iptables DNAT change not showing up in Wireshark

QF0 asked:

I want to re-route all incoming traffic on interface ens4f0 to IP address 192.168.50.10, but Wireshark is showing that the destination IP address on incoming packets is unchanged. Is this the expected behaviour? I thought PREROUTING got in before anything else?

My iptables command is:

# iptables -t nat -A PREROUTING -i ens4f0 -j DNAT --to 192.168.50.10
# iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 24618 packets, 1923K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       all  --  ens4f0 any     anywhere             anywhere             to:192.168.50.8
    0     0 DNAT       all  --  ens4f0 any     anywhere             anywhere             to:192.168.50.10
    0     0 DNAT       all  --  ens4f0 any     anywhere             anywhere             to:192.168.50.10

I know that incoming packets are from 192.168.50.8, so I’ve also tried:

# iptables -t nat -A PREROUTING -i ens4f0 -j DNAT -s 192.168.50.8/32 --to 192.168.50.10
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  anywhere             anywhere             to:192.168.50.8
DNAT       all  --  anywhere             anywhere             to:192.168.50.10
DNAT       all  --  anywhere             anywhere             to:192.168.50.10
DNAT       all  --  192.168.50.8         anywhere             to:192.168.50.10

My answer:


Wireshark captures incoming packets before they are processed by the firewall, (and outbound packets after they are processed by the firewall) so you cannot see changes made by the firewall to inbound packets in this packet capture. Try capturing on the outbound interface to see the modified packets.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.