I have 2 eth cards on the same host. Both are connected directly with a LAN cable.
I set eth0 with IP 192.168.1.2
I set eth1 with IP 192.168.1.1
I set this rule:
iptables -A INPUT -p tcp -j NFQUEUE --queue-num 0
There are no other rules. (I ran iptables -X and -F.)
I send a TCP SYN packet (with a C++ program, using a raw socket) from 192.168.1.2 to 192.168.1.1.
In Wireshark I see that the packet is received on eth0, but the iptables rule (above) doesn't apply to this packet.
When I send the packet to a remote host and apply this rule on the remote host, then it works correctly.
So, I guess that this is due to the fact that both eth cards exist on the same host.
I need to create an iptables INPUT rule for a local eth card (dest and src on the same machine). I need it to simplify testing.
Did I guess the problem correctly? Is there a way to bypass this?
PS: connecting them via a switch didn't help; the rule wasn't applied.
Running on Ubuntu.
tcpdump shows the packet:
10:48:42.365002 IP 192.168.1.2.38550 > 192.168.1.1.34298: Flags [S], seq 0, win 5840, length 0
but iptables logging like this shows nothing:
iptables -A INPUT -p tcp -j LOG --log-prefix '*****************'
iptables -A OUTPUT -p tcp -j LOG --log-prefix '#################'
root@test:~# ip ad sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 80:1f:02:2f:d1:bb brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
inet6 fe80::821f:2ff:fe2f:d1aa/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 70:f3:55:0d:ef:31 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.2/24 brd 192.168.1.255 scope global eth1
inet6 fe80::72f3:95ff:fe0d:ef31/64 scope link
valid_lft forever preferred_lft forever
root@test:~# ip ro sh
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
Best Answer
Make sure that the program listening to the netfilter queue is actually responding. If you say it doesn't work on your server but works on another, then it's because that other server actually has a program responding to that NFQueue.
Also remember that packet sockets (sometimes abusively named 'raw sockets') are not subject to netfilter, and that the kernel can also drop packets if, e.g., reverse path filtering is enabled and fails for that packet.
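The two points in the answer (packet sockets skipping netfilter on the way out, and the kernel's reverse-path / source check dropping the packet on the way in, before the INPUT chain runs) can be made concrete with a small model. The following is an added example written for this page, not code from the question or the answer: it transcribes the interfaces and routes from the `ip ad sh` / `ip ro sh` output above, applies a simplified version of the kernel's ingress source validation (the `rp_filter` modes plus the local-source rejection governed by `net.ipv4.conf.*.accept_local`), and reports which iptables chains the SYN would traverse. The remote sender 192.168.1.3 is a constructed value, the chain lists omit the conntrack-dependent `nat` chains, and policy routing and custom local routes are not modelled.

```python
"""Added example: which netfilter chains does a locally sourced packet reach?

Illustrative model of the Linux ingress source check (fib_validate_source),
written for this page; it is not the kernel's code and simplifies it.
"""
import ipaddress

# Interfaces and connected routes transcribed from the question's
# `ip ad sh` / `ip ro sh` output (eth0 = 192.168.1.1, eth1 = 192.168.1.2).
IFACES = {
    "lo": ["127.0.0.1/8"],
    "eth0": ["192.168.1.1/24"],
    "eth1": ["192.168.1.2/24"],
}
ROUTES = [  # (prefix, egress interface), in the order `ip ro sh` listed them
    ("192.168.1.0/24", "eth0"),
    ("192.168.1.0/24", "eth1"),
]

# Standard iptables chains, grouped by hook (conntrack-driven nat chains omitted).
PREROUTING_HOOKS = ["raw PREROUTING", "mangle PREROUTING"]
INPUT_HOOKS = ["mangle INPUT", "filter INPUT"]
FORWARD_HOOKS = ["mangle FORWARD", "filter FORWARD"]
OUTPUT_HOOKS = ["raw OUTPUT", "mangle OUTPUT", "filter OUTPUT", "mangle POSTROUTING"]


def local_addresses(ifaces=IFACES):
    """Every address configured on the host (what the kernel's local table holds)."""
    return {ipaddress.ip_interface(a).ip for addrs in ifaces.values() for a in addrs}


def reverse_route_iface(src, routes=ROUTES, ifaces=IFACES):
    """Interface the host would use to reach `src`: local addresses resolve to
    'lo', otherwise longest prefix match (first listed route wins a tie);
    returns None when there is no route back."""
    src = ipaddress.ip_address(src)
    if src in local_addresses(ifaces):
        return "lo"
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None


def source_check(src, ingress, rp_filter=1, accept_local=False):
    """Simplified fib_validate_source(): returns (accepted, reason).

    rp_filter: 0 = off, 1 = strict (reverse route must leave via `ingress`),
    2 = loose (any route back to the source is enough). A packet whose source
    is one of our own addresses is a 'martian source' unless accept_local is set.
    """
    if ipaddress.ip_address(src) in local_addresses() and not accept_local:
        return False, f"martian source: {src} is a local address arriving on {ingress}"
    if rp_filter == 0:
        return True, "no reverse path check"
    rev = reverse_route_iface(src)
    if rev is None:
        return False, f"rp_filter: no route back to {src}"
    if rp_filter == 1 and rev != ingress:
        return False, f"rp_filter strict: route to {src} leaves via {rev}, not {ingress}"
    return True, f"reverse path ok via {rev}"


def hooks_reached(src, dst, ingress, rp_filter=1, accept_local=False):
    """Chains an incoming packet traverses, plus the drop reason ('' if delivered)."""
    hooks = list(PREROUTING_HOOKS)           # PREROUTING runs before the routing decision
    ok, reason = source_check(src, ingress, rp_filter, accept_local)
    if not ok:
        return hooks, reason                  # dropped at the routing decision, INPUT never runs
    if ipaddress.ip_address(dst) in local_addresses():
        return hooks + INPUT_HOOKS, ""
    return hooks + FORWARD_HOOKS, ""


def egress_hooks(socket_family):
    """Chains a locally generated packet traverses, by the socket it is sent from.
    AF_PACKET injects frames below IP and bypasses the OUTPUT/POSTROUTING hooks;
    AF_INET raw sockets (even with IP_HDRINCL) go through ip_local_out()."""
    return [] if socket_family == "AF_PACKET" else list(OUTPUT_HOOKS)


if __name__ == "__main__":
    # The question's SYN (192.168.1.2 -> 192.168.1.1, seen by tcpdump on eth0)
    # under three sysctl settings, plus a constructed remote sender.
    cases = [
        ("192.168.1.2", "192.168.1.1", "eth0", 1, False),   # as in the question
        ("192.168.1.2", "192.168.1.1", "eth0", 1, True),    # accept_local on, rp_filter strict
        ("192.168.1.2", "192.168.1.1", "eth0", 0, True),    # accept_local on, rp_filter off
        ("192.168.1.3", "192.168.1.1", "eth0", 1, False),   # constructed remote host
    ]
    for src, dst, dev, rpf, acc in cases:
        hooks, why = hooks_reached(src, dst, dev, rpf, acc)
        print(f"{src} -> {dst} on {dev} rp_filter={rpf} accept_local={acc}")
        print("  reaches:", ", ".join(hooks), f"| dropped: {why}" if why else "")
    print("OUTPUT chains for an AF_PACKET sender:", egress_hooks("AF_PACKET") or "none")
```

Two practical consequences follow from the model. A LOG rule placed in `-t raw -A PREROUTING` will fire for the SYN even though the INPUT rule in the question does not, which distinguishes "packet never reached netfilter" from "packet was dropped at the routing decision"; and setting `net.ipv4.conf.all.log_martians=1` makes that drop visible as a "martian source" line in the kernel log. Lifting the drop is a deliberate configuration change (the kernel documentation describes `accept_local` as needing suitable routing alongside it), so for a test rig it is usually simpler to send the packet from a separate host or network namespace, where the SYN arrives with a non-local source and traverses INPUT normally.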