I have a machine that is like a firewall, I use iptables to route traffic through it, to the router. For ex

Host1 -> Middleman -> gateway -> Internet

Internet -> gateway -> middleman -> Host1

I have this working using these rules:

On the middleman machine when I analyse the traffic using Wireshark, I can only see the outbound traffic, I don't see any traffic from gateway->host only host-gateway

The traffic must be passing through both ways because the host has Internet access.

How can I modify the iptables rules to see the traffic both ways?

Two thoughts. Try using iftop, see what that reports.
I use firestarter for exactly the same kind of setup and see everything. It also adds so many more routing options without having to think about it.

Thanks, I have installed firestarter, but I don't see any option to route traffic, how have you done it?

I think we would need more information to really be able to dig into this. To route traffic you really just need to set up the something like echo "1" > /proc/sys/net/ipv4/ip_forward. But, we need a clearer picture of your network like what is the gateways IP and a diagram of the network as far as connections. Is the host using the middleman as it's gateway? Is the Gateway on the same 192.168.0.x subnet?

At a quick glance it looks like you are attempting to do routing with DNAT and SNAT which shouldn't be necessary (depending on some of the missing info) and could be the cause of your issues with following traffic in wireshark.

I do use ipforward this way, the command I use before the iptables rules is:

echo "1" > /proc/sys/net/ipv4/ip_forward

About the network: Everything is on the same subnet (192.168.0.x) gateway is 192.168.0.1, there is just one host besides the middle man, and yes the middleman uses the normal gateway directly. The host however, sees the middleman as its gateway (not 192.168.0.1).

Perfect. In that case I don't believe that you need to do the Natting as they are all on the same subnet anyway. Just make sure that iptables is set up to allow outgoing traffic coming from the 192.168.0.x subnet. In my own set up I use separate chains for traffic from the firewall itself and from traffic it is forwarding from the internal network.

Thanks for the replies. Do you have an idea of what the rule syntax will be for this? Is it PRE/POSTROUTING, INPUT, OUTPUT or FORWARD?

You should be able to remove the PREROUTING and POSTROUTING all together. On my firewalls I use a separate chain for network traffic vs traffic originating or terminating at the firewall. The concept that needs to be understood is that routing is a separate thing from firewalling. Meaning that if you have forwarding set to 1 in ip_forward your middleman box will route the traffic even with the firewall turned off. IPTables doesn't do the routing for you.

Here is an example


$IPT -A FORWARD -i ethx -j OUT_NETWORK

$IPT -N OUT_NETWORK
$IPT -A OUT_NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUT_NETWORK -m state --state NEW -p tcp --dport 80 -j ACCEPT # http

Without using the separate chains you would use OUTPUT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT # http

Thanks javaroast, will those commands only route port 80? I was hoping to be able to route any port without having to specify the ones I needed.

That will only allow port 80 through the firewall. To allow all traffic you'd need something like

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT or


Or alternatively if the gateway is already doing firewalling and there is no public (Internet IP's) on the the middleman you could turn off the firewall on the middleman entirely.

Ok, I have no firewall turned on and I have turned on ip_forward. I have not used any iptables rules. The host has full internet access through the middleman, but I have the same problem which is I can see outbound traffic, but I can't see inbound. When inbounc traffic occurs, Wireshark shows a 'ICMP REDIRECT' and does not let me see the contents.

After reading up a bit on ICMP Redirects, it looks like this is a message to the host telling it there is a more direct route to the real gateway. But this doesn't make sense because if that were true then I would not see the outgoing traffic.

Are the gateway middleman and host all connected to a router by chance? If that is the case you would see exactly what you are describing. Seeing as they are all on the same subnet they can route directly.

Thanks for your help on this!

The gateway is the router. It's a Netgear DG834GT ADSL router. The host and middleman are connected to the router. The middleman sees the router as its gateway and the host sees the middleman as its gateway.

In that case what you are seeing is exactly how routing works. The gateway takes the most direct path to the host which in this case is directly connected to the router