# iptables redirect/forward help

## Wizumwalt

UDP packets from 192.168.10.5 using port 5001 are currently destined to 192.168.10.10.

I want iptables on 192.168.10.6 to redirect/forward UDP packets that it "sees" from 192.168.10.5 to itself. 192.168.10.6 should redirect these to itself so that I can get the packets into my application on 192.168.10.6. Currently, 192.168.10.6 will drop these packets because they are originally destined for 192.168.10.10.

I thought thats what I was doing here, but doesn't work.

```

$ iptables -t nat -A PREROUTING -i br0 -d 192.168.10.5 -p udp --dport 5001 -j DNAT --to-destination 192.168.10.6

```

Last edited by Wizumwalt on Fri Oct 07, 2011 4:46 pm; edited 1 time in total

----------

## gentoo_ram

There are several reasons why this can't be done as stated.  

The most important of which is that if the "hub" in question is an ethernet switch then the packets in question will not even physically make it to computer C.  Any network using 100mpbs or 1000mbps ethernet is probably a switch.  The switch looks at the ethernet address of the destination of the packets and only sends the packet down the appropriate port.

Even if the packets make it onto the segment with computer C, then computer C is going to filter them out the ethernet driver level because the destination ethernet address in the packet won't match that of computer C.  You'd have to put the ethernet card in computer C into "promiscuous" mode to even have a chance for the IP stack to examine the packets.

And then even after that, the low-level of the IP stack is going to ignore the packets because the IP address doesn't match the one on computer C.  I don't think IPtables will even have a chance to look at it.

Your only hope is having a firewall/router (be it a dedicated firewall box or a Linux box) sitting between A and B that can edit and/or duplicate the packets.

Can you modify the network configuration on box A to duplicate the packets before sending them?

----------

## Wizumwalt

Just the clarify, the hub really is a hub, not a switch. Actually, it's my virtual bridge br0 on my local box I'm testing with.

I've not used raw sockets before, but don't they run as super user and shouldn't I be able to get the entire frame no matter what the src and dest ip is?

 *gentoo_ram wrote:*   

> And then even after that, the low-level of the IP stack is going to ignore the packets because the IP address doesn't match the one on computer C.  I don't think IPtables will even have a chance to look at it.
> 
> 

 

Would anyone know the answer to this? Does iptables really not see it yet? Because if it did, I'd think iptables would work here.

----------

