How to define iptables rule to add all transport to a given interface to nfqueue

  • Running on Ubuntu. I have machine 1 <-> machine 2 <-> machine 3. I don't know machine 1's or machine 3's IP; it can be any IP. Machine 1 sends packets to machine 3 and machine 3 sends packets to machine 1.

    Machine 2 is used as a bridge:

      ifconfig eth0 0.0.0.0
      ifconfig eth2 0.0.0.0
      brctl addbr br0
      brctl addif br0 eth0 eth2
      ifconfig br0 up
      

    I want to have an iptables rule on machine 2 that will send all traffic that comes in on eth0 to nfqueue 1 and all traffic that comes in on eth2 to nfqueue 2.

    Now I have the following rule:

      iptables -A FORWARD -p tcp -j NFQUEUE --queue-num 0

    which is not good for me because I want to distinguish traffic that comes from machine 3 from traffic that comes from machine 1, so I want to have two rules.

    Adding -i eth0 to the rule doesn't help.

        Answers (29)

          • Right, and I'm suggesting that you use the source ip address to distinguish machine 1 from machine 3 (I'm not suggesting blocking traffic). You would need two rules in your FORWARD chain instead of 1... – larsks Aug 12 '12 at 12:54

            • You're missing a line with --set --name SSH2 somewhere before the one that's listed in the error message.

              The --rttl option requires there to be a --set option for the same list. You have one for the SSH list but not for the SSH2 list.

              The error message could be a little clearer about this.

            • since you're operating a bridge, you need to use -m physdev

              for usage, run iptables -m physdev -h - if you compile your own kernel, you may need to add this module.
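              A fuller version of that answer, as an added example that is not part of the original thread: a small sh script that builds the two FORWARD rules with -m physdev --physdev-in, one queue per bridge port. The bridge layout (br0 over eth0 and eth2), the queue numbers 1 and 2, and the NFQ_APPLY switch are assumptions of this example. By default it only prints the rules; run it as root with NFQ_APPLY=1 to install them.

```shell
#!/bin/sh
# Added example, not from the original post. Queue bridged traffic to two
# NFQUEUE numbers according to the bridge port it arrived on.
# Assumptions: br0 bridges eth0 and eth2; a userspace program will bind to
# queues 1 and 2. Set NFQ_APPLY=1 and run as root to actually install the
# rules; otherwise the commands are only printed (dry run).

BRIDGE_PORT_A="${BRIDGE_PORT_A:-eth0}"
BRIDGE_PORT_B="${BRIDGE_PORT_B:-eth2}"

# Build one FORWARD rule. -m physdev --physdev-in matches the bridge port the
# frame entered on; -i would only ever see br0. --queue-bypass lets packets
# through (instead of dropping them) while no userspace listener is bound to
# the queue, so a crashed inspection daemon does not cut the link.
nfqueue_rule() {
    # $1 = bridge port, $2 = queue number
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -j NFQUEUE --queue-num %s --queue-bypass' "$1" "$2"
}

# Bridged frames only traverse the iptables FORWARD chain when
# bridge-nf-call-iptables is 1 (provided by the br_netfilter module on newer
# kernels). Returns non-zero if the sysctl is absent or disabled.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print (dry run) or apply both rules, one line per rule.
install_rules() {
    rules="$(nfqueue_rule "$BRIDGE_PORT_A" 1)
$(nfqueue_rule "$BRIDGE_PORT_B" 2)"
    if [ "${NFQ_APPLY:-0}" = "1" ]; then
        bridge_nf_enabled || echo "warning: bridge-nf-call-iptables is not 1; bridged traffic will not reach FORWARD" >&2
        printf '%s\n' "$rules" | while IFS= read -r r; do $r; done
    else
        printf '%s\n' "$rules"
    fi
}

install_rules
```

              Queue 1 then carries frames that entered on eth0 and queue 2 those that entered on eth2, so the userspace listener can tell the two directions apart without knowing either machine's address. Leave --queue-bypass out only if you want the bridge to fail closed when the listener is not running.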

            • I was only looking at your current /etc/sysconfig/iptables file and the command you ran at the end. I see the --set --name SSH2 in the earlier section now. The command at the bottom has -I SSH_CHECK 3 which may be its problem depending on what rules are already in place. What I would recommend is finding the smallest/simplest set of rules that still cause the error and update your question with that set of rules if still required. – Ladadadada May 5 '12 at 13:27

              • Yes. You are right. I often overestimate my abilities. I added info about error messages to the question body. – technocrat May 5 '12 at 7:26

              • Ah, that wasn't clear. – larsks Aug 12 '12 at 13:06

              • No. All traffic is allowed, but I need to distinguish between traffic from machine 1 and machine 3. – Avihai Marchiano Aug 12 '12 at 12:32

              • Can you just add a -s specifier? – larsks Aug 12 '12 at 12:20

              • Default max number of --hitcount is set to 20

                You can verify this: cat /sys/module/xt_recent/parameters/ip_pkt_list_tot

                You need to reload module with extra parameters: modprobe xt_recent ip_pkt_list_tot=500

                List of available parameters: modinfo xt_recent

              • Many protocols do not have ports (gre, icmp, etc). – Zoredache Aug 8 '12 at 22:43

              • The IP of the machines is not known; it's a group of machines. – Avihai Marchiano Aug 12 '12 at 13:05

                • 10x, I will test it tomorrow. Why doesn't -i interfacename work? – Avihai Marchiano Aug 12 '12 at 16:44

                • How can you know that? You don't know enough to solve the problem yourself, and yet you're absolutely, 100% certain that the error message could not possibly be of any help to anyone else who might have an interest in helping you solve your problem? – womble May 5 '12 at 7:19

                • Gah! What error does it generate? How can you not think that is important information to convey? – womble May 5 '12 at 6:37

                • You can't use --sport or --dport with -p 0 (or -p all) because the IP transport layer can have protocols that aren't tied to ports. You can do this with protocols like udp/tcp/sctp/etc.

                • because the incoming interface is considered to be the bridge interface ( br0 ), not the bridge port. – Olipro Aug 12 '12 at 20:18

                    • iptables -A FORWARD -m physdev --physdev-in eth0 .... work!!!! great!!! – Avihai Marchiano Aug 13 '12 at 7:15

                    • Yes. I notice when you use -p tcp --dports and save the firewall state, the save file also has -m tcp on each line, which implies to me that you can't do it for multiple protocols. I don't know for certain though. – Sirex Aug 8 '12 at 22:45

                    • But iptables-restore /etc/sysconfig/iptables fails after replacing the anti-bruteforce rules in /etc/sysconfig/iptables with the second fragment of code (see question body). It contains the -A SSH_CHECK -m recent --set --name SSH2 line before -A SSH_CHECK -m recent --update --seconds 86400 --hitcount 100 --rttl --name SSH2 -j SSH_ATTACKED. – technocrat May 5 '12 at 8:13

                    • It just doesn't say anything that could help. iptables-restore /etc/sysconfig/iptables says "iptables-restore: line ## failed" where ## is number of last line in /etc/sysconfig/iptables iptables -I SSH_CHECK 3 -m recent --update --seconds 86400 --hitcount 100 --rttl --name SSH2 -j SSH_ATTACKED says iptables: Invalid argument. Run `dmesg' for more information. – technocrat May 5 '12 at 7:17
