How to blindly forward all packets from one interface to another?
As far as setting it up in Linux, all the research I have done has led me to using combinations of the following, but I don’t think they are appropriate in this use case:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -A FORWARD -i eth0 -o m0 -j ACCEPT
    iptables -A FORWARD -i m0 -o eth0 -j ACCEPT
Achievable with Static Routing
Verified the interfaces are all working and it isn’t a hardware problem by setting static routes and confirming bidirectional messaging. I’m starting to think it simply isn’t achievable.
PC0 can now directly connect to PC1; tested with:
Received response from PC1 through the radios.
                      eth0                  eth0
                 192.168.0.111         192.168.2.112
    PC0 --- eth --- unit111 --- rf --- unit112 --- eth --- PC1
    192.168.0.110   192.168.1.111     192.168.1.112   192.168.2.110
                         m0                 m0
    # PC0
    IFPC=enx4865ee1495b5
    ip link set $IFPC up
    ip addr flush $IFPC
    ip addr add 192.168.0.110/24 dev $IFPC
    ip route add 192.168.1.0/24 via 192.168.0.111
    ip route add 192.168.2.0/24 via 192.168.0.111

    # unit111
    ip link set eth0 up
    ip addr flush eth0
    ip addr add 192.168.0.111/24 dev eth0
    ip link set m0 up
    ip addr flush m0
    ip addr add 192.168.1.111/24 dev m0
    ip route add 192.168.2.0/24 via 192.168.1.111
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # unit112
    ip link set eth0 up
    ip addr flush eth0
    ip addr add 192.168.2.112/24 dev eth0
    ip link set m0 up
    ip addr flush m0
    ip addr add 192.168.1.112/24 dev m0
    ip route add 192.168.0.0/24 via 192.168.1.112
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # PC1
    IFPC=enp0s31f6
    ip link set $IFPC up
    ip addr flush $IFPC
    ip addr add 192.168.2.110/24 dev $IFPC
    ip route add 192.168.1.0/24 via 192.168.2.112
    ip route add 192.168.0.0/24 via 192.168.2.112
Application Context
This is for a radio that has its own L2/L1 used for RF transmission. It is guaranteed placement in a system at the edge of a network and the only packets it receives over its Ethernet interface are to go out over RF. The interface to the L2 used in the RF chain is a DMA that I built a network interface for (m0) because I thought it would simplify connecting it to the Ethernet interface. All of the L2/L1 used for M0 is an FPGA implementation shuffling packets over the m0 DMA.
From the point of view of systems sending/receiving packets from the radio, the radio is basically supposed to look like a wire; packet in, packet out.
[eth rx frame]->[??forward to m0??]->[m0 places pkt in dma for l2 chain]->[frame (L2),mod,out to rf]
[rf,demod,deframe(L2)]->[m0 rx pkt creates skb]->[??forward to eth0??]->[eth0 rx skb transmits ethernet frame]
The radio is full duplex; it should be able to perform the transmit and receive simultaneously. That is, get packets from the Ethernet and transmit them over RF, as well as receive packets over RF and send them back out to the Ethernet.
I can place and recover packets into the RF chain using normal socket code through m0 no problem. I just can’t figure out how to forward all traffic between the interfaces without touching the packets or opening the interfaces in promiscuous and doing it manually in C code (which as described earlier has its own bag of worms).
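As an added example (not the asker's code and not part of the radio's driver), here is the userspace relay the post describes wanting to avoid, written in Python instead of C: one AF_PACKET socket per interface, put into promiscuous mode, and a select() loop that copies every frame to the other side unmodified in both directions. The interface names eth0 and m0 follow the post; demo() swaps the raw sockets for AF_UNIX datagram socketpairs and a constructed Ethernet frame so it runs without privileges. Opening real interfaces needs Linux and CAP_NET_RAW, and the struct packet_mreq layout in open_raw() is assumed from linux/if_packet.h. The in-kernel alternative, enslaving both interfaces to a bridge device, is not shown here.

```python
import select
import socket
import struct

ETH_P_ALL = 0x0003        # linux/if_ether.h: deliver every protocol
PACKET_MR_PROMISC = 1     # linux/if_packet.h
PACKET_OUTGOING = 4       # linux/if_packet.h sll_pkttype: a frame this host sent


def open_raw(ifname):
    """Bind an AF_PACKET socket to one interface and make it promiscuous so frames
    not addressed to that NIC are seen too (Linux only, needs CAP_NET_RAW).
    Not called by demo(); this is how eth0 and m0 would be opened for real."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    # struct packet_mreq { int mr_ifindex; u16 mr_type; u16 mr_alen; u8 mr_address[8]; }
    mreq = struct.pack("iHH8s", socket.if_nametoindex(ifname), PACKET_MR_PROMISC, 0, b"")
    s.setsockopt(socket.SOL_PACKET, socket.PACKET_ADD_MEMBERSHIP, mreq)
    return s


def pump_once(src, dst, bufsize=65535):
    """Copy one frame from src to dst byte-for-byte; return bytes moved.
    AF_PACKET also hands back frames the relay itself transmitted on src; those
    are skipped, otherwise each frame would loop between the two interfaces."""
    frame, addr = src.recvfrom(bufsize)
    if not frame or (isinstance(addr, tuple) and len(addr) > 2 and addr[2] == PACKET_OUTGOING):
        return 0
    dst.send(frame)
    return len(frame)


def relay(a, b, max_frames=None, timeout=None):
    """Full-duplex relay: whichever side has a frame ready is copied to the other.
    Stops after max_frames frames, or when select() times out with nothing ready."""
    stats = {"a_to_b": 0, "b_to_a": 0}
    moved = 0
    while max_frames is None or moved < max_frames:
        ready, _, _ = select.select([a, b], [], [], timeout)
        if not ready:
            break
        for s in ready:
            if s is a:
                stats["a_to_b"] += pump_once(a, b)
            else:
                stats["b_to_a"] += pump_once(b, a)
            moved += 1
    return stats


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Constructed Ethernet II frame: 6-byte dst, 6-byte src, 2-byte type, payload."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ethertype) + payload


def demo():
    """Stand in for eth0/m0 with two AF_UNIX datagram socketpairs (constructed
    test harness); returns whether each far end got its frame intact, plus stats."""
    eth_side, eth_peer = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    m0_side, m0_peer = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    pc0, pc1 = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"  # locally administered MACs
    to_rf = build_frame(pc1, pc0, 0x0800, b"PC0->PC1")     # arrives on the Ethernet side
    from_rf = build_frame(pc0, pc1, 0x0800, b"PC1->PC0")   # arrives from the RF chain
    eth_peer.send(to_rf)
    m0_peer.send(from_rf)
    stats = relay(eth_side, m0_side, max_frames=2, timeout=1.0)
    got_rf, got_eth = m0_peer.recv(65535), eth_peer.recv(65535)
    for s in (eth_side, eth_peer, m0_side, m0_peer):
        s.close()
    return got_rf == to_rf, got_eth == from_rf, stats


if __name__ == "__main__":
    print(demo())   # real use: relay(open_raw("eth0"), open_raw("m0"))
```

Because the relay copies every frame, including ARP and broadcast, it behaves like the wire the post asks for and applies no filtering at all; anything that reaches eth0 goes out over RF and vice versa.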
iptables FORWARD and INPUT
I have a home network with Linux PCs, which all had iptables running. I think it is easier to put my LAN behind a Linux gateway/firewall, so I've put a PC (with Fedora, no GUI) between my router and LAN and configured iptables. No problem here: INPUT only allows DNS and HTTP (and some local stuff), and forwarding works fine: the LAN connects to the Internet. But my question is: does FORWARD allow all from the outside, or only the ports I configured with INPUT? Do FORWARD and INPUT work together or are they separate? This is my iptables:
    *nat
    :PREROUTING ACCEPT [16:1336]
    :INPUT ACCEPT [14:840]
    :OUTPUT ACCEPT [30:2116]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o p1p1 -j MASQUERADE
    COMMIT
    # Completed on Tue Oct 16 09:55:31 2012
    # Generated by iptables-save v1.4.14 on Tue Oct 16 09:55:31 2012
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [91:9888]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p UDP --dport 53 -j ACCEPT
    -A INPUT -p TCP --dport 53 -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -i p1p1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -i p1p1 -p tcp -m multiport --dports 20,21,443 -j DROP
    -A INPUT -i p1p1 -p tcp --dport 5000:5100 -j DROP
    -A INPUT -i p1p1 -p icmp -m icmp --icmp-type 8 -j DROP
    -A FORWARD -s 192.168.2.0/24 -j ACCEPT
    -A FORWARD -d 192.168.2.0/24 -j ACCEPT
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    -A OUTPUT -j LOG --log-prefix "denied out: "
    COMMIT
How to forward traffic using iptables rules?
I am new to iptables and I have been doing Google searches for a few days now without finding a good solution to this problem. I have computer A with a public IP address (say 192.0.2.1) that can access the Internet unrestricted. I have another computer B with a private IP address (192.168.1.1) that can only access computer A. How do I use iptables to forward network traffic from B through A to the Internet? I need to use http, ftp, and https in order to use apt-get with sudo. Both computers run Ubuntu Linux. I have tried using Squid but I think it is far too complicated for what I need to do.
I am not an expert on iptables, but it's a firewall, and AFAIK not a router or switch, so AFAIK it wouldn't say "if X then go to this computer". It would say "if X then ACCEPT/DROP". Perhaps it may though; there are large features I haven't examined, but... Is there anything that makes you think it would?
I’ve seen articles like the one below where iptables is doing something similar but not quite the same problem.
@ProbablePattern yeah it looks like iptables might be able to.. There is -j REDIRECT that may just be local.. but there’s -j DNAT which is used here askubuntu.com/questions/28516/…
Regarding your question, the 'forwarding' from the private IP computer to the public IP computer that you speak of wouldn't be done by iptables. I think iptables would run on the public IP computer; give it an additional private IP (on another interface). And the private one would have a route set up to the NAT computer. So that forwarding isn't done by iptables.
5 Answers
I think this will do what you want, assuming that the network is like this:
    Internet --- Computer A --- Computer B
Notes:
EXT is the interface (like eth0, p1p1, etc.) that is connected to the Internet on Computer A. INT is the interface on Computer A that is connected to Computer B.
These commands need to be run as root (in su -) on Computer A (the one with Internet access).
    EXT=    # interface connected to the Internet
    INT=    # interface connected to Computer B
    echo 1 > /proc/sys/net/ipv4/ip_forward   # Tell the system it is OK to forward IP packets
    iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
    iptables -A FORWARD -i $EXT -o $INT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i $INT -o $EXT -j ACCEPT
    ip addr show $INT
In the output of the ip addr command, find the line that starts with inet (or inet6 if you are using IPv6). Use the IP address on that line in the following command, as root, on Computer B:
Now, see if it works by running ping google.com on Computer B, or simply by attempting to load a web page in the browser.
If you want to save the changes on Computer A, run these commands as root:
    apt-get install iptables-persistent
    /etc/init.d/iptables-persistent save
Now I don’t know exactly how to restore the saved rules on boot, can anybody else suggest something? It should work to do /etc/init.d/iptables-persistent reload (as root) every time after you boot, but that would be a pain.
To make Computer B always use Computer A as the default gateway would require installing DHCP on Computer A, which I don’t want to go into in this answer.
How forward packets from network interface to another
My problem is forwarding packets from eth2, which is my LAN, to eth1, which has access to the Internet, so that eth2 can access the Internet. Here is my configuration:
    auto eth1
    iface eth1 inet static
        address 192.168.3.1
        netmask 255.255.255.0
        network 192.168.3.0
        broadcast 192.168.3.255
        gateway 192.168.3.254

    auto eth2
    iface eth2 inet static
        address 10.101.26.1
        netmask 255.255.0.0
        network 10.101.0.0
        broadcast 10.101.255.255

    iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
I already uncommented net.ipv4.ip_forward=1 in /etc/sysctl.conf and wrote 1 to /proc/sys/net/ipv4/ip_forward. If I test with a PC connected on the LAN that has 10.101.26.1 as gateway, I can't reach the Internet, so how can I solve this? Thank you for any help! Regards
If you have a PC behind eth1, it must be on the same subnet as eth1, and the default gateway must be eth1’s IP, not eth2’s IP.
2 Answers
You’ll need some sort of masquerading statement. The reason behind this is that, currently, packets arriving from eth2 to eth1 are identified by 10.101.0.0/16 addresses. Those 10.101.0.0/16 packets then attempt to traverse the network via eth1 (192.168.3.0/24). This fails because those packets haven’t yet been masqueraded as packets from 192.168.3.1.
A little script like this below should help. Modify as necessary:
    #! /bin/bash
    IPTABLES=/sbin/iptables
    WANIF='eth1'
    LANIF='eth2'

    # enable ip forwarding in the kernel
    echo 'Enabling Kernel IP forwarding. '
    /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

    # flush rules and delete chains
    echo 'Flushing rules and deleting existing chains. '
    $IPTABLES -F
    $IPTABLES -X

    # enable masquerading to allow LAN internet access
    echo 'Enabling IP Masquerading and other rules. '
    $IPTABLES -t nat -A POSTROUTING -o $LANIF -j MASQUERADE
    $IPTABLES -A FORWARD -i $LANIF -o $WANIF -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i $WANIF -o $LANIF -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o $WANIF -j MASQUERADE
    $IPTABLES -A FORWARD -i $WANIF -o $LANIF -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i $LANIF -o $WANIF -j ACCEPT
    echo 'Done.'
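An added example, not part of any post above, that answers the question from the "iptables FORWARD and INPUT" post (are INPUT and FORWARD separate?) and also shows why the two MASQUERADE answers above only restrict inbound traffic when the FORWARD chain's policy is DROP: a small Python evaluator for the *filter table of iptables-save output. Both rulesets are constructed here, one modelled on the posted iptables-save dump (p1p1 toward the router, p3p1 toward the 192.168.2.0/24 LAN), one carrying the two FORWARD rules the gateway answers use with an assumed DROP policy. The packets are constructed as well; 203.0.113.5 is a documentation address standing in for an Internet host, and 192.168.1.20 is an assumed address for the firewall's own p1p1. Only the selectors that appear on the page are modelled (-s, -d, -i, -o, -p, --dport/--dports, --state) and the nat table is ignored, so the verdicts are those of the filter chains alone.

```python
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
FIELD = {"-s": "src", "-d": "dst", "-i": "iif", "-o": "oif", "-p": "proto"}

# Constructed ruleset modelled on the posted iptables-save dump (filter table only).
PAGE_STYLE = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p UDP --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m multiport --dports 20,21,443 -j DROP
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
"""

# Constructed ruleset: the two FORWARD rules of the MASQUERADE answers plus an
# assumed DROP policy; with iptables' default ACCEPT policy they restrict nothing.
STATEFUL = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i p1p1 -o p3p1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i p3p1 -o p1p1 -j ACCEPT
COMMIT
"""

# Constructed packets. A packet without "oif" is addressed to the firewall itself.
PACKETS = {
    "wan_new_to_lan_ssh": {"src": "203.0.113.5", "dst": "192.168.2.10", "iif": "p1p1", "oif": "p3p1", "proto": "tcp", "dport": 22, "state": "NEW"},
    "wan_new_to_firewall_ssh": {"src": "203.0.113.5", "dst": "192.168.1.20", "iif": "p1p1", "proto": "tcp", "dport": 22, "state": "NEW"},
    "lan_to_internet_https": {"src": "192.168.2.10", "dst": "203.0.113.5", "iif": "p3p1", "oif": "p1p1", "proto": "tcp", "dport": 443, "state": "NEW"},
    "wan_reply_to_lan": {"src": "203.0.113.5", "dst": "192.168.2.10", "iif": "p1p1", "oif": "p3p1", "proto": "tcp", "dport": 51000, "state": "ESTABLISHED"},
}


def parse_rule(tokens):
    """Arguments after '-A <chain>' -> selectors plus target. Every option on the page
    takes one argument, so unknown ones (-m, --limit, --log-*) are consumed and ignored."""
    rule = {"target": None, "ports": [], "states": None}
    it = iter(tokens)
    for tok in it:
        arg = next(it, "")
        if tok in ("-s", "-d"):
            rule[FIELD[tok]] = ipaddress.ip_network(arg, strict=False)
        elif tok in ("-i", "-o", "-p"):
            rule[FIELD[tok]] = arg.lower() if tok == "-p" else arg
        elif tok in ("--dport", "--dports"):
            for part in arg.split(","):          # "22", "20,21", "5000:5100"
                lo, _, hi = part.partition(":")
                rule["ports"].append((int(lo), int(hi or lo)))
        elif tok == "--state":
            rule["states"] = set(arg.split(","))
        elif tok == "-j":
            rule["target"] = arg
    return rule


def parse_ruleset(text):
    """Chain policies and ordered rules of the *filter table in iptables-save output."""
    policies, chains, table = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter" or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line.startswith(":"):                 # ":FORWARD DROP [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(parse_rule(tokens[2:]))
    return policies, chains


def matches(rule, pkt):
    """True when every selector present in the rule agrees with the packet."""
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    for key in ("iif", "oif", "proto"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if rule["ports"] and not any(lo <= pkt.get("dport", -1) <= hi for lo, hi in rule["ports"]):
        return False
    return rule["states"] is None or pkt.get("state") in rule["states"]


def evaluate(chain, pkt, policies, chains):
    """First terminating target wins; a user chain's verdict is final if it gives one;
    LOG falls through; RETURN ends the walk; otherwise the chain policy applies."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        if target in chains:
            verdict = evaluate(target, pkt, policies, chains)
            if verdict:
                return verdict
    policy = policies.get(chain, "ACCEPT")
    return None if policy == "-" else policy


def verdicts(ruleset_text):
    """Verdict per constructed packet: INPUT for packets addressed to the firewall,
    FORWARD for packets routed through it. A packet traverses one of them, never both."""
    policies, chains = parse_ruleset(ruleset_text)
    return {name: evaluate("FORWARD" if "oif" in pkt else "INPUT", pkt, policies, chains)
            for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, text in (("page-style", PAGE_STYLE), ("stateful", STATEFUL)):
        print(label, verdicts(text))
```

Against the page-style rules, a new connection from the Internet to port 22 on a LAN host is accepted by FORWARD, because the -d 192.168.2.0/24 rule matches regardless of port, while the same packet aimed at the firewall itself is dropped by INPUT: the two chains are independent, and the INPUT port list says nothing about what is forwarded. Whether such a packet ever arrives depends on the upstream router routing 192.168.2.0/24 to the firewall, not on these rules. The stateful set drops it and still passes LAN-originated traffic and its replies, which is the behaviour the gateway answers intend, but only because the FORWARD policy is DROP.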