I am trying to redirect all traffic generated on box $SRC to a particular UDP port to a different host $SPY. I've done similar things with whole TCP connections using DNAT and SNAT, but this time I want UDP and I want to be able to start up the redirection after the "connection" has been established. (I never see these packets in the 'nat' table.) The only option that seemed viable, me not knowing much about networking, was to use the 'mangle' table to set a mark on the outgoing packets, then use 'ip' to route the packet to $SPY. I've used iptables a fair amount, but ip not at all.

On $SRC, I ran:

    iptables -t mangle -A OUTPUT -p udp --dport 8765 -j MARK --set-mark 1
    ip rule add fwmark 1 table 50
    ip route add via $SPY table 50
    sysctl net.ipv4.ip_forward=1    # Dunno if this matters
    ip route flush cache

On $SPY, I ran:

    sysctl net.ipv4.ip_forward=1    # Makes sense here

$SRC, $SPY, and $ORIG_DEST (the original destination) can all reach each other. According to iptables, the mark is getting set on the packets I want redirected. But tcpdump shows packets still going to the original destination, not $SPY.

I am testing by running this on $SRC:

    nc -v -u $ORIG_DEST 8765

And I trigger packets to be sent by hitting enter in that window. The packets are making it to my dummy server on $ORIG_DEST. They do not show up to tcpdump on $SPY.

I don't know how to read the output of 'ip route show cache', but it includes:

    $SPY from $SRC tos lowdelay dev tun0
        cache mtu 1412 advmss 1372 hoplimit 64
    local $SRC from $SPY tos lowdelay dev lo src $SRC
        cache <local,src-direct> iif tun0

(I'm testing this over a VPN, hence the tun0 device. Both $ORIG_DEST and $SPY are accessible via the VPN.)

The only thing I can think of is that $SPY needs to be reachable in a single hop, but then I'd expect some other error message. On the other hand, I just tried the above commands on my actual $SRC box, and it gave me "RTNETLINK answers: Network is unreachable". But as I said, all three boxes can reach each other via ping and pretty much anything.

By the way, I don't care if the packets arrive at $SPY with the destination IP addresses still set to something else; I just want them to be filterable via another iptables mess. (I'll probably just write them all out to a file with tcpdump and analyze them after the fact, but I could imagine writing an application protocol-specific netfilter module to do the checking that I really want.) I'd really like for some way to rewrite the destination IP address and do routing on the resulting packet, but I couldn't figure out how to do that. Like I said, these packets don't go through the 'nat' table, and I don't know how to rewrite the destination IP any other way.

Help?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
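As an added example (not part of the original post or of any netfilter/iproute2 tooling), here is an offline checker for the fwmark-plus-policy-routing setup the post describes: given the text of `ip rule show`, `ip route show table <N>` and `ip -o addr show`, `diagnose()` reports the usual reasons marked packets keep following the main table (mark and rule disagree, the table has no default route, or the gateway is not on-link for a point-to-point tun device and the route lacks `onlink`). The sample outputs at the bottom are constructed; 10.8.0.x addresses are placeholders for $SPY and the VPN peer.

```python
import re
from ipaddress import ip_address, ip_interface

def parse_rules(text):  # {table: fwmark} from `ip rule show` output
    return {m[2]: int(m[1], 0) for m in
            re.finditer(r"fwmark (0x[0-9a-fA-F]+|\d+)\S* lookup (\S+)", text)}

def parse_routes(text):  # dst/via/dev/onlink per line of `ip route show table N`
    routes = []
    for p in (line.split() for line in text.splitlines() if line.strip()):
        r = {"dst": p[0], "onlink": "onlink" in p}
        for key in ("via", "dev"):
            if key in p:
                r[key] = p[p.index(key) + 1]
        routes.append(r)
    return routes

def parse_addrs(text):  # {dev: [(address, ptp_peer_or_None)]} from `ip -o addr show`
    addrs = {}
    for p in (line.split() for line in text.splitlines()):
        if len(p) > 3 and p[2] == "inet":
            peer = p[5] if len(p) > 5 and p[4] == "peer" else None
            addrs.setdefault(p[1], []).append((p[3], peer))
    return addrs

def on_link(gw, dev, addrs):
    # without 'onlink' a gateway must be dev's point-to-point peer or inside one of its subnets
    gw = ip_address(gw)
    return any(gw == ip_interface(peer).ip if peer else gw in ip_interface(addr).network
               for addr, peer in addrs.get(dev, []))

def diagnose(mark, table, rules_text, routes_text, addrs_text):
    findings = []  # empty list means the mark-based routing looks consistent
    if parse_rules(rules_text).get(table) != mark:
        findings.append(f"no 'fwmark {mark:#x} lookup {table}' rule: MARK value and ip rule must agree")
    defaults = [r for r in parse_routes(routes_text) if r["dst"] == "default"]
    if not defaults:
        findings.append(f"table {table} has no default route, so the lookup falls through to main")
    addrs = parse_addrs(addrs_text)
    for r in defaults:
        gw, dev = r.get("via"), r.get("dev")
        if gw and dev and not r["onlink"] and not on_link(gw, dev, addrs):
            findings.append(f"gateway {gw} is not on-link for {dev}; add 'onlink' to the route "
                            "or the kernel reports 'Network is unreachable'")
    return findings

# constructed sample output: tun0 is a point-to-point VPN link, 10.8.0.10 stands in for $SPY
RULES = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 50\n32766:\tfrom all lookup main\n"
ADDRS = ("1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever\n"
         "5: tun0    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0\\       valid_lft forever\n")
```

Run it on a real box with the three commands' output captured to files; the only finding on a clean setup is an empty list.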