How to forward traffic from tunnel interface to eth0


Firstly, your FORWARD chain is causing problems. The third rule in it is blocking all FORWARDed traffic that doesn't satisfy the first couple of rules, and judging by the packet counts on the first three rules, the first two aren't matching anything, which means rule 3 is stopping everything.

You have written rules that would permit the traffic you want, but since they come after rule 3, the traffic is never getting to them (first dispositive match wins). When you clear all the rules from your FORWARD chain, and let the ACCEPT policy have effect, traffic flows.

Secondly, you're using a highly restrictive tcpdump incantation to look at the traffic. Specifically, you're looking for traffic with source addresses in 10.10.1.0/24 after FORWARDing - but your nat rules are MASQUERADing this traffic, so tcpdump isn't catching it. When you open up your tcpdump invocation, you see the now-FORWARDed traffic.

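The ordering problem the answer describes (a broad terminating rule placed above the rules that were meant to permit the traffic) can be checked mechanically rather than by eyeballing packet counts. The script below is an added example, not part of the original answer or question: it parses `iptables -L -vn` output, reports every rule that an earlier terminating rule makes unreachable, and flags exact duplicates. SAMPLE is an abridged copy of the FORWARD and nat POSTROUTING chains posted in the question. The column layout and chain headers are the standard iptables listing format; treating "reject-with ..." and "to:..." as target options rather than matches, and the conservative handling of negated ("!") and extended matches (an earlier rule with a "state ..." match is only assumed to cover a later rule with the identical match), are assumptions of this example.

```python
"""Audit an `iptables -L -vn` listing for rules that can never fire: iptables
walks a chain top to bottom, and the first matching rule whose target ends
traversal (ACCEPT/DROP/REJECT/RETURN, or a NAT target in the nat table) decides
the verdict, so a broad terminating rule shadows every narrower rule below it."""
import ipaddress
import re
from dataclasses import dataclass

TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN", "MASQUERADE", "SNAT", "DNAT"}
# Assumption: trailing text of these shapes is a target option, not a packet
# match, so it does not narrow which packets the rule applies to.
TARGET_OPTS = re.compile(r"^(reject-with \S+|to:\S+|redir ports \S+)\s*")

# Constructed sample: abridged FORWARD and nat POSTROUTING chains from the question.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       10.30.0.0/24         0.0.0.0/0
  168 10829 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    10.30.0.0/24         0.0.0.0/0
 138K 9623K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

@dataclass(frozen=True)
class Rule:
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    match: str  # extended match text such as "state RELATED,ESTABLISHED"; "" if none

def parse_listing(text):
    """Return {chain_name: [Rule, ...]} from `iptables -L -vn` output (without --line-numbers)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) ", line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
        extra = TARGET_OPTS.sub("", f[9]).strip() if len(f) > 9 else ""
        current.append(Rule(f[2], f[3], f[5], f[6], f[7], f[8], extra))
    return chains

def _iface_covers(a, b):
    if a.startswith("!") or b.startswith("!"):
        return a == b  # negated interface match: only an identical one is comparable
    return a == "*" or a == b or (a.endswith("+") and b.startswith(a[:-1]))

def _net_covers(a, b):
    if a.startswith("!") or b.startswith("!"):
        return a == b
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    return na.version == nb.version and na.supernet_of(nb)

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a (conservative)."""
    return (
        (a.proto == "all" or a.proto == b.proto)
        and _iface_covers(a.in_if, b.in_if)
        and _iface_covers(a.out_if, b.out_if)
        and _net_covers(a.src, b.src)
        and _net_covers(a.dst, b.dst)
        and (a.match == "" or a.match == b.match)
    )

def audit(text):
    """Per chain: 0-based (rule, earlier rule) pairs for shadowed and for duplicate rules."""
    report = {}
    for chain, rules in parse_listing(text).items():
        shadowed, dups = [], []
        for i, r in enumerate(rules):
            by = next((j for j in range(i)
                       if rules[j].target in TERMINATING and covers(rules[j], r)), None)
            if by is not None:
                shadowed.append((i, by))
            of = next((j for j in range(i) if rules[j] == r), None)
            if of is not None:
                dups.append((i, of))
        report[chain] = {"shadowed": shadowed, "duplicates": dups}
    return report

if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()  # e.g. iptables -L -vn | python3 audit.py
    for chain, found in audit(text).items():
        print(chain, "shadowed:", found["shadowed"], "duplicates:", found["duplicates"])
```

On the sample this reports every rule after the REJECT in FORWARD as shadowed by it, which is exactly why flushing the chain made traffic flow, and it also shows that the catch-all MASQUERADE in POSTROUTING makes the later, interface-restricted MASQUERADE rules dead code. The check is deliberately conservative: it never claims a rule is shadowed unless the earlier rule's match set provably contains it, so a clean report is not a proof that the chain is correct, only that nothing is obviously unreachable.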


Author: David W.

Updated on September 18, 2022

Comments

  • David W. (over 1 year ago)

    Network topology:

    
      Internet
         |
         |
      (eth0) IP: 202.xxx.xxx.xxx/255.255.255.0 
    A: Remote_Server(Debian) 
      (tun0) IP: 10.10.1.1/255.255.255.0
         |
         |
      (utun0) IP: 10.10.1.2/255.255.255.0
    B:  iOS_Device ( iOS 9 )
    
    
    Device A: 
    a TCP server listening on 7777 for the client (iOS device) to connect.
    
    Device B:
    an iOS device with Wi-Fi, connected to the Internet.
    

    Workflow:

    1. server listening on "0.0.0.0:7777"
    2. client connects to "202.xxx.xxx.xxx:7777" (with username etc.)
    3. server checks the client's username for client auth
    4. server sends tunnel config info to the client (e.g. 10.10.1.2/24, DNS: 8.8.8.8)
    5. client establishes a new tunnel connection to the server
    6. client sends network packets (DNS queries, HTTPS requests, ...) to the server via the tunnel (and waits for the server's responses)

    Server-side logs (after the client connected via the tunnel):

    $ sudo ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.10.1.1  P-t-P:10.10.1.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    -----------------------------------------------------------
    tun0      Link encap:UNSPEC  HWaddr ...
          ...
          RX packets:12 errors:0 dropped:12 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          ...
          RX bytes:742 (742.0 B)  TX bytes:0 (0.0 B)
    -----------------------------------------------------------
    tun0      Link encap:UNSPEC  HWaddr ...
          ...
          RX packets:25 errors:0 dropped:25 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          ...
          RX bytes:1548 (1.5 KiB)  TX bytes:0 (0.0 B)
    -----------------------------------------------------------
    

    RX bytes: 0 -> 742 -> 1548 bytes

    Now, the problem is:
    On the server side, how do I forward the traffic from tun0 to eth0?
    Can somebody help, please?


    I have tried the commands below, but they don't seem to work.

    $ sudo sysctl net.ipv4.ip_forward
        net.ipv4.ip_forward = 1
    
    $ sudo iptables -L -n -v
     Chain INPUT (policy ACCEPT 13472 packets, 4929K bytes)
     pkts bytes target     prot opt in     out     source               destination         
      207 13105 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  *      *       10.30.0.0/24         0.0.0.0/0           
      288 18484 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 13436 packets, 5315K bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    $
    $ sudo iptables -A FORWARD --in-interface tun0 -j ACCEPT
    $ sudo iptables --table nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
    $
    

    More logs (server side):

    $ ip a show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: dummy0@NONE: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default 
        link/ether 8a:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether f2:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
        inet 202.xxx.xxx.xxx/24 brd 202.a.b.c scope global eth0
           valid_lft forever preferred_lft forever
        inet6 xxxx:xxxx::xxxx:xxxx:xxxx:xxxx/64 scope global 
           valid_lft forever preferred_lft forever
        inet6 aaaa::bbbb:cccc:dddd:eeee/64 scope link 
           valid_lft forever preferred_lft forever
    4: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
        link/void 
    5: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default 
        link/ipip 0.0.0.0 brd 0.0.0.0
    6: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default 
        link/gre 0.0.0.0 brd 0.0.0.0
    7: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
        link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    8: ip_vti0@NONE: <NOARP> mtu 1428 qdisc noop state DOWN group default 
        link/ipip 0.0.0.0 brd 0.0.0.0
    9: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default 
        link/tunnel6 :: brd ::
    10: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default 
        link/sit 0.0.0.0 brd 0.0.0.0
    11: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default 
        link/tunnel6 :: brd ::
    12: ip6gre0@NONE: <NOARP> mtu 1448 qdisc noop state DOWN group default 
        link/gre6 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    175: tun0@NONE: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
        link/none 
        inet 10.10.1.1/24 scope global tun0
           valid_lft forever preferred_lft forever
    

    $ ip ro show
    default via 202.xxx.xxx.1 dev eth0 
    10.10.1.0/24 dev tun0  proto kernel  scope link  src 10.10.1.1 
    202.xxx.xxx.0/24 dev eth0  proto kernel  scope link  src 202.xxx.xxx.xxx     
    

    $ ip rule show
    0:  from all lookup local 
    32766:  from all lookup main 
    32767:  from all lookup default
    

    $ sudo iptables -L -vn
    Chain INPUT (policy ACCEPT 1291 packets, 198K bytes)
     pkts bytes target     prot opt in     out     source               destination         
       87  5541 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  *      *       10.30.0.0/24         0.0.0.0/0           
      168 10829 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 1230 packets, 300K bytes)
     pkts bytes target     prot opt in     out     source               destination         
    

    $ sudo iptables -L -vn
    Chain INPUT (policy ACCEPT 1312 packets, 201K bytes)
     pkts bytes target     prot opt in     out     source               destination         
       87  5541 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  *      *       10.30.0.0/24         0.0.0.0/0           
      169 10900 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 1258 packets, 311K bytes)
     pkts bytes target     prot opt in     out     source               destination 
    

    $ sudo iptables -t nat -L -vn
    Chain PREROUTING (policy ACCEPT 111 packets, 6908 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain INPUT (policy ACCEPT 68 packets, 4153 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 38 packets, 3678 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 MASQUERADE  all  --  *      eth0    10.30.0.0/24         0.0.0.0/0           
     138K 9623K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
        0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
        0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    

    $ sudo route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         xxxxxx.xxxx     0.0.0.0         UG    0      0        0 eth0
    10.10.1.0       *               255.255.255.0   U     0      0        0 tun0
    202.xxx.xxx.0   *               255.255.255.0   U     0      0        0 eth0
    

    $ cat /proc/sys/net/ipv4/ip_forward
    1
    

    Network packets through the tunnel (tun0, server side):

    No. Time        Source      Destination                     Protocol    Length  Info
    3   4.603031    10.10.1.2   google-public-dns-a.google.com  DNS         59      Standard query 0xc09d A apple.com
    4   4.708703    10.10.1.2   google-public-dns-a.google.com  DNS         67      Standard query 0x6f6d A guzzoni.apple.com
    ...
    21  95.530358   10.10.1.2   10.10.1.1                       DNS         75      Standard query 0x850b A 20-courier.push.apple.com
    22  104.468535  10.10.1.2   10.10.1.1                       DNS         75      Standard query 0x850b A 20-courier.push.apple.com
    

    And Frame No. 3 in detail:

    Frame 3: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface 0
        Interface id: 0 (utun0)
        Encapsulation type: NULL/Loopback (15)
        Arrival Time: Jan  3, 2016 23:40:31.564933000 HKT
        [Time shift for this packet: 0.000000000 seconds]
        Epoch Time: 1451835631.564933000 seconds
        [Time delta from previous captured frame: 0.614315000 seconds]
        [Time delta from previous displayed frame: 0.614315000 seconds]
        [Time since reference or first frame: 4.603031000 seconds]
        Frame Number: 3
        Frame Length: 59 bytes (472 bits)
        Capture Length: 59 bytes (472 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: null:ip:udp:dns]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Null/Loopback
        Family: IP (2)
    Internet Protocol Version 4, Src: 10.10.1.2 (10.10.1.2), Dst: google-public-dns-a.google.com (8.8.8.8)
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
            0000 00.. = Differentiated Services Codepoint: Default (0)
            .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
        Total Length: 55
        Identification: 0x16e2 (5858)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 255
        Protocol: UDP (17)
        Header checksum: 0x89b8 [validation disabled]
            [Good: False]
            [Bad: False]
        Source: 10.10.1.2 (10.10.1.2)
        Destination: google-public-dns-a.google.com (8.8.8.8)
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    User Datagram Protocol, Src Port: 59951 (59951), Dst Port: domain (53)
        Source Port: 59951 (59951)
        Destination Port: domain (53)
        Length: 35
        Checksum: 0xe181 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
        [Stream index: 0]
    Domain Name System (query)
        Transaction ID: 0xc09d
        Flags: 0x0100 Standard query
            0... .... .... .... = Response: Message is a query
            .000 0... .... .... = Opcode: Standard query (0)
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...1 .... .... = Recursion desired: Do query recursively
            .... .... .0.. .... = Z: reserved (0)
            .... .... ...0 .... = Non-authenticated data: Unacceptable
        Questions: 1
        Answer RRs: 0
        Authority RRs: 0
        Additional RRs: 0
        Queries
            apple.com: type A, class IN
                Name: apple.com
                [Name Length: 9]
                [Label Count: 2]
                Type: A (Host Address) (1)
                Class: IN (0x0001)
    

    2016-01-04 edit 1:
    After executing the command "iptables -F FORWARD":

    $ sudo ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
        inet addr:10.10.1.1  P-t-P:10.10.1.1  Mask:255.255.255.0
        UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
        RX packets:250 errors:0 dropped:250 overruns:0 frame:0
        TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:500 
        RX bytes:15845 (15.4 KiB)  TX bytes:0 (0.0 B)
    

    RX packets:250 errors:0 dropped:250


    $ sudo iptables -L -vn
    Chain INPUT (policy ACCEPT 207 packets, 22574 bytes)
     pkts bytes target     prot opt in     out     source               destination         
      258 16411 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy ACCEPT 8 packets, 1632 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        8   578 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    

    $ sudo iptables -L -vn -t nat
    Chain PREROUTING (policy ACCEPT 18 packets, 1056 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain INPUT (policy ACCEPT 16 packets, 914 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 2 packets, 128 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 MASQUERADE  all  --  *      eth0    10.30.0.0/24         0.0.0.0/0           
     138K 9687K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
        0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
        0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
        0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0     
    

    2016-01-04 edit 2:
    Client test steps that I did:

    1. client (iOS device) connects to the server.
    2. run tcpdump on the server side.
    3. client opens the URL "https://www.apple.com" in Safari.
    4. check the tcpdump logs on the server side.
    5. check whether the client receives a response from the server (should be an HTTP 200 response).

    Test result:
    The client did send the HTTP request and got a request timeout (timed out waiting for the response).


    tcpdump logs:

    $ sudo tcpdump -i tun0 -s 0 -B 524288 -w ~/tmp/tun0_traffic.pcap
    tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
    ^C
    98 packets received by filter
    0 packets dropped by kernel
    58 packets dropped by interface
    
    -----------------------------------------------------------
    
    $ tcpdump -s 0 -n -e -x -vvv -r ~/tmp/tun0_traffic.pcap 
    reading from file /home/tube/tmp/tun0_traffic.pcap, link-type RAW (Raw IP)
    01:40:03.445148 ip: (tos 0x0, ttl 255, id 2395, offset 0, flags [none], proto UDP (17), length 76)
        10.10.1.2.65368 > 8.8.8.8.53: [udp sum ok] 52854+ A? p02-keyvalueservice.icloud.com. (48)
        0x0000:  4500 004c ...
    
    01:40:07.461931 ip: (tos 0xc0, ttl 64, id 34376, offset 0, flags [none], proto ICMP (1), length 104)
        10.10.1.1 > 10.10.1.2: ICMP 10.10.1.1 udp port 53 unreachable, length 84
        (tos 0x0, ttl 255, id 36211, offset 0, flags [none], proto UDP (17), length 76)
        10.10.1.2.65368 > 10.10.1.1.53: [udp sum ok] 52854+ A? p02-keyvalueservice.icloud.com. (48)
        0x0000:  45c0 0068 ...
    

    $ sudo tcpdump -i eth0 -s 0 -B 524288 -n src net 10.10.1.0/24 -w ~/tmp/eth0_traffic_from_tun0.pcap
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C
    0 packets captured
    1 packet received by filter
    0 packets dropped by kernel
    
    -----------------------------------------------------------
    
    $ tcpdump -s 0 -n -e -x -vvv -r ~/tmp/eth0_traffic_from_tun0.pcap 
    reading from file /home/tube/tmp/eth0_traffic_from_tun0.pcap, link-type EN10MB (Ethernet)
    $
    

    2016-01-04 edit 3:
    New tcpdump logs (many thanks to @MadHatter):

    sudo tcpdump -i eth0 -s 0 -B 524288 -n -w ~/tmp/eth0_traffic_all.pcap
    
    And reading the ~/tmp/eth0_traffic_all.pcap file:
    No. Time        Source          Destination     Protocol    Length  Info
    51  3.268219    202.xxx.xxx.xxx 8.8.8.8         DNS         69      Standard query 0x4d19 A apple.com
    57  3.270244    8.8.8.8         202.xxx.xxx.xxx DNS         117     Standard query response 0x4d19 A apple.com A ...
    

    Forwarding packets from tun0 to eth0 works well, and eth0 did get a response from 8.8.8.8.

    • Admin (over 8 years ago)
      Hi @MadHatter, may I send you an email?