How to forward traffic from tunnel interface to eth0
Firstly, your FORWARD
chain is causing problems. The third rule in it is blocking all FORWARDed traffic that doesn't satisfy the first couple of rules, and judging by the packet counts on the first three rules, the first two aren't matching anything, which means rule 3 is stopping everything.
You have written rules that would permit the traffic you want, but since they come after rule 3, the traffic is never getting to them (first dispositive match wins). When you clear all the rules from your FORWARD
chain, and let the ACCEPT
policy have effect, traffic flows.
Secondly, you're using a highly restrictive tcpdump
incantation to look at the traffic. Specifically, you're looking for traffic with source addresses in 10.10.1.0/24
after FORWARDing - but your nat rules are MASQUERADing this traffic, so tcpdump
isn't catching it. When you open up your tcpdump
invocation, you see the now-FORWARDed traffic.
Related videos on Youtube
David W.
Updated on September 18, 2022Comments
-
David W. over 1 year
Network topology:
Internet | | (eth0) IP: 202.xxx.xxx.xxx/255.255.255.0 A: Remote_Server(Debian) (tun0) IP: 10.10.1.1/255.255.255.0 | | (utun0) IP: 10.10.1.2/255.255.255.0 B: iOS_Device ( iOS 9 ) Device A: a TCP server, listening on 7777 for client(iOS device) connect. Device B: an iOS device with WIFI conected to Internet.
Workflow:
- server listening on "0.0.0.0:7777"
- client connect to "202.xxx.xxx.xxx:7777" (with username etc)
- server check client's username for client auth
- server send a tunnel config info to client(eg: 10.10.1.2/24, dns: 8.8.8.8)
- client place a new tunnel connect to server
- client send network packets(DNS query, HTTPS request, ...) to server via tunnel(and waiting for server's responses)
Server side logs(after client did connected via tunnel):
$ sudo ifconfig tun0 tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.10.1.1 P-t-P:10.10.1.1 Mask:255.255.255.0 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) ----------------------------------------------------------- tun0 Link encap:UNSPEC HWaddr ... ... RX packets:12 errors:0 dropped:12 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 ... RX bytes:742 (742.0 B) TX bytes:0 (0.0 B) ----------------------------------------------------------- tun0 Link encap:UNSPEC HWaddr ... ... RX packets:25 errors:0 dropped:25 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 ... RX bytes:1548 (1.5 KiB) TX bytes:0 (0.0 B) -----------------------------------------------------------
RX bytes: 0 -> 742 -> 1548 bytes
Now, the problem is:
On the server side, how to forward the traffic from tun0 to eth0?
Can somebody help, pls
Have tried commands below, but seems not working.
$sudo sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1 $sudo iptables -L -n -v Chain INPUT (policy ACCEPT 13472 packets, 4929K bytes) pkts bytes target prot opt in out source destination 207 13105 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- * * 10.30.0.0/24 0.0.0.0/0 288 18484 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 13436 packets, 5315K bytes) pkts bytes target prot opt in out source destination $ $sudo iptables -A FORWARD --in-interface tun0 -j ACCEPT $sudo iptables --table nat -A POSTROUTING --out-interface eth0 -j MASQUERADE $
More logs(the server side):
$ ip a show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: dummy0@NONE: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default link/ether 8a:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff 3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether f2:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff inet 202.xxx.xxx.xxx/24 brd 202.a.b.c scope global eth0 valid_lft forever preferred_lft forever inet6 xxxx:xxxx::xxxx:xxxx:xxxx:xxxx/64 scope global valid_lft forever preferred_lft forever inet6 aaaa::bbbb:cccc:dddd:eeee/64 scope link valid_lft forever preferred_lft forever 4: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100 link/void 5: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default link/ipip 0.0.0.0 brd 0.0.0.0 6: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default link/gre 0.0.0.0 brd 0.0.0.0 