I am currently trying to solve the following problem, but my google/SO searches have not yielded a matching scenario so far:
From my linux host, I must reach the destination host 172.19.28.152. However, due to corporate network complications, I must use a different IP address for that target: 10.187.19.132.
I must solve the problem in the IP layer because the application does not allow changing the target (it will always use the 172... IP address, and there is no way for me to change that behaviour in my scenario). Also, the application does not allow me to specify a DNS name instead.
Because of this, I want to configure nftables to do the following:
If a packet leaves my own host with the destination 172.19.28.152, replace the destination IP with 10.187.19.132. When the target replies, rewrite 10.187.19.132 with the original 172.19.28.152 (NAT).

My problem is that I cannot figure out the syntax for such a rule.
Let me state this another way: you want some remote host to look as if it lives under a different IP address than the one you actually need to access.

This is a standard DNAT-type translation; in nftables it looks like the following:

Instead of OUTPUT you might need to use the chain that you created previously; nftables doesn't provide default chains. It might be created with something like:

If you only need to establish communications from your side to that system, you don't need any other rules. The connection tracker will add expect records, so replies will be captured and translated back correctly.

If, on the other hand, the remote should also be able to initiate communications with your machine, you need, conversely, an SNAT rule, similar to the following:

POSTROUTING, again, must be replaced with the chain of the corresponding function that you created beforehand, with something like this:
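The outbound case the question actually asks for (DNAT of locally generated packets, with conntrack undoing the rewrite on replies), as an added, self-contained example rather than code from the question or the answer above. It builds the nftables ruleset, applies it only when run as root with `--apply`, and includes a small check against a `conntrack -L` line so the effect can be verified after the first connection. The table name `corp_redirect`, the chain name `output`, the script file name and the sample conntrack line are my own assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Rewrites the destination of packets this host generates toward the address
# the application insists on (172.19.28.152) so that they are actually sent to
# the reachable address (10.187.19.132). The table name "corp_redirect" and the
# chain name "output" are assumptions made for this example.
set -eu

APP_IP="172.19.28.152"    # address the application is hard-wired to use
REAL_IP="10.187.19.132"   # address the target is actually reachable at

# Emit the ruleset text. The chain attaches to the "output" hook because the
# packets originate on this host; a prerouting chain never sees locally
# generated traffic. Priority -100 is the conventional dstnat priority, so the
# rewrite happens before the routing decision and the packet is routed toward
# the real address. No reverse rule is needed: conntrack records the
# translation and undoes it on the reply packets.
nft_ruleset() {
    app="$1"
    real="$2"
    cat <<EOF
table ip corp_redirect {
    chain output {
        type nat hook output priority -100; policy accept;
        ip daddr $app dnat to $real
    }
}
EOF
}

# Check one line of 'conntrack -L' output: the translation is in effect when
# the original direction still targets the app-visible address and the reply
# direction comes back from the real address.
conntrack_translated() {
    line="$1"
    app="$2"
    real="$3"
    case "$line" in
        *"dst=$app "*"src=$real "*) return 0 ;;
    esac
    return 1
}

# Constructed sample line in 'conntrack -L' format (not captured from a live system).
SAMPLE_CT="tcp      6 431998 ESTABLISHED src=192.0.2.10 dst=172.19.28.152 sport=45210 dport=443 src=10.187.19.132 dst=192.0.2.10 sport=443 dport=45210 [ASSURED] mark=0 use=1"

main() {
    ruleset=$(nft_ruleset "$APP_IP" "$REAL_IP")
    if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
        # Declare, then flush, then define: re-running the script replaces the
        # table instead of appending a duplicate rule. 'nft -f -' reads stdin.
        printf 'table ip corp_redirect\nflush table ip corp_redirect\n%s\n' "$ruleset" | nft -f -
        nft list table ip corp_redirect
    else
        echo "# ruleset (run as root with --apply to load it):"
        printf '%s\n' "$ruleset"
        if conntrack_translated "$SAMPLE_CT" "$APP_IP" "$REAL_IP"; then
            echo "# sample conntrack line shows the translation in effect"
        fi
    fi
}

main "${1:-}"
```

Run it without arguments to print the ruleset, or `sudo sh redirect.sh --apply` to load it; then start the application and look for the entry in `conntrack -L | grep 172.19.28.152`, which should show the original direction with dst=172.19.28.152 and the reply direction with src=10.187.19.132. The check here only covers connections started from this host; the reverse direction the answer describes (connections initiated by the remote) needs a separate source rewrite and is not covered by this example.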