src-nat will only let me change the source addr of egress packets. i want to change the dest addr also.
dst-nat will only let me change the dest addr of ingress packets. i want to change the src addr also.
Why? I have several clients on my LAN that insist on using google DNS (8.8.8.8 ). i want to redirect those UDP/53 packets to a different DNS.
And where is the problem?
Is from 2007 than I force all the users to use my DNS instead of anyother.
On Italy I’m forced by stupid laws to do that.
DST-NAT is applied on prerouting, you can not alter the source IP of the incoming packet because that connection is already tracked with that IP source.
SRC-NAT is applied on postrounting, you can not alter the destination IP of the outcoming packet because that connection is already routed with that IP destination.
Change DNS do not involve nothing more to the exclusive use of DST-NAT.
Incoming replies from forced DNS are already sent back to right IP source of request from connection tracking.
It is possible to change both src address and dst address of a packet, it is only that two rules are needed: one src-nat and one dst-nat. As @regextended explained, dst-nat comes first so if src-nat includes selector on dst address, it should match on already changed one.