7: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff 8: ip_vti0@NONE: <NOARP> mtu 1428 qdisc noop state DOWN group default link/ipip 0.0.0.0 brd 0.0.0.0 9: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default link/tunnel6 :: brd :: 10: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default link/sit 0.0.0.0 brd 0.0.0.0 11: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default link/tunnel6 :: brd :: 12: ip6gre0@NONE: <NOARP> mtu 1448 qdisc noop state DOWN group default link/gre6 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 175: tun0@NONE: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500 link/none inet 10.10.1.1/24 scope global tun0 valid_lft forever preferred_lft forever
$ ip ro show default via 202.xxx.xxx.1 dev eth0 10.10.1.0/24 dev tun0 proto kernel scope link src 10.10.1.1 202.xxx.xxx.0/24 dev eth0 proto kernel scope link src 202.xxx.xxx.xxx
$ ip rule show 0: from all lookup local 32766: from all lookup main 32767: from all lookup default
$ sudo iptables -L -vn Chain INPUT (policy ACCEPT 1291 packets, 198K bytes) pkts bytes target prot opt in out source destination 87 5541 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- * * 10.30.0.0/24 0.0.0.0/0 168 10829 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 1230 packets, 300K bytes) pkts bytes target prot opt in out source destination
$ sudo iptables -L -vn Chain INPUT (policy ACCEPT 1312 packets, 201K bytes) pkts bytes target prot opt in out source destination 87 5541 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- * * 10.30.0.0/24 0.0.0.0/0 169 10900 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 1258 packets, 311K bytes) pkts bytes target prot opt in out source destination
$ sudo iptables -t nat -L -vn Chain PREROUTING (policy ACCEPT 111 packets, 6908 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 68 packets, 4153 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 38 packets, 3678 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * eth0 10.30.0.0/24 0.0.0.0/0 138K 9623K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
$ sudo route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default xxxxxx.xxxx 0.0.0.0 UG 0 0 0 eth0 10.10.1.0 * 255.255.255.0 U 0 0 0 tun0 202.xxx.xxx.0 * 255.255.255.0 U 0 0 0 eth0
$ cat /proc/sys/net/ipv4/ip_forward 1
Network packets through tunnel(tun0, server side):
No. Time Source Destination Protocol Length Info 3 4.603031 10.10.1.2 google-public-dns-a.google.com DNS 59 Standard query 0xc09d A apple.com 4 4.708703 10.10.1.2 google-public-dns-a.google.com DNS 67 Standard query 0x6f6d A guzzoni.apple.com ... 21 95.530358 10.10.1.2 10.10.1.1 DNS 75 Standard query 0x850b A 20-courier.push.apple.com 22 104.468535 10.10.1.2 10.10.1.1 DNS 75 Standard query 0x850b A 20-courier.push.apple.com
And Frame No.3 in details:
Frame 3: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface 0 Interface id: 0 (utun0) Encapsulation type: NULL/Loopback (15) Arrival Time: Jan 3, 2016 23:40:31.564933000 HKT [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1451835631.564933000 seconds [Time delta from previous captured frame: 0.614315000 seconds] [Time delta from previous displayed frame: 0.614315000 seconds] [Time since reference or first frame: 4.603031000 seconds] Frame Number: 3 Frame Length: 59 bytes (472 bits) Capture Length: 59 bytes (472 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: null:ip:udp:dns] [Coloring Rule Name: UDP] [Coloring Rule String: udp] Null/Loopback Family: IP (2) Internet Protocol Version 4, Src: 10.10.1.2 (10.10.1.2), Dst: google-public-dns-a.google.com (8.8.8.8) 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 55 Identification: 0x16e2 (5858) Flags: 0x00 0... .... = Reserved bit: Not set .0.. .... = Don't fragment: Not set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 255 Protocol: UDP (17) Header checksum: 0x89b8 [validation disabled] [Good: False] [Bad: False] Source: 10.10.1.2 (10.10.1.2) Destination: google-public-dns-a.google.com (8.8.8.8) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] User Datagram Protocol, Src Port: 59951 (59951), Dst Port: domain (53) Source Port: 59951 (59951) Destination Port: domain (53) Length: 