Question

Is it possible to change the destination port of a UDP packet using iptables?

I'm trying to get an SNMP agent to send out traps on 1620 instead of 162. Unfortunately so far I've only managed to change the source port:

iptables -t nat -A POSTROUTING -p udp --dport 162 -j SNAT --to :1620


Solution

This usage is apparently not supported. Taken from http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.txt:

6.3.7. Altering the Destination of Locally-Generated Connections

The NAT code allows you to insert DNAT rules in the OUTPUT chain, but this is not fully supported in 2.4 (it can be, but it requires a new configuration option, some testing, and a fair bit of coding, so unless someone contracts Rusty to write it, I wouldn't expect it soon).

The current limitation is that you can only change the destination to the local machine (e.g. `j DNAT --to 127.0.0.1'), not to any other machine, otherwise the replies won't be translated correctly.

OTHER TIPS

Assuming you know which machine you are sending to:

iptables -t nat -A OUTPUT -p udp --dport 162 -j DNAT --to-destination <dest-ip>:1620

You could redirect 162 to 1620:

iptables -t nat -A PREROUTING -p UDP --dport 162 -j REDIRECT --to-port 1620

@PiedPiper was right. With DNAT you must specify an IP address, but we only want to do port redirection, so -j REDIRECT may work in this case.

See http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.2

Instead of making SNAT, try with DNAT. The source port gets changed because SNAT means Source NAT, so DNAT will work for you.

You could set up a divert rule and then re-inject the packet with the modified port.

I've done this a while back on Mac OS X but it's the same principle on Linux: http://blog.dv8.ro/2006/08/using-divert-sockets-on-mac-os-x.html

You basically need to create a very simple transparent proxy.
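The "very simple transparent proxy" this answer describes, as an added example that is not code from the page or from any of its answerers: a userspace UDP relay that accepts a datagram on the port the agent actually sends to and re-sends it with the destination port rewritten, which is the same effect the iptables rules above aim for but without depending on nat-table support for locally generated packets. The ports 162 and 1620 come from the question; the function names, the loopback demo with ephemeral ports, and the sample payload are constructed here.

```python
import socket
import threading

# Constructed stand-in for a trap payload (a minimal BER SEQUENCE holding
# INTEGER 0). The relay treats it as opaque bytes and never parses it.
SAMPLE_TRAP = b"\x30\x03\x02\x01\x00"


def relay_datagram(listen_sock, dest):
    """Wait for one datagram on listen_sock and re-send it to dest.

    Returns (payload, source_addr) so a caller can log what was relayed.
    The outbound socket is unbound, so the kernel picks an ephemeral source
    port: the receiver sees the relay, not the agent, as the sender, which
    is the same trade-off REDIRECT/DNAT make without a matching SNAT.
    """
    payload, src = listen_sock.recvfrom(65535)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as out:
        out.sendto(payload, dest)
    return payload, src


def demo(payload=SAMPLE_TRAP):
    """Run the 162 -> 1620 scenario on loopback with ephemeral ports.

    Returns (payload_seen_by_receiver, listen_port, dest_port); in a real
    deployment listen_port would be 162 and dest_port 1620.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as receiver, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as agent:
        receiver.bind(("127.0.0.1", 0))   # stands in for the manager on 1620
        listener.bind(("127.0.0.1", 0))   # stands in for the agent's target, 162
        receiver.settimeout(5)
        listener.settimeout(5)
        dest = receiver.getsockname()

        # The relay waits on the "162" socket and forwards to the "1620" one.
        worker = threading.Thread(target=relay_datagram, args=(listener, dest))
        worker.start()

        # The "agent" sends a trap to the port it was configured for.
        agent.sendto(payload, listener.getsockname())

        data, _src = receiver.recvfrom(65535)
        worker.join()
        return data, listener.getsockname()[1], dest[1]


if __name__ == "__main__":
    data, listen_port, dest_port = demo()
    print(f"relayed {len(data)} bytes from port {listen_port} to port {dest_port}")
```

Because the traps here are generated on the same host, only the nat OUTPUT chain sees them; a relay like this sidesteps that limitation entirely at the cost of running a process, and a production version would loop rather than handle one datagram and should be bound to the interface the agent actually addresses.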

Licensed under: CC-BY-SA with attribution