Introduction
Following a test I've just made, here is how to re-route specific outgoing traffic to a different port/host/etc. using iptables. The rule goes in the OUTPUT chain of the nat table, so it only affects packets generated by the host itself, not forwarded traffic.
In this example, my test machine is 10.0.0.22 and my trap-receiving machine is 1.2.3.4. I redirect port 162 to port 8787.
The command
# iptables -t nat -A OUTPUT --src 0/0 --dst 1.2.3.4 -p udp --dport 162 -j DNAT --to-destination 1.2.3.4:8787
Checking the command was applied
Check that the rule is present in the nat table:
# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 166 packets, 30935 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1059 packets, 115K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1056 packets, 113K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 1.2.3.4 udp dpt:162 to:1.2.3.4:8787
Sanity test
Run the following tcpdump and generate an alarm from your device; the trap should now show up on port 8787 instead of 162:
# tcpdump -i any port 8787 -nn -v
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
17:55:11.079266 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 361) 10.0.0.22.60986 > 1.2.3.4.8787: UDP, length 333
1 packets captured
2 packets received by filter
0 packets dropped by kernel
Save for reboot
iptables-save only prints the running rule set to stdout; to keep the rule across a reboot, redirect its output to the rules file your distribution loads at boot (for example /etc/sysconfig/iptables on RHEL/CentOS, or /etc/iptables/rules.v4 with Debian's iptables-persistent package). Check that the output contains the rule:
# iptables-save
.
.
*nat
:PREROUTING ACCEPT [171:31227]
:POSTROUTING ACCEPT [1068:115667]
:OUTPUT ACCEPT [1064:114223]
-A OUTPUT -d 1.2.3.4 -p udp -m udp --dport 162 -j DNAT --to-destination 1.2.3.4:8787
COMMIT
.
*filter
:INPUT ACCEPT [1177903:1284574480]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [483337:177923496]
COMMIT
.
.
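The two listings above are the evidence that the redirect is in place and working: the -L -n -v counters show whether the rule has matched anything, and iptables-save shows whether it is in the rule set you are about to persist. The following script is an added example (not part of the original post) that parses both listings offline and reports rule loaded / packets matched / rule persisted. The embedded listings are constructed from the post's output, with a second copy of the -L -n -v listing showing the counter after one trap was sent; no root or iptables binary is needed to run it.

```python
"""Offline checks for the OUTPUT-chain DNAT rule (UDP/162 -> 1.2.3.4:8787).

Parses the text of `iptables -t nat -L -n -v` and `iptables-save` and reports
whether the rule is loaded, how many packets it has matched, and whether it
is part of the saved rule set. Listings are constructed from the post.
"""
import re
from dataclasses import dataclass

# Constructed: `iptables -t nat -L -n -v` right after the rule was added.
NAT_LISTING_BEFORE = """\
Chain PREROUTING (policy ACCEPT 166 packets, 30935 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 1059 packets, 115K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1056 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            1.2.3.4              udp dpt:162 to:1.2.3.4:8787
"""

# Constructed: the same listing after one 361-byte trap was sent.
NAT_LISTING_AFTER = NAT_LISTING_BEFORE.replace("    0     0 DNAT", "    1   361 DNAT")

# Constructed: `iptables-save` output, nat and filter tables only.
SAVE_OUTPUT = """\
*nat
:PREROUTING ACCEPT [171:31227]
:POSTROUTING ACCEPT [1068:115667]
:OUTPUT ACCEPT [1064:114223]
-A OUTPUT -d 1.2.3.4 -p udp -m udp --dport 162 -j DNAT --to-destination 1.2.3.4:8787
COMMIT
*filter
:INPUT ACCEPT [1177903:1284574480]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [483337:177923496]
COMMIT
"""

EXPECTED_SAVE_LINE = ("-A OUTPUT -d 1.2.3.4 -p udp -m udp --dport 162 "
                      "-j DNAT --to-destination 1.2.3.4:8787")


@dataclass
class Rule:
    chain: str
    pkts: int
    bytes: int
    target: str
    prot: str
    source: str
    destination: str
    extra: str   # text after the destination column: matches and target options


def _count(text):
    """Convert an iptables counter such as '361' or '115K' to an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad counter: {text!r}")
    return int(m.group(1)) * {"": 1, "K": 1000, "M": 1000**2, "G": 1000**3}[m.group(2)]


def parse_nat_listing(text):
    """Parse `iptables -t nat -L -n -v` output into {chain: [Rule, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif not line.strip() or line.strip().startswith("pkts bytes"):
            continue  # blank separator or column header
        elif current is not None:
            # Nine fixed columns (pkts bytes target prot opt in out source
            # destination), then free-form match text; split only nine times.
            cols = line.split(None, 9)
            if len(cols) < 9:
                raise ValueError(f"unexpected rule line: {line!r}")
            extra = cols[9] if len(cols) > 9 else ""
            chains[current].append(Rule(current, _count(cols[0]), _count(cols[1]),
                                        cols[2], cols[3], cols[7], cols[8], extra))
    return chains


def find_dnat_rule(chains, chain="OUTPUT", dst="1.2.3.4", dport=162, to="1.2.3.4:8787"):
    """Return the UDP DNAT rule in `chain` rewriting dst:dport to `to`, or None."""
    for rule in chains.get(chain, []):
        words = rule.extra.split()
        if (rule.target == "DNAT" and rule.prot == "udp" and rule.destination == dst
                and f"dpt:{dport}" in words and f"to:{to}" in words):
            return rule
    return None


def parse_iptables_save(text):
    """Parse `iptables-save` output into {table: [-A rule lines]}."""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):          # '*nat', '*filter': start of a table
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A") and table is not None:
            tables[table].append(line)
        # ':CHAIN POLICY [pkts:bytes]', 'COMMIT' and '#' comments carry no rules
    return tables


def rule_persisted(save_text, expected=EXPECTED_SAVE_LINE):
    """True if the DNAT rule is in the nat table of the saved rule set."""
    return expected in parse_iptables_save(save_text).get("nat", [])


def check_redirect(listing_text, save_text):
    """Summarise: rule loaded, packets it has matched, rule present in the saved set."""
    rule = find_dnat_rule(parse_nat_listing(listing_text))
    return {"loaded": rule is not None,
            "matched_packets": rule.pkts if rule else 0,
            "persisted": rule_persisted(save_text)}


if __name__ == "__main__":
    for label, listing in (("before trap", NAT_LISTING_BEFORE), ("after trap", NAT_LISTING_AFTER)):
        print(label, check_redirect(listing, SAVE_OUTPUT))
```

A zero packet counter after sending a trap means the rule never matched (wrong destination, port or protocol), which is the same thing the tcpdump sanity test above tells you, but from the firewall's side. To run the checks against a live box, feed it the real output of the two commands instead of the constructed strings.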
Revert / delete the rule
To delete the rule from iptables (if you ever regret it), run the same command with -D instead of -A:
# iptables -t nat -D OUTPUT --src 0/0 --dst 1.2.3.4 -p udp --dport 162 -j DNAT --to-destination 1.2.3.4:8787
Enjoy