Iptables FORWARD chain traffic not seen by tcpdump


To listen specifically to the forwarded traffic, it is better to create an nflog rule/interface.

Taking traffic dumps on Linux

So you will create an nflog interface:

sudo iptables -t filter -I FORWARD -j NFLOG --nflog-group 6

and then listen to it:

sudo tcpdump -s 0 -n -i nflog:6

The solution to the problem is to use the nflog interface in the iptables framework, to get exactly the packets we are interested in.

nflog rules log to a kernel internal multicast group, which is identified by an integer in the 0 - 2^16-1 range. Only the part of the datagram that the framework sees will be captured. For iptables that is an IPv4 packet.

Using nflog to dump packets forces you to use a special interface syntax for tcpdump and wireshark. You must use nflog:groupnumber as the interface.

Because nflog rules are normal iptables rules, the rules need a proper match and target part so you get exactly the traffic you want. You also must put the rule into the correct place for it to get the packets you're interested in.
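The following script is an added example, not part of the answer above, that puts the answer's advice into a reusable form: it validates the nflog group number against the 0 - 2^16-1 range the answer mentions, builds a FORWARD-chain NFLOG rule scoped to one ingress and one egress interface (so only the traffic you want is logged), inserts it at the top of the chain, captures on nflog:<group>, and deletes the rule again when tcpdump exits. The interface names en2/en3 and group 6 come from this thread; the function names (valid_nflog_group, nflog_forward_rule, capture_forwarded) are this example's own. It also checks net.ipv4.ip_forward, since the question's setup depends on forwarding being enabled.

```shell
#!/bin/sh
# Added example (not the answer's own code). Assumes a Linux host with
# iptables and NFLOG support; capture_forwarded needs root via sudo.

# Validate an nflog group number: an integer in 0..65535.
valid_nflog_group() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# Build the chain/match/target arguments for a FORWARD-chain NFLOG rule
# restricted to one ingress and one egress interface. Printed on stdout so
# the same arguments serve both -I (insert) and -D (delete).
nflog_forward_rule() {
    in_if=$1; out_if=$2; group=$3
    valid_nflog_group "$group" || { echo "bad nflog group: $group" >&2; return 1; }
    printf 'FORWARD -i %s -o %s -j NFLOG --nflog-group %s\n' "$in_if" "$out_if" "$group"
}

# Insert the rule at the top of FORWARD (so it fires before any ACCEPT/DROP
# rule already in the chain), capture on nflog:<group>, and remove the rule
# when tcpdump ends or the script is interrupted.
capture_forwarded() {
    in_if=$1; out_if=$2; group=$3
    rule=$(nflog_forward_rule "$in_if" "$out_if" "$group") || return 1

    # The FORWARD chain only sees routed packets, so warn if forwarding is off.
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != 1 ]; then
        echo "warning: net.ipv4.ip_forward is not 1; nothing will be forwarded" >&2
    fi

    # shellcheck disable=SC2086  # word-splitting of $rule is intended here
    sudo iptables -t filter -I $rule || return 1
    trap 'sudo iptables -t filter -D $rule' EXIT INT TERM
    sudo tcpdump -s 0 -n -i "nflog:$group"
}

# Usage (run as a user with sudo rights on the forwarding host):
#   capture_forwarded en2 en3 6
```

Because the rule is inserted with -I rather than appended, it logs the packet before the existing FORWARD rules get a chance to drop it; if you want to see only what the chain actually accepts, append with -A instead and place the NFLOG rule after your ACCEPT rule.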

Author by

Matan Levy

Updated on September 18, 2022

Comments

  • Matan Levy
    Matan Levy over 1 year

    I have a bare metal running Ubuntu server 16.04 with KVM and 3 NICs that are connected by bridges br1, br2 and br3 to a guest VM also running Ubuntu server 16.04.

    The first NIC - br1 - is connected to the internet and its router address is defined as the default gateway for the guest.

    I have code running on my guest that needs to listen to the packets received by br2 and br3; the code should listen to 1 NIC only.

    I tried forwarding the traffic from en2 (the name of the guest NIC that is bridged via br2) to en3 (the same with br3) by following this:

    sudo nano /etc/sysctl.conf
    uncomment net.ipv4.ip_forward = 1
    
    sudo sysctl -p
    sudo iptables -t nat -A POSTROUTING --out-interface en3 -j MASQUERADE  
    sudo iptables -A FORWARD --in-interface en2 --out-interface en3 -j ACCEPT
    

    Yet there is nothing recorded when using sudo tcpdump -i en3 and sending a ping message to NIC2 (while if I run sudo tcpdump -i en2 I can see the ping messages).

    What am I missing here? Is there a better way for me to get my desired result (that my code will listen to 1 NIC and get both NICs' traffic)?

  • Matan Levy
    Matan Levy over 7 years
    Hi, seems like I am still missing something. I tried running those 2 commands and could not get ping packets when listening as you wrote; I tried adding '--in-interface en2' to the first command and still can't see the ping packets.
  • Rui F Ribeiro
    Rui F Ribeiro over 7 years
    @MatanLevy It might be a better way, out of home, will get back to you tomorrow