Firewall.user (custom rules) automatic reload - how?

If you're using iptables, your solution may be short-lived; consider transitioning to nft.

For any rule you're adding with -A or -I, just run the duplicate with -D before it to prevent multiples of the same rule being created.


Interesting!

With -D will it update the existing rule if the domain changed?

POSTROUTING and PREROUTING, can they be added with -D? Seems not.

It just so happens that the device I use to bounce traffic off of is running v21 and I can't physically access it. Therefore iptables.

Later I'll try to figure out how to get nftables and v22 running on it. But it's not a priority.

Try this. It's complicated, but it should work. Edit the domain names carefully.

# Resolve each name once; keep only the first IPv4 address (dig +short can print a CNAME line or several A records)
X_IP=$(dig +short A x.com | grep -E '^[0-9.]+$' | head -n 1)
Y_IP=$(dig +short A y.com | grep -E '^[0-9.]+$' | head -n 1)
[ -n "$X_IP" ] && [ -n "$Y_IP" ] || { echo "DNS lookup failed, leaving rules untouched" >&2; exit 1; }
# Remove every rule carrying the tag, highest line number first so earlier deletions do not shift the later numbers
flush_tagged() {
    for n in $(iptables -t "$1" -nL "$2" --line-numbers | grep -F "/* $3 */" | awk '{ print $1 }' | sort -rn); do
        iptables -t "$1" -D "$2" "$n"
    done
}
flush_tagged nat PREROUTING Custom_Pre
flush_tagged nat POSTROUTING Custom_Post
flush_tagged filter FORWARD Fwd_Src
flush_tagged filter FORWARD Fwd_Dest
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 63887 -m comment --comment "Custom_Pre" -j DNAT --to-destination "$X_IP:443"
iptables -t nat -A POSTROUTING -p tcp -d "$X_IP/32" -m comment --comment "Custom_Post" -j SNAT --to-source "$Y_IP"
iptables -A FORWARD -s "$X_IP/32" -m comment --comment "Fwd_Src" -j ACCEPT
iptables -A FORWARD -d "$X_IP/32" -m comment --comment "Fwd_Dest" -j ACCEPT
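As an added example (not code from the thread or from any poster): a version of the tag-and-flush reload that covers both the "-D before -A" idiom from the first reply and the comment-tagged script from the last one, with the two fragile steps (picking an address out of dig output, and working out which line numbers to delete) split into functions that can be checked offline. The -D-with-a-spec idiom only removes a rule identical to the spec, so it cannot clear a rule whose resolved address has since changed; that is why the tagged approach deletes by comment instead. The tag names, port 63887 and x.com/y.com follow the post above; the function names, the sample iptables listing and the sample dig output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Tag names, port 63887 and x.com/y.com follow the post above;
# the function names, the sample listing and the sample dig output are constructed for illustration.

# Idiom from the first reply: delete the exact rule spec until none is left, then add it once.
# Only works when the spec never changes; -D with a spec matches an identical rule only.
add_once() {
    tbl=$1; shift
    while iptables -t "$tbl" -D "$@" 2>/dev/null; do :; done
    iptables -t "$tbl" -A "$@"
}

# Keep only the first IPv4 address from `dig +short` output: dig prints CNAME targets
# (e.g. "edge.example.net.") before the A records, and a round-robin name yields several.
first_a_record() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | head -n 1
}

# Read `iptables -nL CHAIN --line-numbers` output on stdin and print the numbers of every rule
# whose comment is exactly $1, highest first. Deleting in descending order keeps the remaining
# numbers valid; deleting 3 before 5 would turn the old rule 5 into rule 4 and delete the wrong one.
tagged_rule_numbers() {
    grep -F "/* $1 */" | awk '{ print $1 }' | sort -rn | tr '\n' ' ' | sed 's/ *$//'
}

# Delete every rule tagged $3 from chain $2 of table $1, re-listing so the numbers are current.
flush_tagged() {
    for n in $(iptables -t "$1" -nL "$2" --line-numbers | tagged_rule_numbers "$3"); do
        iptables -t "$1" -D "$2" "$n"
    done
}

# Full reload: resolve first, bail out without touching anything if DNS fails, then flush and re-add.
reload_rules() {
    x_ip=$(dig +short A x.com | first_a_record)
    y_ip=$(dig +short A y.com | first_a_record)
    if [ -z "$x_ip" ] || [ -z "$y_ip" ]; then
        echo "DNS lookup failed; keeping the current rules" >&2
        return 1
    fi
    flush_tagged nat PREROUTING Custom_Pre
    flush_tagged nat POSTROUTING Custom_Post
    flush_tagged filter FORWARD Fwd_Src
    flush_tagged filter FORWARD Fwd_Dest
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 63887 -m comment --comment "Custom_Pre" \
        -j DNAT --to-destination "$x_ip:443"
    iptables -t nat -A POSTROUTING -p tcp -d "$x_ip/32" -m comment --comment "Custom_Post" \
        -j SNAT --to-source "$y_ip"
    iptables -A FORWARD -s "$x_ip/32" -m comment --comment "Fwd_Src" -j ACCEPT
    iptables -A FORWARD -d "$x_ip/32" -m comment --comment "Fwd_Dest" -j ACCEPT
}

# Constructed sample of `iptables -nL FORWARD --line-numbers`, with two stale Fwd_Src copies.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            203.0.113.5          /* Fwd_Dest */
3    ACCEPT     all  --  203.0.113.5          0.0.0.0/0            /* Fwd_Src */
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     all  --  198.51.100.9         0.0.0.0/0            /* Fwd_Src */'

# Constructed sample of `dig +short A x.com` when x.com is a CNAME to a round-robin name.
SAMPLE_DIG='edge.example.net.
203.0.113.5
203.0.113.6'

# Call reload_rules from /etc/firewall.user (or a cron job) to apply. The samples above are only
# for checking the parsers, e.g.: printf '%s\n' "$SAMPLE_FORWARD" | tagged_rule_numbers Fwd_Src
```

On the sample listing, tagged_rule_numbers Fwd_Src yields "5 3", so rule 5 goes before rule 3 and nothing shifts underneath the loop; first_a_record on the sample dig output skips the CNAME line and returns 203.0.113.5. The script assumes dig is installed (on OpenWrt that is the bind-dig package, which the original script already relies on).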