Iptables - Redirect outbound traffic on a port to inbound traffic on 127.0.0.1


You want to use the iptables REDIRECT target.

iptables -t nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 80 -j REDIRECT

The iptables manpage specifies a single option to REDIRECT that allows you to change the port.

That option is --to-ports.
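As an added example (not code from the answer or the question), here is how the REDIRECT rule, the --to-ports option and the local listener fit together on Linux, in Python: redirect_rules() builds the OUTPUT-chain command the answer describes, and the listener recovers the address the client believed it was connecting to through the SO_ORIGINAL_DST socket option, which is the usual way to get the "as if it was coming from the original destination" behaviour the question asks for. The listener port 8080, the optional uid-owner exemption and the logging handler are assumptions for the example, not anything on the page; the sample sockaddr bytes are constructed inline.

```python
"""Redirect locally generated TCP traffic to a local listener with iptables REDIRECT
and recover the pre-NAT destination on the accepting side. Linux only."""
import socket
import struct
import subprocess

# Linux getsockopt level/option for the original (pre-REDIRECT/DNAT) destination of
# a connection; Python's socket module has no named constant for SO_ORIGINAL_DST.
SOL_IP = getattr(socket, "SOL_IP", 0)
SO_ORIGINAL_DST = 80


def redirect_rules(targets, listen_port, listener_uid=None):
    """Build the nat-table commands (argv lists) that send locally generated TCP
    connections to each (dest_ip, dest_port) in `targets` to 127.0.0.1:listen_port.

    REDIRECT in the OUTPUT chain maps locally generated packets to 127.0.0.1;
    --to-ports selects the port the listener is actually bound to. If
    `listener_uid` (assumed, not from the page) is given, connections made by that
    uid are exempted so a listener that itself connects outbound does not loop
    back into itself."""
    rules = []
    for dest_ip, dest_port in targets:
        rule = ["iptables", "-t", "nat", "-A", "OUTPUT", "-p", "tcp",
                "-d", dest_ip, "--dport", str(dest_port)]
        if listener_uid is not None:
            rule += ["-m", "owner", "!", "--uid-owner", str(listener_uid)]
        rule += ["-j", "REDIRECT", "--to-ports", str(listen_port)]
        rules.append(rule)
    return rules


def pack_sockaddr_in(ip, port):
    """Encode a struct sockaddr_in: sa_family (host order), sin_port (network
    order), sin_addr, 8 bytes of zero padding. Used here to build sample input."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\0" * 8)


def parse_original_dst(raw):
    """Decode the sockaddr_in returned by getsockopt(SOL_IP, SO_ORIGINAL_DST)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address: family=%d" % family)
    (port,) = struct.unpack("!H", raw[2:4])
    return socket.inet_ntoa(raw[4:8]), port


# Constructed sample: what the kernel returns for a connection that was headed
# for 1.2.3.4:80 before REDIRECT rewrote it.
SAMPLE_ORIGINAL_DST = pack_sockaddr_in("1.2.3.4", 80)


def original_dst(conn):
    """Original (pre-REDIRECT) destination of an accepted connection."""
    return parse_original_dst(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))


def serve(listen_port, handle):
    """Accept redirected connections on 127.0.0.1 and hand each one, together with
    the destination the client believed it was reaching, to `handle`."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", listen_port))
        srv.listen(128)
        while True:
            conn, peer = srv.accept()
            with conn:
                handle(conn, peer, original_dst(conn))


if __name__ == "__main__":
    # Install the rule (needs root), then log what each redirected client wanted.
    for argv in redirect_rules([("1.2.3.4", 80)], 8080):
        subprocess.run(argv, check=True)

    def log_and_close(conn, peer, dst):
        print("client %s:%d tried to reach %s:%d" % (peer + dst))
        conn.recv(4096)  # read the first request bytes, then drop the connection

    serve(8080, log_and_close)
```

Binding to 8080 rather than 80 is what --to-ports is for: the listener can run unprivileged while the rule still catches traffic aimed at port 80. The uid-owner exemption matters as soon as the listener makes outbound connections of its own, since those would otherwise match the same OUTPUT rule.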

Author: GoldenNewby

Updated on September 18, 2022

Comments

  • GoldenNewby
    GoldenNewby almost 2 years

    Is there a way to redirect traffic set to go out of the server to another IP, back to the server on localhost (preferably as if it was coming from the original destination)?

    I'd basically like to be able to set up my own software that listens on say, port 80, and receives traffic that was sent to say, 1.2.3.4.

    So as an example with some code. Here would be the server:

    use IO::Socket::INET;

    # Listener bound to loopback; this is where the redirected traffic should land.
    my $server = IO::Socket::INET->new(
        LocalAddr => '127.0.0.1',
        LocalPort => '80',
        Listen    => 128,
    ) or die "listen failed: $@";

    And that would receive traffic from the following client:

    # Client that believes it is connecting to google.com:80.
    my $client = IO::Socket::INET->new(
        PeerAddr => 'google.com',
        PeerPort => '80',
    ) or die "connect failed: $@";

    So rather than having the client be connecting to google.com, it would be connecting to the server I have listening on localhost for that same server.

    My intention is to use this to catch malware connecting to remote hosts.

    I don't specifically need the traffic to be redirected to 127.0.0.1, but it needs to be redirected to an IP the same machine can listen to.

    Edit: I've tried the following, and it doesn't work:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:80
    iptables -t nat -A POSTROUTING -j MASQUERADE
    
  • GoldenNewby
    GoldenNewby about 12 years
    It doesn't work for what I'm trying to do. It looks to me like that takes any traffic on port 80 to 1.2.3.4 and changes the port to something else, but it still goes to 1.2.3.4. I need it to go to localhost on the same machine the request originates from.
  • dmourati
    dmourati about 12 years
    That's what REDIRECT does. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address).
  • dmourati
    dmourati about 12 years
    Clear out all your iptables rules and just set the one I mentioned above to verify.
  • GoldenNewby
    GoldenNewby about 12 years
    I wasn't able to get this working -- is the socket option required for the client and the server?
  • Martino Dino
    Martino Dino about 12 years
    No, it simply "sniffs" for all the traffic directed to that port regardless of IP dst or dst port etc. But looking back, this applies to traffic going through your box and not originating from it. You should be able to adapt the "sniffer" socket binarytides.com/blog/… from that website.
  • GoldenNewby
    GoldenNewby about 12 years
    Sorry for the delay in the promised bounty, I'll be awarding it once I can (at least 24 hours).