Iptables rule on INPUT between 2 ethernet cards on the same host

Tags: iptables, linux-networking

I have 2 eth cards on the same host, both connected directly with a LAN cable.

I set eth0 with IP 192.168.1.2
I set eth1 with IP 192.168.1.1

I set this rule:

iptables -A INPUT -p tcp -j NFQUEUE --queue-num 0

There are no other rules (I ran iptables -X and -F).

I send a TCP SYN packet (with a C++ program using a raw socket) from 192.168.1.2 to 192.168.1.1.

In Wireshark I see that the packet is received on eth0, but the iptables rule above doesn't apply to this packet.
When I send the packet to a remote host and apply this rule on the remote host, it works correctly.

So I guess this is due to the fact that both eth cards exist on the same host.

I need to create an iptables INPUT rule for a local eth card (dest and src on the same machine). I need it to simplify testing.

Did I guess the problem correctly? Is there a way to bypass this?

PS: connecting them via a switch didn't help; the rule wasn't applied.
Running on Ubuntu.

tcpdump shows the packet:

10:48:42.365002 IP 192.168.1.2.38550 > 192.168.1.1.34298: Flags [S], seq 0, win 5840, length 0

but iptables logging like this shows nothing:

iptables -A INPUT -p tcp -j LOG  --log-prefix '*****************'
iptables -A OUTPUT -p tcp -j LOG  --log-prefix '#################'

root@test:~# ip ad sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 80:1f:02:2f:d1:bb brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::821f:2ff:fe2f:d1aa/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 70:f3:55:0d:ef:31 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth1
    inet6 fe80::72f3:95ff:fe0d:ef31/64 scope link 
       valid_lft forever preferred_lft forever
root@test:~# ip ro sh
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1 
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2 

Best Answer

Make sure that the program listening on the netfilter queue is actually responding. If you say it doesn't work on your server but works on another, then it's because that other server actually has a program responding to that NFQUEUE.

Also remember that packet sockets (sometimes abusively called 'raw sockets') are not subject to netfilter, and that the kernel can also drop packets if, e.g., reverse path filtering is enabled and fails for that packet.
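The checks the answer describes, as an added example rather than code from the thread: a POSIX sh script that reads the reverse-path-filter and accept_local sysctls for an interface and looks up whether any process is bound to NFQUEUE 0 (the queue number in the question's rule). It assumes the live /proc tree and the file name nfq-check.sh; ROOT is an assumed prefix so the functions can be pointed at another tree.

```shell
#!/bin/sh
# Added diagnostic helpers, not code from the thread. They read the sysctls
# the answer points at (rp_filter, plus the accept_local knob that governs
# packets arriving from the wire with a source address this host owns) and
# check whether a userspace program is bound to the NFQUEUE. Every path is
# prefixed with $ROOT so a test can point the functions at a constructed tree.
ROOT="${ROOT:-}"

# Effective rp_filter for an interface: the kernel applies the larger of
# conf/all and conf/<iface>. 0 = off, 1 = strict, 2 = loose.
rpf_effective() {
    all=$(cat "$ROOT/proc/sys/net/ipv4/conf/all/rp_filter")
    dev=$(cat "$ROOT/proc/sys/net/ipv4/conf/$1/rp_filter")
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# accept_local is OR-ed over conf/all and conf/<iface>. While it is 0, a
# packet arriving on eth0 with a source address owned by this host is treated
# as a martian and discarded before it can reach the INPUT chain.
accept_local() {
    all=$(cat "$ROOT/proc/sys/net/ipv4/conf/all/accept_local")
    dev=$(cat "$ROOT/proc/sys/net/ipv4/conf/$1/accept_local")
    [ "$all" = 1 ] || [ "$dev" = 1 ]
}

# Netlink port id of the process bound to queue $1, from
# /proc/net/netfilter/nfnetlink_queue (columns: queue peer_portid queue_total
# copy_mode copy_range queue_dropped user_dropped id_sequence). Prints 0 and
# returns failure when nobody is bound, the case in which -j NFQUEUE drops.
nfq_listener() {
    f="$ROOT/proc/net/netfilter/nfnetlink_queue"
    pid=""
    if [ -r "$f" ]; then
        pid=$(awk -v q="$1" '$1 == q { print $2 }' "$f")
    fi
    echo "${pid:-0}"
    [ "${pid:-0}" -ne 0 ]
}

# Summary for one interface, e.g. `sh nfq-check.sh eth0` (file name assumed).
report() {
    echo "rp_filter on $1: $(rpf_effective "$1")"
    if accept_local "$1"; then echo "accept_local on $1: 1"
    else echo "accept_local on $1: 0 (locally sourced packets from the wire are dropped)"; fi
    if nfq_listener 0 >/dev/null; then echo "NFQUEUE 0: listener portid $(nfq_listener 0)"
    else echo "NFQUEUE 0: no listener bound, queued packets are dropped"; fi
}

if [ $# -gt 0 ]; then report "$1"; fi
```

Run it as root on the host with the two cards; if accept_local reports 0 on the receiving interface, the SYN carrying the host's own source address never reaches the INPUT chain, which matches the empty LOG output in the question.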