How to define iptables rule to add all transport to a given interface to nfqueue

  • Running on Ubuntu. I have machine 1 <-> machine 2 <-> machine 3. I don't know machine 1's or machine 3's IP; it can be any IP. Machine 1 sends packets to machine 3 and machine 3 sends packets to machine 1.

      Machine 2 is used as a bridge:

      ifconfig eth0 0.0.0.0
      ifconfig eth2 0.0.0.0
      brctl addbr br0
      brctl addif br0 eth0 eth2
      ifconfig br0 up
      

      I want to have an iptables rule on machine 2 that will add all traffic that comes in on eth0 to nfqueue 1 and all traffic that comes in on eth2 to nfqueue 2.

      Now i have the following rule:

      iptables -A FORWARD -p tcp -j NFQUEUE --queue-num 0
      

      which is not good for me because I want to distinguish between traffic that comes from machine 3 and traffic that comes from machine 1, so I want to have 2 rules.

      Adding -i eth0 to the rule doesn't help.

    Answers

    • The IP of the machines is not known; it's a group of machines. – Avihai Marchiano Aug 12 '12 at 13:05

      • I've not seen iptables barf like that before when trying to flush. – Tom O'Connor ♦ Apr 2 '12 at 17:18

        • This is potentially off-topic, but it's what I did after I found this post! For some use cases the iptables -D option might be useful, since it allows you to clear out referring rules added programmatically with -A (if you know precisely how you added them).

          E.g.

              iptables -N MYCHAIN
              iptables -A INPUT -i interface -j MYCHAIN
              iptables -A MYCHAIN -j ACCEPT
          

          can be reversed with

              iptables -D INPUT -i interface -j MYCHAIN
              iptables --flush MYCHAIN
              iptables -X MYCHAIN
          

        • Something along these lines will get all of them in a single line without taking iptables down in any way.

          # Match only the "Chain NAME (...)" header lines, then empty each chain before deleting it
          for chain in $(iptables -L -n | awk '/^Chain i_XXXXX_i/ { print $2 }'); do iptables -F "$chain" && iptables -X "$chain"; done
          
          • You need two steps, but this does it in one command.

              Create a file, and place this in it.

              # Empty the entire filter table
              *filter
              :INPUT ACCEPT [0:0]
              :FORWARD ACCEPT [0:0]
              :OUTPUT ACCEPT [0:0]
              COMMIT
              

              Save the file as "clear-all-rules". Now, do this command:

              iptables-restore < clear-all-rules
              

              Now you can clear it anytime with just one command.

              • Since you're operating a bridge, you need to use -m physdev.

                For usage, run iptables -m physdev -h. If you compile your own kernel, you may need to add this module.

                    • Here's an alternate plan. It involves three commands, not one, but with luck, it should work.

                      Dump your iptables ruleset to a file:

                      iptables-save > /tmp/iptables.txt
                      

                      Remove ALL uses of (and references to) the offending chain:

                      sed -i '/i_XXXXX_i/d' /tmp/iptables.txt
                      

                      Then reload the ruleset:

                      iptables-restore < /tmp/iptables.txt && rm /tmp/iptables.txt
                      
                    • @StevenMonday why not write this as an answer? This is the most useful one (the alternative is to do this via a file and edit the file). The only thing it does not remove is complete tables ("raw" anyway). – nhed Mar 7 at 0:56

                    • Right, and I'm suggesting that you use the source ip address to distinguish machine 1 from machine 3 (I'm not suggesting blocking traffic). You would need two rules in your FORWARD chain instead of 1... – larsks Aug 12 '12 at 12:54

                      • No. All traffic is allowed, but I need to distinguish between traffic from machine 1 to machine 3 – Avihai Marchiano Aug 12 '12 at 12:32

                        • Can you just add a -s specifier? – larsks Aug 12 '12 at 12:20

                        • @timy StevenMonday's comment will single-pass remove any references to the chain. Perhaps not ideal, but darned close. – Jeff Ferland Apr 3 '12 at 13:20

                          • Try this: iptables-save | grep -v i_XXXXX_i | iptables-restore – Steven Monday Apr 2 '12 at 19:01

                                    • I just want to find a way to delete the chain (it has many '-j CHAINTODELETE' referring rules) directly, but from your answer, it seems impossible :( – timy Apr 3 '12 at 10:11

                                    • Ah, that wasn't clear. – larsks Aug 12 '12 at 13:06

                                        • 10x, I will test it tomorrow. Why doesn't -i interfacename work? – Avihai Marchiano Aug 12 '12 at 16:44

                                                • You can't delete chains when rules with '-j CHAINTODELETE' are referencing them. Figure out what is referencing your chain (the link), and remove that. Also, flush then kill.

                                                  -F, --flush [chain]

                                                  Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

                                                  -X, --delete-chain [chain]

                                                  Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.

                                                  • Because the incoming interface is considered to be the bridge interface (br0), not the bridge port. – Olipro Aug 12 '12 at 20:18

                                                  • iptables -A FORWARD -m physdev --physdev-in eth0 .... works!!!! great!!! – Avihai Marchiano Aug 13 '12 at 7:15

                                                      • 2 many is many :) If I try to delete the rules first, it will be like typing many times: iptables -D OUTPUT -d XXX/32 -j i_XXXXX_i – timy Apr 2 '12 at 17:23

                                                      • Just curious... how many rules is "many" ? – Ladadadada Apr 2 '12 at 17:21
