How to rewrite dest.IP of UDP packets, cloned by TEE target?

Hi all,

I think I need help with the following problem:

there's a Xubuntu 20.04 LTS box with 2 NICs:

eth0 on 192.168.100.0/24 (Network A)
eth1 on 192.168.200.0/24 (Network B)

The Linux box is supposed to forward (only) all UDP broadcasts to port 34567 in network A to network B.

For this purpose I have a rule

iptables -t mangle -A INPUT -d 192.168.100.255 -i eth0 -p udp -m udp --dport 34567 -j TEE --gateway 192.168.200.255

This works well and you can see the cloned UDP packets in network B (e.g. with Wireshark or tcpdump). However, the default policy of filter/OUTPUT must be set to ACCEPT. If this is set to DROP, I've had no success so far, even though I've inserted what I consider to be a suitable OUTPUT rule. Probably I've made a mistake.

But that's not the main problem, unfortunately. The cloned UDP packets are not recognized/received by computers in network B, because they still have the original destination address directed to the broadcast address of network A: 192.168.100.255 !!!

I know of reports from others who have observed the same behavior:

e.g. https://unix.stackexchange.com/questions/477462/iptables-change-destination-ip-of-teed-packets

I believe that for a clean solution, you would have to rewrite the destination address in the nat/OUTPUT chain (on the same gateway machine where the TEE rule is applied) to network B's broadcast address using DNAT. So something like this:

iptables -t nat -A OUTPUT -o eth1 -d 192.168.100.255 -p udp -j DNAT --to-destination 192.168.200.255

Unfortunately, that didn't work either and the UDP packets on network B still have the destination address 192.168.100.255 (which is actually wrong on this network) and they are therefore not recognized.

What am I doing wrong?

Best,
Thomas
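An added verification script (not part of Thomas's mail): it listens on the network-B interface and flags UDP/34567 frames that still carry 192.168.100.255 instead of 192.168.200.255, which is exactly the symptom described above, so the effect of each rule change can be checked without a full Wireshark session. The interface name eth1 and the frames produced by build_frame are assumptions made for this example.

```python
import socket
import struct
import sys

PORT = 34567                      # UDP port from the post
NET_B_BCAST = "192.168.200.255"   # what receivers on network B expect

def parse_udp(frame: bytes):
    """Return (src_ip, dst_ip, dport) for an IPv4/UDP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length
    if frame[23] != 17 or len(frame) < 14 + ihl + 8:
        return None                                   # not UDP or truncated
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return src, dst, dport

def classify(frame: bytes, local_bcast: str = NET_B_BCAST, port: int = PORT):
    """'ok' when the packet is addressed to this network's broadcast,
    'stale-destination' when it carries some other address (the symptom in
    the post), 'ignore' for anything that is not UDP to <port>."""
    parsed = parse_udp(frame)
    if parsed is None or parsed[2] != port:
        return "ignore"
    return "ok" if parsed[1] == local_bcast else "stale-destination"

def build_frame(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    """Constructed test frame: Ethernet + IPv4 + UDP (checksums left zero)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip

def sniff(ifname: str) -> None:
    """Live mode (Linux, needs CAP_NET_RAW): one line per UDP/34567 frame seen."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003)) as s:
        s.bind((ifname, 0))
        while True:
            frame = s.recv(65535)
            verdict = classify(frame)
            if verdict != "ignore":
                _, dst, _ = parse_udp(frame)
                print(f"{ifname}: dst={dst} -> {verdict}")

if __name__ == "__main__":
    sniff(sys.argv[1] if len(sys.argv) > 1 else "eth1")
```

Run it on the gateway as root with the network-B interface as argument; a stream of "stale-destination" lines reproduces the problem, and the first "ok" line shows the DNAT is taking effect.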
