
How to reroute traffic?


Pergola Fabio

Senior Member
Hey, got a question. I have a client on my local LAN, let's say a client with IP 192.168.0.50.
That client connects to a public service online, let's say on 55.66.77.88 port 5678.

How can I modify the traffic so the router reroutes all of it to an internal local device instead? I have the same service running on a local IP, let's say 192.168.0.51:5678.
So in other words, I want all outgoing traffic from 192.168.0.50 to 55.77.77.88:5678 rerouted to 192.168.0.51:5678, so it never reaches that public IP.

Is there a way to configure that? I'm running Merlin, do I need Merlin?

Thanks in advance
 
With Merlin you could create a nat-start script that contains the following line:
Code:
iptables -t nat -I PREROUTING -s 192.168.0.50 -d 55.66.77.88 -p tcp --dport 5678 -j DNAT --to-destination 192.168.0.51
 
Yes, it's all IPv4.
Thanks for all the info, I was just reading how to use scripts:

Gonna start first without it, and test.

BTW, for testing, how do you delete that rule? Is there an easy way?
I was reading this guide: https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules

I first need to show all iptables line numbers, with example:
Code:
iptables -L --line-numbers

Then delete the specific one; I think your example will be an OUTPUT chain, right?
Then delete the specific line, probably the first one, with:

Code:
iptables -D OUTPUT 1

Correct?
 
BTW, for testing, how do you delete that rule? Is there an easy way?
Just issue the same command again but replace "-I" with "-D".

I was reading this guide: https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules

I first need to show all iptables line numbers, with example:
Code:
iptables -L --line-numbers

Then delete the specific one; I think your example will be an OUTPUT chain, right?
Then delete the specific line, probably the first one, with:

Code:
iptables -D OUTPUT 1

Correct?
That won't work unless you specify the nat table (-t nat). The chain is PREROUTING not OUTPUT.
 
Can I also use a DNS name instead? Like www.123.com instead of 55.66.77.88?

Depends on the exact use case as to whether DNS would be helpful. Do you want this rule to apply to everyone on the LAN or only a specific client?

One other consideration - you don't mention whether you're using DHCP or static IP assignment for the client. Best option would probably be manual/fixed assignment under the router DHCP settings - keeps any iptables scripts simpler while still leaving the router (and wider network) better able to track things like hostname/IP mapping.
 
Perfect.

Yes, the local device has a fixed IP.
Seems DNS is not possible:

But actually, that doesn't matter. That local 192.168.0.50 device is only connecting to the cloud, only on port 5678, so do I need to specify that www.123.com / 55.66.77.88 at all? Maybe I can drop it?
So instead of:
iptables -t nat -I PREROUTING -s 192.168.0.50 -d 55.66.77.88 -p tcp --dport 5678 -j DNAT --to-destination 192.168.0.51
it will be like:
iptables -t nat -I PREROUTING -s 192.168.0.50 -p tcp --dport 5678 -j DNAT --to-destination 192.168.0.51

So I remove the "-d 55.66.77.88" completely? Is that valid?
 
Depends on the exact use case as to whether DNS would be helpful. Do you want this rule to apply to everyone on the LAN or only a specific client?
I think you're making the same mistake that I first did when reading the question. He's not asking to change a DNS reply but whether he can substitute a DNS name for the IP address in the iptables command.
 
Seems DNS is not possible:
Yes it is possible. I tried it myself. That example is attempting something different. Unless I'm misunderstanding what you're trying to use DNS for.
 
I think you're making the same mistake that I first did when reading the question. He's not asking to change a DNS reply but whether he can substitute a DNS name for the IP address in the iptables command.
I missed the port element - DNS to redirect all requests would work (albeit also affecting the local instance of the service which, depending what it is, could still need external access) but in this case the ask is only to redirect traffic destined to a single port. Doh!
 
Perfect.

Then I can use:

iptables -t nat -I PREROUTING -s 192.168.0.50 -d www.123.com -p tcp --dport 5678 -j DNAT --to-destination 192.168.0.51

If that works, that's good enough for me.
Using a DNS name there is better; I don't know if that cloud service is using multiple IPs for that www.123.com site, this command should resolve that.

Thanks for all the feedback!!
 
Perfect, it works!! =-)
Is there a way to actually see the route in iptables?
If I do:
iptables -L
I see a lot of chains, but not the PREROUTING chain?

Thanks!
 
You need to specify the nat table (-t nat).

iptables -t nat -L -v
or
iptables -t nat -L -vn
or
iptables-save -t nat

P.S. It's a rule not a route.
 
OK, that works!
Let's say I created the rule with this as destination: --to-destination 192.168.0.51
Is there a failsafe? Let me explain: if 192.168.0.51 is not available on my system for whatever reason, can I route it back to the original www.123.com?
 
OK, that works!
Let's say I created the rule with this as destination: --to-destination 192.168.0.51
Is there a failsafe? Let me explain: if 192.168.0.51 is not available on my system for whatever reason, can I route it back to the original www.123.com?
You'd have to set up some sort of monitoring script that periodically checked whether 92.168.0.51 was down and if so delete the iptables rule. Depending on your use case that might be more hassle than it's worth.
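The DNAT rule from earlier in the thread plus the monitoring failsafe just described, packaged as one script. This is an added example, not code posted in the thread or shipped with Merlin; the file name /jffs/scripts/redirect-5678.sh, the "check" argument, and the use of ping as the health probe are assumptions. It is meant to be called as "redirect-5678.sh check" from /jffs/scripts/nat-start and from a cru job; the -C check keeps repeated nat-start runs from stacking duplicate rules.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT redirect with a health-check failsafe for
# Asus-Merlin. Assumed: saved as /jffs/scripts/redirect-5678.sh (hypothetical name) and
# invoked as "redirect-5678.sh check" from /jffs/scripts/nat-start and from a cru job.
CLIENT="192.168.0.50"   # LAN client whose traffic is redirected
CLOUD="55.66.77.88"     # public service; a hostname also works, iptables resolves it at insert time
LOCAL="192.168.0.51"    # local replacement service
PORT="5678"

# Match/target part shared by -I, -D and -C so the three commands never drift apart.
rule_spec() {
    printf '%s' "PREROUTING -s $CLIENT -d $CLOUD -p tcp --dport $PORT -j DNAT --to-destination $LOCAL"
}
# Full command line for action I (insert), D (delete) or C (check existence).
build_cmd() {
    printf 'iptables -t nat -%s %s' "$1" "$(rule_spec)"
}
# Is the rule already in the nat table? (-C exits 0 when an identical rule exists.)
rule_present() {
    eval "$(build_cmd C)" >/dev/null 2>&1
}
# Is the local service host reachable? ping is an assumption; a TCP probe of $PORT would be stricter.
local_up() {
    ping -c 1 -W 2 "$LOCAL" >/dev/null 2>&1
}
# Pure decision: $1 = local up (1/0), $2 = rule present (1/0). Prints add, remove or none.
decide() {
    case "$1$2" in
        10) echo add ;;     # service back: (re)insert the redirect
        01) echo remove ;;  # service down: delete it so traffic reaches $CLOUD again
        *)  echo none ;;    # already in the desired state
    esac
}
# Apply the decision; safe to run repeatedly (nat-start fires on every firewall restart).
reconcile() {
    up=0; present=0
    local_up && up=1
    rule_present && present=1
    case "$(decide "$up" "$present")" in
        add)    eval "$(build_cmd I)" && logger -t redirect-5678 "rule added" ;;
        remove) eval "$(build_cmd D)" && logger -t redirect-5678 "rule removed, $LOCAL unreachable" ;;
    esac
}

if [ "${1:-}" = "check" ]; then reconcile; fi
```

Note that while the rule is removed the client talks to the real 55.66.77.88, so the failsafe only helps if that is an acceptable fallback for the service in question.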
 
