking information:

  • machine1

    • eth0 10.0.0.11 (private net)
    • eth1 10.82.80.208 (Campus Network ip)

  • machine2

    • eth0 10.0.0.21 (private net)
    • eth2 10.82.80.207 (Campus Network ip)

I want to access 10.0.0.11 in my machine (10.82.80.206) in the campus network instead of using campus net IP address by iptables dnat. For example, I want to change the destination of packet from 10.0.0.11 to 10.82.80.208.

I'm trying to use iptables command such as:

iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.0.0.11 -j DNAT --to-destination 10.82.80.208
iptables -t nat -A PREROUTING -i eth0 -p icmp -d 10.0.0.11 -j DNAT --to-destination 10.82.80.208
iptables -t nat -A PREROUTING -i eth0 -p udp -d 10.0.0.11 -j DNAT --to-destination 10.82.80.208

But it seems useless when I'm trying to ping 10.0.0.11, the host still unreachable, how could I change the destination of pockets in my machine from a 10.0.0.11 to 10.82.80.208?

Solution

  • As iptables's man page reports, the -i flag specifies the input interface while you need the -o flag which specifies the output interface:

    [!] -i, --in-interface name
Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.
[!] -o, --out-interface name
Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.

    However, I think that in your case specifying the interface or protocol is not required. I would suggest the following command:

    iptables -t nat -A PREROUTING -d 10.0.0.11 -j DNAT --to-destination 10.82.80.208