How to define iptables rule to add all transport to a given interface to nfqueue

  • Running on Ubuntu. I have machine 1 <-> machine 2 <-> machine 3. I don't know machine 1's or machine 3's IP; it can be any IP. Machine 1 sends packets to machine 3 and machine 3 sends packets to machine 1.

    Machine 2 is used as a bridge:

    ifconfig eth0 0.0.0.0
    ifconfig eth2 0.0.0.0
    brctl addbr br0
    brctl addif br0 eth0 eth2
    ifconfig br0 up
    

    I want to have an iptables rule on machine 2 that will add all traffic that comes in on eth0 to nfqueue 1 and all traffic that comes in on eth2 to nfqueue 2.

    Now I have the following rule:

    iptables -A FORWARD -p tcp -j NFQUEUE --queue-num 0
    

    which is not good for me, because I want to distinguish between traffic that comes from machine 3 and traffic that comes from machine 1, so I want to have two rules.

    Adding -i eth0 to the rule doesn't help.

Answers (26)

  • Gah! What error does it generate? How can you not think that is important information to convey? – womble May 5 '12 at 6:37

  • Ah, that wasn't clear. – larsks Aug 12 '12 at 13:06

  • No. All traffic is allowed, but I need to distinguish between traffic from machine 1 and from machine 3 – Avihai Marchiano Aug 12 '12 at 12:32

  • iptables -A FORWARD -m physdev --physdev-in eth0 .... works!!!! great!!! – Avihai Marchiano Aug 13 '12 at 7:15

  • Because the incoming interface is considered to be the bridge interface (br0), not the bridge port. – Olipro Aug 12 '12 at 20:18

  • You're missing a line with --set --name SSH2 somewhere before the one that's listed in the error message.

    The --rttl option requires there to be a --set option for the same list. You have one for the SSH list but not for the SSH2 list.

    The error message could be a little clearer about this.

    • Since you're operating a bridge, you need to use -m physdev.

      For usage, run iptables -m physdev -h. If you compile your own kernel, you may need to add this module.
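A worked version of that answer, added here and not code from the question or the thread: a POSIX shell script that picks the right ingress match for each interface (the physdev match for a bridge port, plain -i otherwise) and emits the two NFQUEUE rules the question asks for. It assumes the question's br0/eth0/eth2 layout and reads bridge membership from sysfs; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the question or its answers. Assumes the
# question's layout: bridge br0 with ports eth0 and eth2, built beforehand
# with brctl. Bridged traffic only reaches the FORWARD chain when
# net.bridge.bridge-nf-call-iptables is 1 (br_netfilter loaded).

# Where the kernel exposes bridge membership; overridable for testing.
SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# True when $2 is currently a port of bridge $1: the kernel creates
# /sys/class/net/<bridge>/brif/<port> for every enslaved interface.
is_bridge_port() {
    [ -d "$SYSFS_NET/$1/brif/$2" ]
}

# Print the match that actually sees frames arriving on $2. Once eth0 is
# enslaved to br0, FORWARD reports br0 as the input interface, so "-i eth0"
# never matches; the physdev match tests the bridge port instead.
ingress_match() {
    if is_bridge_port "$1" "$2"; then
        printf '%s' "-m physdev --physdev-in $2"
    else
        printf '%s' "-i $2"
    fi
}

# One rule: TCP entering on port $2 of bridge $1 -> NFQUEUE number $3.
# --queue-bypass lets packets through when nothing is bound to the queue
# (fail-open); drop it if the bridge should block traffic whenever the
# userspace inspector is down (fail-closed).
nfqueue_rule() {
    printf 'iptables -A FORWARD -p tcp %s -j NFQUEUE --queue-num %s --queue-bypass\n' \
        "$(ingress_match "$1" "$2")" "$3"
}

# The pair of rules the question asks for: eth0 -> queue 1, eth2 -> queue 2.
bridge_nfqueue_rules() {
    nfqueue_rule br0 eth0 1
    nfqueue_rule br0 eth2 2
}

# Dry run by default; APPLY=1 executes the printed commands (needs root).
if [ "${APPLY:-0}" = "1" ]; then
    bridge_nfqueue_rules | sh -e
else
    bridge_nfqueue_rules
fi
```

Run it without APPLY first and compare the printed rules against iptables -S FORWARD after applying, so a port that was not yet enslaved (and therefore got -i) is caught before traffic silently skips the queue.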

    • Can you just add a -s specifier? – larsks Aug 12 '12 at 12:20

    • How can you know that? You don't know enough to solve the problem yourself, and yet you're absolutely, 100% certain that the error message could not possibly be of any help to anyone else who might have an interest in helping you solve your problem? – womble May 5 '12 at 7:19

    • But iptables-restore /etc/sysconfig/iptables fails after replacing the anti-bruteforce rules in /etc/sysconfig/iptables with the second fragment of code (see question body). It contains the -A SSH_CHECK -m recent --set --name SSH2 line before -A SSH_CHECK -m recent --update --seconds 86400 --hitcount 100 --rttl --name SSH2 -j SSH_ATTACKED. – technocrat May 5 '12 at 8:13

    • 10x, I will test it tomorrow. Why doesn't -i interfacename work? – Avihai Marchiano Aug 12 '12 at 16:44

      • Yes. You are right. I often overestimate my abilities. I added info about the error messages to the question body. – technocrat May 5 '12 at 7:26

      • It just doesn't say anything that could help. iptables-restore /etc/sysconfig/iptables says "iptables-restore: line ## failed", where ## is the number of the last line in /etc/sysconfig/iptables. iptables -I SSH_CHECK 3 -m recent --update --seconds 86400 --hitcount 100 --rttl --name SSH2 -j SSH_ATTACKED says "iptables: Invalid argument. Run `dmesg' for more information." – technocrat May 5 '12 at 7:17

      • I was only looking at your current /etc/sysconfig/iptables file and the command you ran at the end. I see the --set --name SSH2 in the earlier section now. The command at the bottom has -I SSH_CHECK 3 which may be its problem depending on what rules are already in place. What I would recommend is finding the smallest/simplest set of rules that still cause the error and update your question with that set of rules if still required. – Ladadadada May 5 '12 at 13:27

      • The default maximum for --hitcount is set to 20.

        You can verify this: cat /sys/module/xt_recent/parameters/ip_pkt_list_tot

        You need to reload the module with an extra parameter: modprobe xt_recent ip_pkt_list_tot=500

        List of available parameters: modinfo xt_recent

      • Right, and I'm suggesting that you use the source ip address to distinguish machine 1 from machine 3 (I'm not suggesting blocking traffic). You would need two rules in your FORWARD chain instead of 1... – larsks Aug 12 '12 at 12:54

          • The IP of the machines is not known; it's a group of machines. – Avihai Marchiano Aug 12 '12 at 13:05
