I have referred to the following links before asking this question.
I am making an example for my students on NAT - pre-routing. Here, I am trying to replace the destination IP with the one I want. For example, when someone tries to access www.facebook.com, www.google.com will be connected instead.
Here is what I have tried to do.
# host www.facebook.com
www.facebook.com is an alias for star.c10r.facebook.com.
star.c10r.facebook.com has address 31.13.79.65
star.c10r.facebook.com has IPv6 address 2a03:2880:f002:201:face:b00c:0:1
^C[root@shreyas joshis1]#
# host www.google.com
www.google.com has address 74.125.236.81
www.google.com has IPv6 address 2404:6800:4001:802::1014
[root@shreyas joshis1]#
Now, here is the IP table rule.
# iptables -t nat -I PREROUTING -p tcp --dport 80 -d 31.13.79.65 -j DNAT --to-destination 74.125.236.81
# iptables -t nat -I PREROUTING -p tcp --dport 443 -d 31.13.79.65 -j DNAT --to-destination 74.125.236.81
Now, commit to the table.
# iptables-save
However, it doesn't work. One thing I know is that the DNS resolution can happen to multiple IPs based on the region, etc., because these sites have a DNS load balancer.
The thing is that I can block these IPs. I believe that iptables works on the network layer. Thus, the HTTP request should have come to this layer. On reaching this layer, it should have been pre-routed to the other IP. For example, whenever the IP destination is 31.13.79.65, change it to the destination IP 74.125.236.81.
Thus, after DNS resolution, if the browser requests anything for the IP 31.13.79.65, the network layer should change it to 74.125.236.81. However, it doesn't work. Can somebody please explain why?
Please bear in mind that I am not an expert in networking. I have tried my best to put up the best of the knowledge I have on networking.
This is what you have to do:
You have to use the OUTPUT chain since that visit is outgoing traffic.
This iptables command assumes that this command is run on the machine on which you will be demonstrating the rules. Once this rule is applied, all the traffic to www.facebook.com will be redirected to the google IP address.
To effectively demonstrate this to your students, you will also have to create host entries in the /etc/hosts file so that www.facebook.com will always resolve to 31.13.79.65 and not to some other IP address. To make the rule permanent, you need to issue:
Not iptables-save, since it just prints out the rules as mentioned in the previous answer. To view this rule, you have to specifically mention -t nat since the rule is created in the NAT table:
iptables -t nat -L
The PREROUTING chain is used for packets arriving over the network to the host on which you have configured iptables. However if you test from that host itself, the PREROUTING chain is not used. To cover that case you can use the OUTPUT chain instead.
Also the iptables-save command does not do what you think it does. Your first two iptables commands modify the active rules directly in the kernel. As soon as you have run one of those commands, the rule is active for new connections.
What the iptables-save command does is read the rules in the kernel and write them all to stdout. You can redirect the output from iptables-save to a file in order to save your current configuration for later. Then later you can read those rules into your kernel by using the iptables-restore command.
The issue you mention with the IP address being dynamic may be best addressed by manipulating the DNS replies. If you change the DNS replies, you don't need to use the DNAT rule. If you are running your own resolver, you can make it believe it is authoritative for the zone you want to redirect.
However, for a quick hack, redirecting using iptables or by updating the hosts file is easier.
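The two answers above distinguish locally generated traffic (OUTPUT chain) from traffic arriving from other hosts (PREROUTING chain), and point out that iptables-save only prints rules unless its output is redirected. The following script is an added example, not code from the question or from any of the answers. It assumes the two addresses from the question (31.13.79.65 rewritten to 74.125.236.81) and a port list of 80 and 443 chosen here; it generates a nat table in iptables-restore format that covers both chains, shows the /etc/hosts entry that pins the name to the address the rule matches, and wires up the save/restore workflow. Nothing is loaded into the kernel unless APPLY=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example (not from the question or answers). Builds a nat table in
# iptables-restore format for a classroom DNAT demo. Addresses come from the
# question; the port list and file paths are assumptions made here.

ORIG_IP="31.13.79.65"     # address the browser actually connects to
NEW_IP="74.125.236.81"    # address we want the connection to land on

# Print one DNAT rule for the given chain and port, in the line format an
# iptables-restore file expects (no "iptables -t nat" prefix).
dnat_rule() {
    chain="$1"; orig="$2"; new="$3"; port="$4"
    printf '%s\n' "-A $chain -p tcp -d $orig --dport $port -j DNAT --to-destination $new"
}

# Print a complete nat table (header, rules, COMMIT) for the given ports.
# OUTPUT catches packets generated on this host (a browser running here);
# PREROUTING catches packets arriving from other hosts when this box is
# their gateway. A rule in only one chain misses the other case.
nat_ruleset() {
    orig="$1"; new="$2"; shift 2
    printf '%s\n' '*nat'
    for port in "$@"; do
        dnat_rule OUTPUT     "$orig" "$new" "$port"
        dnat_rule PREROUTING "$orig" "$new" "$port"
    done
    printf '%s\n' 'COMMIT'
}

# Count the rules of one chain in a ruleset read from stdin.
count_chain() {
    grep -c "^-A $1 "
}

# /etc/hosts line that pins the name to the address the rule matches, so a
# different DNS answer (load-balanced resolution) cannot bypass the DNAT.
hosts_entry() {
    printf '%s\n' "$1 $2"
}

# iptables-save prints to stdout; the redirection is what makes it persist.
save_nat() { iptables-save -t nat > "$1"; }
load_nat() { iptables-restore < "$1"; }

RULEFILE="$(mktemp)"
nat_ruleset "$ORIG_IP" "$NEW_IP" 80 443 > "$RULEFILE"
cat "$RULEFILE"                          # show the generated table
hosts_entry "$ORIG_IP" www.facebook.com  # line to append to /etc/hosts

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    iptables-restore --test < "$RULEFILE"   # parse only, commit nothing
    load_nat "$RULEFILE"
    iptables -t nat -L -n                   # -t nat is required to see these rules
    save_nat /etc/iptables-nat.rules        # assumed path for the saved table
fi
rm -f "$RULEFILE"
```

Run it without APPLY to inspect the generated table; with APPLY=1 as root it validates the file with iptables-restore --test, loads it, lists the nat table, and saves the live rules to a file that iptables-restore can reload at boot.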
You can use the PREROUTING chain to route any traffic to your desired IP and port.