35 Checksum: 0xe181 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [Stream index: 0] Domain Name System (query) Transaction ID: 0xc09d Flags: 0x0100 Standard query 0... .... .... .... = Response: Message is a query .000 0... .... .... = Opcode: Standard query (0) .... ..0. .... .... = Truncated: Message is not truncated .... ...1 .... .... = Recursion desired: Do query recursively .... .... .0.. .... = Z: reserved (0) .... .... ...0 .... = Non-authenticated data: Unacceptable Questions: 1 Answer RRs: 0 Authority RRs: 0 Additional RRs: 0 Queries apple.com: type A, class IN Name: apple.com [Name Length: 9] [Label Count: 2] Type: A (Host Address) (1) Class: IN (0x0001)
2016-01-04 edited 1:
After executed command "iptables -F FORWARD":$ sudo ifconfig tun0 tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.10.1.1 P-t-P:10.10.1.1 Mask:255.255.255.0 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:250 errors:0 dropped:250 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:15845 (15.4 KiB) TX bytes:0 (0.0 B)
RX packets:250 errors:0 dropped:250
$ sudo iptables -L -vn Chain INPUT (policy ACCEPT 207 packets, 22574 bytes) pkts bytes target prot opt in out source destination 258 16411 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 8 packets, 1632 bytes) pkts bytes target prot opt in out source destination 8 578 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
$ sudo iptables -L -vn -t nat Chain PREROUTING (policy ACCEPT 18 packets, 1056 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 16 packets, 914 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2 packets, 128 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * eth0 10.30.0.0/24 0.0.0.0/0 138K 9687K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
2016-01-04 edited 2:
client test steps that i did:- client(iOS device) connecting to server.
- run tcpdump on server side.
- client open an URL: "https://www.apple.com" with Safari.
- check the tcpdump logs on server side
- check whether client recv a response content from server (should be a HTTP 200 response)
test result:
client did send HTTP request and got request timeout(waiting for response timeout).tcpdump logs:
$ sudo tcpdump -i tun0 -s 0 -B 524288 -w ~/tmp/tun0_traffic.pcap tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes ^C 98 packets received by filter 0 packets dropped by kernel 58 packets dropped by interface ----------------------------------------------------------- $ tcpdump -s 0 -n -e -x -vvv -r ~/tmp/tun0_traffic.pcap reading from file /home/tube/tmp/tun0_traffic.pcap, link-type RAW (Raw IP) 01:40:03.445148 ip: (tos 0x0, ttl 255, id 2395, offset 0, flags [none], proto UDP (17), length 76) 10.10.1.2.65368 > 8.8.8.8.53: [udp sum ok] 52854+ A? p02-keyvalueservice.icloud.com. (48) 0x0000: 4500 004c ... 01:40:07.461931 ip: (tos 0xc0, ttl 64, id 34376, offset 0, flags [none], proto ICMP (1), length 104) 10.10.1.1 > 10.10.1.2: ICMP 10.10.1.1 udp port 53 unreachable, length 84 (tos 0x0, ttl 255, id 36211, offset 0, flags [none], proto UDP (17), length 76) 10.10.1.2.65368 > 10.10.1.1.53: [udp sum ok] 52854+ A? p02-keyvalueservice.icloud.com. (48) 0x0000: 45c0 0068 ...
$ sudo tcpdump -i eth0 -s 0 -B 524288 -n src net 10.10.1.0/24 -w ~/tmp/eth0_traffic_from_tun0.pcap tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes ^C 0 packets captured 1 packet received by filter 0 packets dropped by kernel ----------------------------------------------------------- $ tcpdump -s 0 -n -e -x -vvv -r ~/tmp/eth0_traffic_from_tun0.pcap reading from file /home/tube/tmp/eth0_traffic_from_tun0.pcap, link-type EN10MB (Ethernet) $
2016-01-04 edited 3:
New tcpdump logs: ( So many thanks to @MadHatter . )sudo tcpdump -i eth0 -s 0 -B 524288 -n -w ~/tmp/eth0_traffic_all.pcap And read the ~/tmp/eth0_traffic_all.pcap file: No. Time Source Destination Protocol Length Info 51 3.268219 202.xxx.xxx.xxx 8.8.8.8 DNS 69 Standard query 0x4d19 A apple.com 57 3.270244 8.8.8.8 202.xxx.xxx.xxx DNS 117 Standard query response 0x4d19 A apple.com A ...
The Packets from tun0 forwarding (to eth0) works well! And eth0 did got a response from 8.8.8.8
-
Admin over 8 yearsHi @MadHatter , may I send you an email?