Hi all, I think I need help with the following problem: there's an XUbuntu 20.04 LTS box with 2 NICs:

  eth0 on 192.168.100.0/24 (Network A)
  eth1 on 192.168.200.0/24 (Network B)

The Linux box is supposed to forward (only) all UDP broadcasts to port 34567 in network A to network B.
For this purpose I have a rule:

iptables -t mangle -A INPUT -d 192.168.100.255 -i eth0 -p udp -m udp --dport 34567 -j TEE --gateway 192.168.200.255
This works well and you can see the cloned UDP packets in network B (e.g. with Wireshark or TCPDUMP). However, the default policy of filter/OUTPUT must be set to ACCEPT. If this is set to DROP, I've had no success so far, even though I've inserted what I consider to be a suitable OUTPUT rule. Probably I've made a mistake.
But that's not the main problem, unfortunately. The cloned UDP packets are not recognized/received by computers in network B, because they still have the original destination address directed to the broadcast address of network A: 192.168.100.255 !!!
I know of reports from others who have observed the same behavior, e.g.
https://unix.stackexchange.com/questions/477462/iptables-change-destination-ip-of-teed-packets
I believe that for a clean solution, you would have to rewrite the destination address in the nat/OUTPUT chain (on the same gateway machine where the TEE rule is applied) to network B's broadcast address using DNAT. So something like this:
iptables -t nat -A OUTPUT -o eth1 -d 192.168.100.255 -p udp -j DNAT --to-destination 192.168.200.255
Unfortunately, that didn't work either and the UDP packets on network B still have the destination address 192.168.100.255 (which is actually wrong on this network) and they are therefore not recognized.
What am I doing wrong?

Best,
Thomas
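An added diagnostic, not part of Thomas's post: it parses Ethernet/IPv4/UDP frames seen on the network-B interface and tells apart clones that reach network B correctly addressed from TEE clones that still carry network A's broadcast address. The interface name eth1, the port and both broadcast addresses come from the post; the sample frames are constructed.

```python
# Added example, not from the post: classify UDP frames seen on eth1 (network B).
import socket
import struct

NET_A_BCAST = "192.168.100.255"  # network A broadcast, from the post
NET_B_BCAST = "192.168.200.255"  # network B broadcast, from the post
PORT = 34567                     # forwarded UDP port, from the post

def parse_ipv4_udp(frame: bytes):
    """(src_ip, dst_ip, sport, dport) of an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ip[9] != 17 or len(ip) < ihl + 8:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, sport, dport

def classify(frame: bytes) -> str:
    """'ok': addressed to network B's broadcast on PORT; 'stale-dst': a TEE clone
    still carrying network A's broadcast address; 'other': anything else."""
    parsed = parse_ipv4_udp(frame)
    if parsed is None or parsed[3] != PORT:
        return "other"
    if parsed[1] == NET_B_BCAST:
        return "ok"
    return "stale-dst" if parsed[1] == NET_A_BCAST else "other"

def build_frame(src_ip, dst_ip, sport, dport, payload=b"hello"):
    """Constructed test frame: Ethernet broadcast + minimal IPv4 + UDP, checksums 0."""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp

def sniff(iface="eth1", count=10):
    """Live check on Linux (root needed): classify `count` frames on iface."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    return [classify(s.recv(65535)) for _ in range(count)]
```

Run `sniff()` on the gateway while a broadcast is sent in network A: a result of "stale-dst" reproduces the symptom described above, "ok" means the destination was rewritten.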