I wrote this rule to change every udp destination IP address to 8.8.8.8 when dport is 53:
iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 8.8.8.8
The rule worked when I used:
dig +short iranled.com @4.2.2.4
The tcpdump output is:
04:42:38.023348 IP 192.168.1.2.48984 > 8.8.8.8.53: UDP, length 29
04:42:38.242241 IP 8.8.8.8.53 > 192.168.1.2.48984: UDP, length 45
Everything is fine.
But when I create this packet with scapy, the iptables rule has no effect!
sr1(IP(dst="4.2.2.4")/UDP()/DNS(rd=1,qd=DNSQR(qname="iranled.com")))
The tcpdump output is:
04:43:00.442453 IP 192.168.1.2.53 > 4.2.2.4.53: UDP, length 29
04:43:00.855930 IP 4.2.2.4.53 > 192.168.1.2.53: UDP, length 45
Why were the scapy packets not altered by iptables?
UPDATE:
#iptables -L -n --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcpflags:! 0x17/0x02
2 ACCEPT udp -- 127.0.0.1 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
5 DROP all -- 0.0.0.0/0 255.255.255.255
6 DROP all -- 0.0.0.0/0 192.168.1.255
7 DROP all -- 224.0.0.0/8 0.0.0.0/0
8 DROP all -- 0.0.0.0/0 224.0.0.0/8
9 DROP all -- 255.255.255.255 0.0.0.0/0
10 DROP all -- 0.0.0.0/0 0.0.0.0
11 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
12 LSI all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
13 INBOUND all -- 0.0.0.0/0 0.0.0.0/0
14 LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
15 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Unknown Input"
Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
2 LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
3 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Unknown Forward"
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.1.2 127.0.0.1 tcp dpt:53
2 ACCEPT udp -- 192.168.1.2 127.0.0.1 udp dpt:53
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 DROP all -- 224.0.0.0/8 0.0.0.0/0
5 DROP all -- 0.0.0.0/0 224.0.0.0/8
6 DROP all -- 255.255.255.255 0.0.0.0/0
7 DROP all -- 0.0.0.0/0 0.0.0.0
8 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
9 OUTBOUND all -- 0.0.0.0/0 0.0.0.0/0
10 LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
11 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Unknown Output"
Chain INBOUND (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 LSI all -- 0.0.0.0/0 0.0.0.0/0
Chain LOG_FILTER (5 references)
num target prot opt source destination
Chain LSI (2 references)
num target prot opt source destination
1 LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
2 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "Inbound "
3 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02
4 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "Inbound "
5 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04
6 LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "Inbound "
7 DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
8 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix "Inbound "
9 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LSO (0 references)
num target prot opt source destination
1 LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
2 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix "Outbound "
3 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
num target prot opt source destination
1 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0