Debian/Ubuntu Tips and Tricks

Debuntu

How-To: Redirecting network traffic to a new IP using IPtables

Posted by chantra on December 6th, 2008

While doing a server migration, it happens that some traffic still goes to the old machine because the DNS servers are not yet synced, or simply because some people are using the IP address instead of the domain name.

By using iptables and its masquerade feature, it is possible to forward all traffic that still reaches the old server on to the new IP.

This tutorial will show which command lines are required to make this possible.

In this article, it is assumed that you do not have iptables running, or at least that the nat table has no rules in the PREROUTING and POSTROUTING chains.

The first thing to do is to enable IP forwarding. This is done either with:

# echo "1" > /proc/sys/net/ipv4/ip_forward

or

# sysctl net.ipv4.ip_forward=1

Then we add a rule that forwards the TCP traffic arriving on port 1111 to IP 2.2.2.2 on port 1111:

# iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111

and finally, we ask IPtables to masquerade the forwarded traffic, so that it leaves with the source address of the redirecting host:

# iptables -t nat -A POSTROUTING -j MASQUERADE

Optionally, you can redirect only the traffic coming from a specific source host or network. For a single host:

# iptables -t nat -A PREROUTING -s 192.168.1.1 -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111

or for a whole network:

# iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111

That's it: the traffic to port 1111 is now redirected to IP 2.2.2.2.
If you look on host 2.2.2.2, you should see all of the redirected traffic coming from the host doing the redirection, since MASQUERADE rewrites the source address.
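The steps above gathered into one script, as an added example that is not part of the original post: it validates the port and target address, limits the MASQUERADE rule to the redirected flow instead of every forwarded packet, and can print, apply or remove the rule set. The function names, the FORWARD ACCEPT rule and the requirement that iptables and sysctl are on PATH are assumptions of this example, not something the post states.

```shell
# Added example, not code from the original post: wraps the post's steps in
# one script that validates its inputs, limits MASQUERADE to the redirected
# flow, and can print, apply or remove the rules (apply/remove need root).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Dotted-quad IPv4 only, each octet 0-255 (no CIDR suffix).
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1. n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}; rest=${rest#*.}
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Emit one iptables command per line; $1 is -A (add) or -D (delete).
# Args: PORT NEW_IP [SOURCE], SOURCE being a host or CIDR as in the post.
redirect_rules() {
    action=$1 port=$2 newip=$3 src=${4:-}
    valid_port "$port" && valid_ipv4 "$newip" || return 1
    srcm="${src:+ -s $src}"
    printf 'iptables -t nat %s PREROUTING%s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$action" "$srcm" "$port" "$newip" "$port"
    # The post masquerades every forwarded packet; match only the DNATed
    # flow so unrelated forwarded traffic keeps its real source address.
    printf 'iptables -t nat %s POSTROUTING -d %s -p tcp --dport %s -j MASQUERADE\n' \
        "$action" "$newip" "$port"
    # Needed if the FORWARD chain policy is DROP, or the flow dies silently.
    printf 'iptables %s FORWARD -d %s -p tcp --dport %s -j ACCEPT\n' \
        "$action" "$newip" "$port"
}

# Note: sysctl -w is lost at reboot; persist ip_forward in /etc/sysctl.conf too.
redirect_port() {
    mode=$1; shift
    case "$mode" in
        print)  redirect_rules -A "$@" ;;
        apply)  rules=$(redirect_rules -A "$@") || return 1
                sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
                printf '%s\n' "$rules" | sh -e ;;
        remove) rules=$(redirect_rules -D "$@") || return 1
                printf '%s\n' "$rules" | sh -e ;;
        *)      echo "usage: redirect_port print|apply|remove PORT NEW_IP [SOURCE]" >&2; return 2 ;;
    esac
}
```

Run `redirect_port print 1111 2.2.2.2` to review the rules before `redirect_port apply 1111 2.2.2.2`; `redirect_port remove 1111 2.2.2.2` deletes exactly the rules that were added.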

13 Responses to “How-To: Redirecting network traffic to a new IP using IPtables”

    • this depends on each individual case, but in a nutshell, you will need to run

      iptables -t nat -L -n --line-numbers

      and find the line that matches the rule you want to delete.
      then

      iptables -t nat -D

  1. Webmin only opens using the internal IP 172.31.3.61:10000, but when I open it from the public IP 54.254.203.200:10000 it won't open.
    What iptables rule will help me open it from the public IP?

    Thanks.

  2. Hi, I followed your guide but have a problem:
    # iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.113:80
    # iptables -t nat -A POSTROUTING -j MASQUERADE

    but if I do an nmap localhost, port 80 is closed (because no service is running locally on that port).
    How can the traffic be redirected from a closed port?
    I tried also with
    # iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    but nothing changes.

    can you help me?

    thanks

  3. You have to try it from some other host, not localhost. I tried the same command from another machine and the redirected port showed open.

  4. I want to redirect web traffic destined for the Internet IP 216.239.32.20 to a proxy running on the router on port 8080. Is this right:

    iptables -t nat -A PREROUTING -d 216.239.32.20 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

    or

    iptables -t nat -A PREROUTING -d 216.239.32.20 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:8080

    with 192.168.0.1 being the router.

  5. I want to redirect all outgoing traffic to 192.168.53.1 to instead go to 192.168.26.1.

    Is that something that can be handled?

    Basically, I'm using an android app with a bug in it that doesn't allow you to type a "." in the IP address, so I can't change the address. It's going to try to connect to the wrong address, and I want those TCP/IP packets to go to the right address instead.

  6. Hi, very nice post, it helped me a lot. Wanted to say thank you... :-) My use case is simple:
    I have an Active Directory server (IP a.a.a.a) running on port 389 and a web site hosted at another hosting provider (IP b.b.b.b) on port 80.
    What I want to do is place a system in between and point the A record to this server (IP c.c.c.c),

    so the traffic would be like:
    request port 80 --> c.c.c.c --> b.b.b.b
    request port 389 --> c.c.c.c --> a.a.a.a

    Now the other challenge is that the web server and AD server need to see the actual IP of the system that is making the GET request. If I were to use a proxy I could set up an X-Forwarded-For header. Can I do this in IPtables?
    BTW, even if we don't expose the end client IP to the AD server it's OK, but for the web server it is a must.

    Thanks
