forward packets from one interface to another interface using iptables


@Mike: Flush ALL rules/tables and start with just the basics to ensure you can NAT between networks.

echo 1 > /proc/sys/net/ipv4/ip_forward                 # enable IPv4 forwarding in the kernel
route add -net 10.0.0.0/16 dev m0                      # send all of 10.0.0.0/16 out of m0
iptables -t nat -A POSTROUTING -o m0 -j MASQUERADE     # rewrite the source of everything leaving m0 to m0's own address

In my eyes, this should route and masquerade all 10.0.x.x traffic to m0 regardless of IP addressing. If successful, build on this based on the needs of your network.
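The same "start with the basics" setup as an added example, not the answer's or the asker's own code: a small POSIX shell script that applies the forwarding and NAT configuration idempotently and then checks the things the question's listings show going wrong (ip_forward, which interface the target actually routes out of, and rule counters that stay at 0). It follows wurtel's suggestion in the comments and uses a /32 host route for 10.0.0.30 out of m0 rather than the /16 above, because e0 already owns 10.0.0.0/24 and that more specific prefix would always win over a /16. Rules are checked with `iptables -C` before being appended, which avoids the duplicate DNAT/SNAT entries visible in the question's nat table. Assumptions: the LAN_IF/WAN_IF/TARGET/CLIENT_NET variables, the run/add_rule helpers and the DRY_RUN switch are mine; the FORWARD policy of DROP is a hardening step beyond the answer's flush-everything baseline; and the external server 10.0.0.30 must be able to reply to 192.168.0.20, which the page does not establish.

```sh
#!/bin/sh
# Added example, not the original answer's code. Names from the question:
# e0 (10.0.0.20) faces the client 10.0.0.10, m0 (192.168.0.20) faces the
# external server 10.0.0.30. Variable names and helpers are assumptions.
LAN_IF=${LAN_IF:-e0}                  # interface the client sits behind
WAN_IF=${WAN_IF:-m0}                  # interface facing the external server
TARGET=${TARGET:-10.0.0.30}           # host the client needs to reach
CLIENT_NET=${CLIENT_NET:-10.0.0.0/24} # network the client lives in

# DRY_RUN=1 prints each command instead of running it, so the plan can be
# reviewed (or tested) without root and without touching the live tables.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append a rule only if an identical one is not already in the table.
# Re-running plain "iptables -A" on every debugging pass is how the nat
# table in the question ended up with three identical DNAT rules.
add_rule() {
    table=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

setup_forwarding() {
    # 1. The kernel must be willing to route between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. A /32 host route out of WAN_IF. e0 already owns 10.0.0.0/24, so a
    #    10.0.0.0/16 route on m0 is less specific and would never be chosen.
    run ip route replace "$TARGET/32" dev "$WAN_IF"
    # 3. Hide the client behind WAN_IF's address; conntrack reverses the
    #    translation on the reply, so no separate DNAT/SNAT pair is needed.
    add_rule nat POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # 4. Forward only the intended flow and its replies, then close the
    #    FORWARD chain instead of leaving the box an open router.
    add_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$CLIENT_NET" -d "$TARGET" -j ACCEPT
    add_rule filter FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP
}

# The checks to run before reaching for tcpdump. Each prints why it failed.
verify_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
        || { echo "ip_forward is 0: nothing will be forwarded off $LAN_IF"; return 1; }
    ip route get "$TARGET" | grep -q " dev $WAN_IF " \
        || { echo "$TARGET does not route out of $WAN_IF:"; ip route get "$TARGET"; return 1; }
    iptables -t nat -C POSTROUTING -o "$WAN_IF" -j MASQUERADE 2>/dev/null \
        || { echo "MASQUERADE rule for $WAN_IF is missing"; return 1; }
    # Zero pkts/bytes on these rows after the client has sent traffic means
    # the packets never reached the rules (the question's listing shows that).
    iptables -t nat -L POSTROUTING -vn
    iptables -L FORWARD -vn
}

case "${1:-}" in
    apply) setup_forwarding && verify_forwarding ;;   # needs root
    plan)  DRY_RUN=1 setup_forwarding ;;              # print the commands only
esac
```

Run it as `sh forward.sh plan` first to see exactly what will be applied, then `sh forward.sh apply` as root; the verify step is what tells you whether an empty tcpdump on m0 is a routing problem (wrong outgoing interface), a kernel problem (forwarding off) or a rule problem (counters at 0).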



Author: mikec

Updated on September 18, 2022

Comments

  • mikec
    mikec about 1 year

    I have an embedded system with 2 interfaces, e0 and m0, whose IPs are 10.0.0.20 and 192.168.0.20, respectively. Incoming packets into e0 have an IP of 10.0.0.10 and should be forwarded to the m0 interface to an external server whose IP is 10.0.0.30. Also, the returning traffic into m0 should be returned to e0.

    I tried to forward packets with these commands:

    route add -net 10.0.0.0/16 dev m0                                                   # route 10.0.0.0/16 out of m0
    iptables -t nat -A PREROUTING -d 10.0.0.30 -j DNAT --to-destination 192.168.0.20   # rewrite dst 10.0.0.30 to m0's own address
    iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -j SNAT --to-source 10.0.0.20        # rewrite src of 10.0.0.0/16 traffic to e0's address
    

    I did tcpdump at m0 but don't see anything going out.

    Can you tell me what I am missing? Thank you in advance.

    1: lo: <LOOPBACK> mtu 65536 qdisc noop  
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    
    2: e0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq qlen 1000
        link/ether 00:a0:c9:00:00:00 brd ff:ff:ff:ff:ff:ff
        inet 10.0.0.20/24 brd 10.0.0.255 scope global e0
           valid_lft forever preferred_lft forever
        inet6 fe80::2a0:c9ff:fe00:0/64 scope link
           valid_lft forever preferred_lft forever
    
    3: m0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq qlen 1000
        link/ether 00:aa:bb:cc:dd:44 brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.20 brd 192.168.0.255 scope global m0
           valid_lft forever preferred_lft forever
        inet6 fe80::2aa:bbff:fecc:dd44/64 scope link
           valid_lft forever preferred_lft forever
    
    4: bcm: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq qlen 1000
        link/ether 00:a0:c9:00:00:03 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::2a0:c9ff:fe00:3/64 scope link
           valid_lft forever preferred_lft forever
    5: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
        link/ether 80:3f:5d:09:7f:4b brd ff:ff:ff:ff:ff:ff
    
    6: e0.1@e0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
        link/ether 00:a0:c9:00:00:00 brd ff:ff:ff:ff:ff:ff
        inet 127.3.0.254/24 brd 127.3.0.255 scope global e0.1
           valid_lft forever preferred_lft forever
        inet6 fe80::2a0:c9ff:fe00:0/64 scope link
           valid_lft forever preferred_lft forever
    
    
    [0.1.10] pad# ip rule show
    0:      from all lookup local
    32766:  from all lookup main
    32767:  from all lookup default
    
    [0.1.10] pad# ip ro show
    default via 192.168.0.20 dev m0
    10.0.0.0/24 dev m0
    10.0.0.0/24 dev e0  src 10.0.0.20
    127.3.0.0/24 dev e0.1  src 127.3.0.254
    192.168.0.0/24 dev m0  src 192.168.0.20
    
    [0.1.10] pad# iptables -L -vn
    Chain INPUT (policy ACCEPT 1480 packets, 186K bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 914 packets, 158K bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    
    [0.1.10] pad# iptables -t nat -L -vn
    Chain PREROUTING (policy ACCEPT 258 packets, 51912 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       all  --  *      *       0.0.0.0/0            10.0.0.30        to:192.168.0.20
        0     0 DNAT       all  --  *      *       0.0.0.0/0            10.0.0.30        to:192.168.0.20
        0     0 DNAT       all  --  *      *       0.0.0.0/0            10.0.0.30        to:192.168.0.20
    
    Chain INPUT (policy ACCEPT 258 packets, 51912 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 13 packets, 876 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain POSTROUTING (policy ACCEPT 13 packets, 876 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 SNAT       all  --  *      *       10.0.0.0/16          0.0.0.0/0       to:10.0.0.20
        0     0 SNAT       all  --  *      *       10.0.0.0/16          0.0.0.0/0       to:10.0.0.20
    
    • wurtel
      wurtel over 8 years
      It doesn't make sense that the packet should be forwarded towards 10.0.0.30 through an interface that has an IP address of 192.168.0.20 while the other interface is 10.0.0.20. Please edit the question to include the output of the following commands: ip a show; ip ro show; ip rule show; iptables -L -vn; iptables -t nat -L -vn
    • mikec
      mikec over 8 years
      Hi wurtel, OK, I edited the question with the info you requested. I assigned e0 and m0 to have the same subnet as the external server (10.0.0.30), thinking that it might make things easier? The IP of m0 is fixed and I can't change that, but I can change the other IPs. I found a way to send packets from a device on the e0 interface to the external server on the m0 interface by bridging e0 and m0, but I would like to see if it's possible to do this with iptables. Maybe it's not??
    • wurtel
      wurtel over 8 years
      The thing is that as your e0 interface has a 10.0.0.0/24 network, packets from 10.0.0.10 to 10.0.0.30 will not be routed through your system and out of the m0 interface. Your system will at most send 10.0.0.10 an ICMP redirect packet, telling it to directly send the packet towards 10.0.0.30 instead of towards 10.0.0.20. Actually I expect that 10.0.0.10 won't even try to send it through 10.0.0.20. You would need to set a host route on the 10.0.0.10 system for 10.0.0.30 via 10.0.0.20, and on 10.0.0.20 a host route for 10.0.0.30 via device m0; that might work.
    • YoMismo
      YoMismo over 8 years
      Have you enabled forwarding? cat /proc/sys/net/ipv4/ip_forward should return 1.
    • mikec
      mikec over 8 years
      Yes, I have enabled forwarding. So far, nothing has worked, so I think I will do bridging instead. Thank you everyone for your help.
  • Paulo
    Paulo almost 2 years
    I had this same problem; instead of m0 (in the route command) I set e0, and it worked.