How to reroute traffic?

Pergola Fabio

Senior Member
Hey, got a question. I have a client on my local LAN, let's say a client with IP 192.168.0.50.
That client connects to a public service online, let's say on 55.66.77.88 port 5678.

How can I modify the traffic so the router reroutes all traffic to an internal local device instead? I have the same service running on a local IP, let's say 192.168.0.51:5678.
So in other words, I want all outgoing traffic from 192.168.0.50 to 55.77.77.88:5678 rerouted to 192.168.0.51:5678, so it never reaches that public IP....

Is there a way to configure that? I'm running Merlin; do I need Merlin?

Thanks in advance
 

ColinTaylor

Part of the Furniture
With Merlin you could create a nat-start script that contains the following line:
Code:
iptables -t nat -I PREROUTING -s 192.168.0.50 -d 55.66.77.88 -p tcp --dport 5678 -j DNAT --to-destination 192.168.0.51
 

Pergola Fabio

Senior Member
Yes, it's all IPv4.
Thanks for all the info, was just reading how to use scripts:


Gonna start first without it, and test.

BTW, for testing, how do you delete that rule? Is there an easy way?
I was reading this guide: https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules

I first need to show all iptables line numbers, for example:
Code:
iptables -L --line-numbers

Then delete the specific one. I think your example will be an OUTPUT chain, right?
Then delete the specific line, probably the first one, with:

Code:
iptables -D OUTPUT 1

Correct?
 

ColinTaylor

Part of the Furniture
BTW, for testing, how do you delete that rule? Is there an easy way?
Just issue the same command again but replace "-I" with "-D".

I was reading this guide: https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules

I first need to show all iptables line numbers, for example:
Code:
iptables -L --line-numbers

Then delete the specific one. I think your example will be an OUTPUT chain, right?
Then delete the specific line, probably the first one, with:

Code:
iptables -D OUTPUT 1

Correct?
That won't work unless you specify the nat table (-t nat). The chain is PREROUTING not OUTPUT.
 

eightiescalling

Regular Contributor
Can I also use a DNS instead? Like www.123.com instead of 55.66.77.88?

Depends on the exact use case as to whether DNS would be helpful. Do you want this rule to apply to everyone on the LAN or only a specific client?

One other consideration - you don't mention whether you're using DHCP or static IP assignment for the client. Best option would probably be manual/fixed assignment under the router DHCP settings - keeps any iptables scripts simpler while still leaving the router (and wider network) better able to track things like hostname/IP mapping.
 

Pergola Fabio

Senior Member
Perfect.

Yes, the local device has a fixed IP.
Seems DNS is not possible:


But actually, that doesn't matter; that local 192.168.0.50 device is only connecting to the cloud, only on port 5678, so do I need to specify that www.123.com / 55.66.77.88 at all? Maybe I can drop it?
So instead of:
Code:
iptables -t nat -I PREROUTING -s 192.168.0.50 -d 55.66.77.88 -p tcp --dport 5678 -j DNAT --to-destination 192.168.0.51
it will be like:
Code:
iptables -t nat -I PREROUTING -s 192.168.0.50 -p tcp --dport 5678 -j DNAT --to-destination 192.168.0.51

So I remove the "-d 55.66.77.88" completely? Is that valid?
 

ColinTaylor

Part of the Furniture
Depends on the exact use case as to whether DNS would be helpful. Do you want this rule to apply to everyone on the LAN or only a specific client?
I think you're making the same mistake that I first did when reading the question. He's not asking to change a DNS reply but whether he can substitute a DNS name for the IP address in the iptables command.
 

ColinTaylor

Part of the Furniture
Seems DNS is not possible:
Yes it is possible. I tried it myself. That example is attempting something different. Unless I'm misunderstanding what you're trying to use DNS for.
 

eightiescalling

Regular Contributor
I think you're making the same mistake that I first did when reading the question. He's not asking to change a DNS reply but whether he can substitute a DNS name for the IP address in the iptables command.
I missed the port element - DNS to redirect all requests would work (albeit also affecting the local instance of the service which, depending what it is, could still need external access) but in this case the ask is only to redirect traffic destined to a single port. Doh!
 

Pergola Fabio

Senior Member
Perfect.

Then I can use:

Code:
iptables -t nat -I PREROUTING -s 192.168.0.50 -d www.123.com -p tcp --dport 5678 -j DNAT --to-destination 192.168.0.51

If that works, that's good enough for me.
Using a DNS name there is better; I don't know if that cloud service is using multiple IPs for that www.123.com site, and this command should resolve that.

Thanks for all the feedback!!
 

Pergola Fabio

Senior Member
Perfect, it works!! =-)
Is there a way to actually see the route in the iptables?
If I do:
Code:
iptables -L
I see a lot of chains, but not the PREROUTING chain?

Thanks!
 

ColinTaylor

Part of the Furniture
You need to specify the nat table (-t nat).

iptables -t nat -L -v
or
iptables -t nat -L -vn
or
iptables-save -t nat

P.S. It's a rule not a route.
 

Pergola Fabio

Senior Member
OK, that works!
Let's say I created the rule with this as destination: --to-destination 192.168.0.51
Is there a failsafe? Let me explain: if 192.168.0.51 is not available on my system for whatever reason, can I route it back to the original www.123.com?
 

ColinTaylor

Part of the Furniture
OK, that works!
Let's say I created the rule with this as destination: --to-destination 192.168.0.51
Is there a failsafe? Let me explain: if 192.168.0.51 is not available on my system for whatever reason, can I route it back to the original www.123.com?
You'd have to set up some sort of monitoring script that periodically checked whether 92.168.0.51 was down and if so delete the iptables rule. Depending on your use case that might be more hassle than it's worth.
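A monitoring script of the kind Colin describes, added here as an example rather than code from the thread: it probes the local service, inserts the DNAT rule only while the service answers, and otherwise deletes it (using the same "replace -I with -D" form discussed earlier) so the client falls back to the public IP. It uses the thread's addresses and assumes a busybox nc that supports -z/-w, as found on Merlin.

```shell
#!/bin/sh
# Failsafe for the thread's DNAT rule: keep the redirect in place only while the
# local service answers, and remove it (so the client reaches the public IP again)
# when it does not. Addresses and port are the thread's example values.
# Assumed: busybox nc that supports -z/-w (as on Merlin), and this script, not
# nat-start, owns the rule, so there is a single place that adds and removes it.
CLIENT=192.168.0.50                 # LAN client whose traffic is redirected
PUBLIC=55.66.77.88                  # original public endpoint
LOCAL=192.168.0.51                  # local replacement service
PORT=5678
IPTABLES="${IPTABLES:-iptables}"    # overridable so the logic can be dry-run

# Match and target part of the rule, shared by -C, -I and -D so the delete is
# guaranteed identical to the insert (the "replace -I with -D" advice above).
rule_match() {
    echo "-s $CLIENT -d $PUBLIC -p tcp --dport $PORT -j DNAT --to-destination $LOCAL"
}

rule_exists() { "$IPTABLES" -t nat -C PREROUTING $(rule_match) 2>/dev/null; }

# Insert only when absent: re-running a nat-start with a plain -I stacks duplicates.
rule_add() { rule_exists || "$IPTABLES" -t nat -I PREROUTING $(rule_match); }

# Delete every copy, not just the first, so a stale duplicate cannot keep
# redirecting after the service has gone down.
rule_delete() {
    while rule_exists; do
        "$IPTABLES" -t nat -D PREROUTING $(rule_match) || return 1
    done
}

# TCP connect probe of the local service; exit status 0 means it is up.
service_up() { nc -z -w 2 "$LOCAL" "$PORT" >/dev/null 2>&1; }

# Converge the rule on the service state; prints what it did so runs can be logged.
reconcile() {
    if service_up; then
        if rule_exists; then echo present; else rule_add && echo added; fi
    else
        if rule_exists; then rule_delete && echo removed; else echo absent; fi
    fi
}

case "${1:-}" in
    once) reconcile ;;                                   # e.g. from a cru/cron entry
    run)  while :; do reconcile | logger -t dnat-failsafe; sleep 60; done ;;
esac
```

Run it as `dnat-failsafe.sh once` from a periodic cru entry, or `dnat-failsafe.sh run` as a background loop started at boot.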
 
