This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why can't Wireshark sniff the scapy packet modified by iptables?


On my Linux box, I wrote this rule to change all UDP destination IP addresses to 8.8.8.8 when dport is 53:

iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 8.8.8.8

This rule worked when I used:

dig +short iranled.com @4.2.2.4

tcpdump and Wireshark output is:

04:42:38.023348 IP 192.168.1.2.48984 > 8.8.8.8.53: UDP, length 29
04:42:38.242241 IP 8.8.8.8.53 > 192.168.1.2.48984: UDP, length 45

It is OK.

But when I create this packet with scapy, iptables modifies this packet but Wireshark cannot see it:

sr1(IP(dst="4.2.2.4")/UDP()/DNS(rd=1,qd=DNSQR(qname="iranled.com")))

tcpdump and Wireshark output is:

04:43:00.442453 IP 192.168.1.2.53 > 4.2.2.4.53: UDP, length 29
04:43:00.855930 IP 4.2.2.4.53 > 192.168.1.2.53: UDP, length 45

Why can't Wireshark see the scapy packet after it has been changed by iptables?

asked 16 Jul '14, 12:05


Babyy

edited 16 Jul '14, 12:16

Why can't Wireshark see the scapy packet after it has been changed by iptables?

How do you know the packet was changed by iptables in the test with scapy?

(16 Jul '14, 13:03) Kurt Knochner ♦

@Kurt Knochner: Yeah! The packet was not changed!!!!

(16 Jul '14, 13:46) Babyy

And that means what exactly?

(16 Jul '14, 14:53) Kurt Knochner ♦

@Kurt Knochner: That means iptables cannot change scapy packets! Is that correct?

(17 Jul '14, 05:06) Babyy

That means iptables cannot change scapy packets! Is that correct?

I don't know. That was not a statement of mine. It was a question.

I was asking how you know whether iptables did change the scapy packet or not. The only way: don't sniff on the system. Instead, sniff on a mirror port of the switch.

Only then will you get more information on whether it is a problem with iptables or with libpcap (tcpdump/Wireshark) and (possibly) the fact that scapy is using RAW sockets.

(17 Jul '14, 05:27) Kurt Knochner ♦

scapy uses raw sockets and iptables is unable to block or modify those packets .. http://diablohorn.wordpress.com/2013/11/28/qp-raw-sockets-iptables/

(20 Jul '14, 12:51) Babyy
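As an added example, not part of the thread: a small Python audit that runs the two tcpdump summaries quoted in the question against the DNAT rule, reporting which outbound UDP/53 queries actually left for the rule's target 8.8.8.8 and which went out to the address the client asked for. The sample lines are the question's own tcpdump output embedded as constructed input, the local address 192.168.1.2 is taken from them, and the same check can be run on a capture taken at the switch mirror port Kurt suggests.

```python
import re

# Constructed sample input: the two tcpdump summaries quoted in the question (dig test, then scapy test).
TCPDUMP_LINES = """\
04:42:38.023348 IP 192.168.1.2.48984 > 8.8.8.8.53: UDP, length 29
04:42:38.242241 IP 8.8.8.8.53 > 192.168.1.2.48984: UDP, length 45
04:43:00.442453 IP 192.168.1.2.53 > 4.2.2.4.53: UDP, length 29
04:43:00.855930 IP 4.2.2.4.53 > 192.168.1.2.53: UDP, length 45
"""

# One tcpdump summary line: "<ts> IP <src>.<sport> > <dst>.<dport>: <proto>, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+), length (?P<length>\d+)$"
)

def parse_tcpdump(text):
    """Parse tcpdump one-line summaries into dicts; non-matching lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "length"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts

def audit_dns_redirect(pkts, local_ip, nat_target="8.8.8.8"):
    """Classify each outbound UDP/53 query from local_ip as 'redirected' (destination
    is the DNAT target) or 'bypassed' (destination left as the client asked for).
    Flows are keyed by local source port; a reply only counts if it comes back from
    the resolver the query went to, so a mismatch points at an inconsistent capture."""
    flows = {}
    for p in pkts:
        if p["proto"] != "UDP":
            continue
        if p["src"] == local_ip and p["dport"] == 53:
            status = "redirected" if p["dst"] == nat_target else "bypassed"
            flows[p["sport"]] = {"resolver": p["dst"], "status": status, "reply": False}
        elif p["dst"] == local_ip and p["sport"] == 53:
            flow = flows.get(p["dport"])
            if flow and flow["resolver"] == p["src"]:
                flow["reply"] = True
    return flows

if __name__ == "__main__":
    for sport, f in audit_dns_redirect(parse_tcpdump(TCPDUMP_LINES), "192.168.1.2").items():
        print(f"sport {sport}: {f['status']} via {f['resolver']}, reply={f['reply']}")
```

The scapy query leaves from source port 53, which is scapy's default for UDP() when no sport is given, so that flow is keyed by 53 rather than an ephemeral port.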