LinuxQuestions.org

About Packet Flow (https://www.linuxquestions.org/questions/linux-networking-3/about-packet-flow-375169/)

qs_tahmeed 10-20-2005 03:19 PM

About Packet Flow
 
Hi!

I have 2 interfaces in my Linux box, eth0 & eth1.

Normally when I ping any of the interfaces there, I don't see any packets
flowing to eth0 or eth1.

I found this using iptraf. So at this stage, all the packets are flowing
through the lo interface.

Now my eth0 is connected to another PC's eth0, and eth1 is connected
to eth1 on the same 2nd PC. The diagram is:

PC1 (eth0) --------------- (eth0) PC2
PC1 (eth1) --------------- (eth1) PC2

I want to block any traffic flowing through eth0 to eth1 of PC1 unless and
until they go through PC2. I mean a packet generated from (eth0)
PC1 will be travelling to (eth0) PC2 and then be forwarded through
(eth1) PC2 to (eth1) PC1.
Like:

eth0 (PC1) ---> eth0 (PC2) ----> eth1 (PC2) ----> eth1 (PC1)

and vice-versa.

Can this be done?
Any kind of information is highly appreciated. I need this for a testing
purpose.

Thanks in advance.

Agrouf 10-20-2005 04:09 PM

on PC2 :
#iptables -A INPUT -i eth0 -j DNAT --to-destination <your ip address on PC1/eth1>
#iptables -A INPUT -i eth1 -j DNAT --to-destination <your ip address on PC1/eth0>

on PC1 :
#iptables -A INPUT -i eth0 -j DNAT --to-destination <your ip address on PC2/eth1>
#iptables -A INPUT -i eth1 -j DNAT --to-destination <your ip address on PC2/eth0>

WARNING:
you will flood your network by sending any packet via eth0/eth1 (until TTL expires, and even then the ICMPs will flood your network back).
Because it will go from PC1/eth0 to PC2/eth0 to PC2/eth1 to PC1/eth1 to PC1/eth0 to PC2/eth0... until iptables crashes or drops the packets because DNAT table is full.

qs_tahmeed 10-20-2005 04:53 PM

Hi!

Thanks for the Help.

It would be some time after I will be on with my test. But thanks really about the flooding.
I didn't think about that.

A few more things: what if I just want the traffic only in one direction, like eth0 (PC#1) to
eth1 (PC#1) via PC#2, and not in the other way?

Would the DNAT for the INPUT chain only be on eth0 of PC#2?

Also shouldn't there be any DNAT for the OUTPUT chain on PC#1?

Thanks.

Agrouf 10-20-2005 05:50 PM

Actually my code doesn't work.
You should DNAT on the PREROUTING chain of the nat table (DNAT is only available there and on the OUTPUT chain).
The right code should look like this:

on PC2 :
#iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination <your ip address on PC1/eth1>

sorry about that.

Or maybe the ROUTE target may suit your needs better, but the ip address won't be translated (test):
#iptables -A INPUT -i eth0 -j ROUTE --oif eth1
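
To see why the first rule set loops and the one-direction variant from the follow-up question does not, here is a small added model of the two-host, two-link setup (example code, not from the thread or from anyone posting in it). Hosts, addresses and the per-hop TTL decrement are constructed; every rule is taken as a `-t nat PREROUTING` DNAT keyed on ingress interface, and replies are not modelled.

```python
# Constructed model of PC1/PC2 wired eth0<->eth0 and eth1<->eth1 (added example).
DEFAULT_TTL = 64

# (host, interface) -> constructed placeholder address
ADDR = {
    ("PC1", "eth0"): "10.0.0.1", ("PC2", "eth0"): "10.0.0.2",
    ("PC1", "eth1"): "10.0.1.1", ("PC2", "eth1"): "10.0.1.2",
}
OWNER = {addr: hi for hi, addr in ADDR.items()}  # address -> (host, iface)


def peer(host, iface):
    """The far end of the cable plugged into (host, iface)."""
    return ("PC2" if host == "PC1" else "PC1", iface)


def trace(dnat_rules, src_host="PC1", src_iface="eth0", ttl=DEFAULT_TTL):
    """Follow one packet sent from src_host/src_iface to its directly connected
    peer.  dnat_rules maps (host, ingress_iface) -> rewritten destination, i.e.
    one PREROUTING '-i <iface> -j DNAT --to-destination' rule per entry.
    Returns (outcome, host, iface, hops)."""
    host, iface = src_host, src_iface
    dst = ADDR[peer(host, iface)]
    hops = 0
    while True:
        host, iface = peer(host, iface)           # packet arrives on the peer
        hops += 1
        dst = dnat_rules.get((host, iface), dst)  # PREROUTING DNAT, if any
        owner_host, owner_iface = OWNER[dst]
        if owner_host == host:                    # local delivery (INPUT)
            return ("delivered", host, owner_iface, hops)
        ttl -= 1                                  # forwarded: TTL decremented
        if ttl == 0:
            return ("ttl_expired", host, iface, hops)
        iface = owner_iface                       # egress on the matching link


# Both hosts rewrite on both ingress interfaces, as in the first reply.
LOOPING_RULES = {
    ("PC2", "eth0"): ADDR[("PC1", "eth1")], ("PC2", "eth1"): ADDR[("PC1", "eth0")],
    ("PC1", "eth0"): ADDR[("PC2", "eth1")], ("PC1", "eth1"): ADDR[("PC2", "eth0")],
}
# One-direction variant: only PC2 rewrites what arrives on its eth0.
ONE_WAY_RULES = {("PC2", "eth0"): ADDR[("PC1", "eth1")]}

if __name__ == "__main__":
    print(trace(LOOPING_RULES))   # ('ttl_expired', 'PC1', 'eth1', 64)
    print(trace(ONE_WAY_RULES))   # ('delivered', 'PC1', 'eth1', 2)
```

With the looping rules the packet bounces PC2/eth0 -> PC1/eth1 -> PC2/eth0 ... and only dies when the TTL reaches zero; with DNAT on PC2's eth0 alone it is delivered to PC1's eth1 after two hops.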
