forward packets from one interface to another interface using iptables
34,845
@Mike: Flush ALL rules/tables and start with just the basics to ensure you can nat between networks.
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 10.0.0.0/16 dev m0
iptables -t nat -A POSTROUTING -o m0 -j MASQUERADE
In my eyes, this should route and masquerade all 10.0.x.x traffic to m0 regardless of ip addressing. If successful, build on this based on the needs of your network.
Related videos on Youtube
Author by
mikec
Updated on September 18, 2022Comments
-
mikec about 1 year
I have an embeded system with 2 interfaces e0 and m0, whose ips are 10.0.0.20 and 192.168.0.20, respectively. Incoming packets into e0 have an ip of 10.0.0.10 and should be forwarded to m0 interface to external server whose ip is 10.0.0.30. Also, the returning traffic into m0 should be returned to e0.
I tried to forward packets with these commands:
route add -net 10.0.0.0/16 dev m0 iptables -t nat -A PREROUTING -d 10.0.0.30 -j DNAT --to-destination 192.168.0.20 iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -j SNAT --to-source 10.0.0.20
I did tcpdump at m0 but don't see anything going out.
Can you tell me what I am missing? Thank you in advance.
1: lo: <LOOPBACK> mtu 65536 qdisc noop link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: e0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq qlen 1000 link/ether 00:a0:c9:00:00:00 brd ff:ff:ff:ff:ff:ff inet 10.0.0.20/24 brd 10.0.0.255 scope global e0 valid_lft forever preferred_lft forever inet6 fe80::2a0:c9ff:fe00:0/64 scope link valid_lft forever preferred_lft forever 3: m0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq qlen 1000 link/ether 00:aa:bb:cc:dd:44 brd ff:ff:ff:ff:ff:ff inet 192.168.0.20 brd 192.168.0.255 scope global m0 valid_lft forever preferred_lft forever inet6 fe80::2aa:bbff:fecc:dd44/64 scope link valid_lft forever preferred_lft forever 4: bcm: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq qlen 1000 link/ether 00:a0:c9:00:00:03 brd ff:ff:ff:ff:ff:ff inet6 fe80::2a0:c9ff:fe00:3/64 scope link valid_lft forever preferred_lft forever 5: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000 link/ether 80:3f:5d:09:7f:4b brd ff:ff:ff:ff:ff:ff 6: e0.1@e0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue link/ether 00:a0:c9:00:00:00 brd ff:ff:ff:ff:ff:ff inet 127.3.0.254/24 brd 127.3.0.255 scope global e0.1 valid_lft forever preferred_lft forever inet6 fe80::2a0:c9ff:fe00:0/64 scope link valid_lft forever preferred_lft forever [0.1.10] pad# ip rule show 0: from all lookup local 32766: from all lookup main 32767: from all lookup default [0.1.10] pad# ip ro show default via 192.168.0.20 dev m0 10.0.0.0/24 dev m0 10.0.0.0/24 dev e0 src 10.0.0.20 127.3.0.0/24 dev e0.1 src 127.3.0.254 192.168.0.0/24 dev m0 src 192.168.0.20 0.1.10] pad# iptables -L -vn Chain INPUT (policy ACCEPT 1480 packets, 186K bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 914 packets, 158K bytes) pkts bytes target prot opt in out source destination 0.1.10] pad# iptables -t nat -L -vn Chain PREROUTING (policy ACCEPT 258 packets, 51912 bytes) pkts bytes target prot opt in out source destination 0 0 DNAT all -- * * 0.0.0.0/0 10.0.0.30 to:192.168.0.20 0 0 DNAT all -- * * 0.0.0.0/0 10.0.0.30 to:192.168.0.20 0 0 DNAT all -- * * 0.0.0.0/0 10.0.0.30 to:192.168.0.20 Chain INPUT (policy ACCEPT 258 packets, 51912 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 13 packets, 876 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 13 packets, 876 bytes) pkts bytes target prot opt in out source destination 0 0 SNAT all -- * * 10.0.0.0/16 0.0.0.0/0 to:10.0.0.20 0 0 SNAT all -- * * 10.0.0.0/16 0.0.0.0/0 to:10.0.0.20
-
wurtel over 8 yearsIt doesn't make sense that the packet should be forwarded towards 10.0.0.30 through an interface that has an IP address of 192.168.0.20 while the other interface is 10.0.0.20. Please edit the question to include the output of the following commands:
ip a show
;ip ro show
;ip rule show
;iptables -L -vn
;iptables -t nat -L -vn
-
mikec over 8 yearshi wurtel, ok edited the question with the info you requested. i assigned e0 and m0 to have same subnet as external server (10.0.0.30) thinking that it might make things easier? the ip of m0 is fixed and i can't change that but can change the other ips. i found a way to send packet from device on e0 interface to external server on m0 interface by bridging e0 and m0 but i would like to see if it's possible to do this with iptables. maybe it's not??
-
wurtel over 8 yearsThe thing is that as your
e0
interface has a 10.0.0.0/24 network, packets from 10.0.0.10 to 10.0.0.30 will not be routed through your system and out of them0
interface. Your system will at most send 10.0.0.10 anICMP redirect
packet, telling it to directly send the packet towards 10.0.0.30 instead of towards 10.0.0.20. Actually I expect that 10.0.0.10 won't even try to send it through 10.0.0.20. You would need to set a host route on the 10.0.0.10 system for 10.0.0.30 via 10.0.0.20, and on 10.0.0.20 a host route for 10.0.0.30 via device m0; that might work. -
YoMismo over 8 yearsHave you enabled forwarding?
cat /proc/sys/net/ipv4/ip_forward
should return 1. -
mikec over 8 yearsyes i have enabled forwarding. so far, nothing has worked, so i htink i wll do bridging instead. thank you everyone for your help.
-
-
Paulo almost 2 yearsI have this same problem, with instead of m0 (at the route command), I set e0 and it worked.