Iptables – How to define iptables rule to add all transport to a given interface to nfqueue

iptableslinux-networking

Running on Ubuntu.
I have machine 1 < – > machine 2 < – > machine 3.
I dont know machine 1 or machine 3 ip. It can be any ip.
machine 1 send packet to machine 3 and machine 3 send packet to machine 1.

Machine 2 is used as a bridge:

ifconfig eth0 0.0.0.0
ifconfig eth2 0.0.0.0
brctl addbr br0
brctl addif br0 eth0 eth2
ifconfig br0 up

i want to have an iptable rule in machine 2 that will add all traffic that come to eth0 to nfqueue1 and all traffic that come to eth2 to nefqueue2.

Now i have the following rule:

iptables -A FORWARD -p tcp -j NFQUEUE --queue-num 0

which is not good to me because i want to distinguish between traffic that come from machine 3 to traffic that come from machine 1, so i want to have 2 rule.

Add -i eth0 to the rule doesn’t help.

Best Answer

since you're operating a bridge, you need to use -m physdev

for usage, run iptables -m physdev -h - if you compile your own kernel, you may need to add this module.

Related Solutions

Iptables – suitable chain for iptables when eth is in Promisc mode

Remember that on a network that's connected with Ethernet switches, you won't see most of the data even if the network card is in promiscuous mode unless you have a managed switch with port mirroring.

One way to achieve what you want is to use an arp poisoning tool, such as Ettercap. You should be able to then apply netfilter rules or tcpdump the information you require.

Edit - More detail on request of OP:

From your question it sounds like you wish to snoop on passing network traffic and pass it through iptables.

By using a bridge, you're able to achieve this by sitting between the interesting machines and their gateway, physically, but it sounds like you would like to do in more passive fashion, hence why you're trying to use promiscuous mode on the NICs. Right? (If you don't know, promiscuous mode allows you too see Ethernet frames that were not addressed to your NIC)

The problem you have is that an Ethernet switch is designed so that it learns the MAC addresses on each port and uses this to "route" Ethernet frames to the correct port based on their MAC address. This is to reduce collisions associated with Ethernet hubs (something you rarely see these days). Therefore, you will only see Ethernet frames destined to or originating from your NIC including broadcast Ethernet frames, such as ARP, but not foreign traffic. This is a good thing :)

Most managed switches (not a dumb desktop one) allow you to designate a port mirror so that all Ethernet frames are replicated on a specific port where you can attach a machine in promiscuous mode and capture "foreign" Ethernet frames using tcpdump/Wireshark.

This still won't let them be captured by iptables, however. So you need a way to act as an Ethernet bridge again between the interesting hosts and their gateway but without being physically in the path. Enter Ettercap which is an arp poisoning tool. It tricks your interested hosts (and the switch) that your machine MAC address now owns the IP of the old IP gateway by sending out a "gratuitous arp". The interesting machines will unwittingly send all gateway/default route destined traffic to your machine. Your machine will now forward packets through its IP stack as if it was the gateway.

Where this won't work is when "port security" has been enabled on the switch, a not uncommon practice. This is to stop arp poisoning by blocking gratuitous arps where an IP is moving from one Ethernet port to another.

Linux – iptables to block VPN-traffic if not through tun0

Just add default low priority route for marked packets

ip rule add fwmark 42 table no.out
ip route add blackhole 0.0.0.0 metric 100 table no.out

and than, establishing new vpn connection should setup route for the same Mark, but using lower metric.

Best Answer

Related Solutions

Iptables – suitable chain for iptables when eth is in Promisc mode

Linux – iptables to block VPN-traffic if not through tun0

Related Topic