Cloning and forwarding packets to multiple IP addresses

rcadima · Feb 15, 2013 · Viewed 8.8k times

I'm trying to forward all incoming TCP packets to multiple IP addresses.

Setup:

A - 10.10.10.10
B - 10.10.10.11
C - 10.10.10.12
D - 10.10.10.13

I want B, C and D to receive (on port 8000) all incoming packets on port 12345 of A. Ideally I wanted A to do this.

I can forward to one machine with this rule on A:

# REDIRECT only accepts --to-ports and keeps the packet on the local host; forwarding to another host is DNAT
iptables -t nat -A PREROUTING -p tcp --dport 12345 -j DNAT --to-destination 10.10.10.11:8000

I can also clone the packet using the TEE option:

iptables -t mangle -A PREROUTING -p tcp --dport 8000 -d 10.10.10.11 -j TEE --gateway 10.10.10.12

So far everything is okay. The problem is that C will receive the packet with the destination IP of B and not C. Furthermore, I don't know how I can forward to D and/or other destinations.

How can I make A, with iptables rules, send all the incoming packets on port 12345 to all the other machines (B, C and D) on port 8000?

Answer

pascuol · Dec 10, 2014

You have to use POSTROUTING:

# --dports is only valid with -m multiport; a single port is --dport
iptables -t nat -A POSTROUTING -p tcp --dport 8080 -j SNAT --to-source 10.10.10.12

but you need to find a way to differentiate which packet is for B or C, else they will all arrive with the IP of C. It should be done with the interface if you have different interfaces; I suppose that's the case since you change the gateway, so something like:

iptables -t nat -A POSTROUTING -o eth3 -p tcp --dport 8080 -j SNAT --to-source 10.10.10.12

so only the packets going out on interface eth3, imagining it's the routing path to C, will have the destination IP changed to C's IP.
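As an added example, written for this page and not taken from the question or the answer, the shell functions below generate (rather than apply) an iptables-restore ruleset for A that covers both halves of the question: a DNAT in nat PREROUTING carries the real two-way session to one host, and a TEE rule per extra host in mangle POSTROUTING, where the packet already carries its rewritten destination, clones it to each of the others. Ports and addresses are the ones from the question; everything else is an assumption: A has `net.ipv4.ip_forward=1` and a FORWARD chain that permits the traffic, and the function names and the single-interface layout are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the question or answer: generate (do not apply)
# an iptables-restore ruleset that sends a TCP service's traffic to one
# primary host and clones it to any number of mirror hosts.
# Assumptions (hypothetical): A forwards (net.ipv4.ip_forward=1) and its
# FORWARD chain permits the traffic; the mirrors are passive receivers.

# gen_fanout_rules LISTEN_PORT TARGET_PORT PRIMARY MIRROR...
# Prints the nat and mangle tables for host A in iptables-restore format.
gen_fanout_rules() {
    listen_port=$1
    target_port=$2
    primary=$3
    shift 3

    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # Real two-way session: rewrite the destination to PRIMARY:TARGET_PORT.
    printf '%s\n' "-A PREROUTING -p tcp --dport $listen_port -j DNAT --to-destination $primary:$target_port"
    # Make PRIMARY's replies come back through A instead of straight to the client.
    printf '%s\n' "-A POSTROUTING -p tcp -d $primary --dport $target_port -j MASQUERADE"
    printf '%s\n' 'COMMIT'

    printf '%s\n' '*mangle'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    # mangle POSTROUTING runs after nat PREROUTING, so the packet already has
    # dst PRIMARY:TARGET_PORT here; TEE sends an unmodified copy to each mirror.
    for mirror in "$@"; do
        printf '%s\n' "-A POSTROUTING -p tcp -d $primary --dport $target_port -j TEE --gateway $mirror"
    done
    printf '%s\n' 'COMMIT'
}

# mirror_host_rule PRIMARY TARGET_PORT SELF
# Rule for a mirror host: the clone still carries PRIMARY as its destination,
# so rewrite it to the mirror's own address (SELF) to reach a local socket.
mirror_host_rule() {
    printf '%s\n' "iptables -t nat -A PREROUTING -p tcp -d $1 --dport $2 -j DNAT --to-destination $3:$2"
}

# count_tee_rules LISTEN_PORT TARGET_PORT PRIMARY MIRROR...
# Number of TEE rules the ruleset contains (one per mirror host).
count_tee_rules() {
    gen_fanout_rules "$@" | grep -c -- '-j TEE '
}

# Usage with the hosts from the question; review the output, then pipe it
# into `iptables-restore` on A:
#   gen_fanout_rules 12345 8000 10.10.10.11 10.10.10.12 10.10.10.13
# and on each mirror host (here C):
#   mirror_host_rule 10.10.10.11 8000 10.10.10.12
```

Two properties of TEE decide where this fits. It copies the packet verbatim, so each mirror still sees B's address as the destination and needs the `mirror_host_rule` DNAT (or a local route for B's address) before a local socket will accept it. And the copies are one-way: the mirror hosts cannot complete a TCP handshake with the client, so this serves passive receivers such as an IDS or logging sensor, not a second live copy of the service.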