fowarding data to nondestination network

mancini · 09-03-2004, 06:22 AM

does anyone have experience with forwarding data from a network segment to another network segment even if the data is not adressed to it ?

namely i have my LAN gateway able to see all the trafic on the MAN/WAN , but i want it to forward that trafic into my LAN so all the stations can see it too

more explicitly , my gateway has masquerading enabled and i am trying to use iptables to achieve my goal but even after trying out quite a number of rules i still can not make it work

maxut · 09-03-2004, 06:31 AM

example:

-i : incoming interface
-p : protocol (tcp/udp)
--dport : destination port
--to 192.168.0.10 : forward to 192.168.0.10

iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.10

it says that if packets come to eth0 and if its protcol is tcp and if destination port is 80, forward it to 192.168.0.10 to port 80

mancini · 09-03-2004, 07:57 AM

ok , great info , i'm playing with it

for now i used

Quote:

iptables -t nat -I PREROUTING -i eth0 -j DNAT --to 192.168.8.1

where :
192.168.8.1 is the ip of eth1 on the gateway box
eth1 is connected to the switch of the lan
eth0 is connected to the WAN

i can see on the gateway that packets are being processed by that rule however i still can not see wan trafic on the lan

mancini · 09-03-2004, 08:09 AM

i have tried using also the ip of a station in my lan instead of the ip of eth1 of the gateway

still nothing

might it be because i am aiming to capture packets that are not destinated to the ip of the gateway , but instead all packets captured by eth0 in proisc mode

maxut · 09-03-2004, 08:34 AM

i didnt try to route all of traffic trou linux. im not sure
"iptables -t nat -I PREROUTING -i eth0 -j DNAT --to 192.168.8.1" rule is a good idea.
if i were u, i would just forward specific ports to local computer, not all of packets.

i am asking to make sure:
ip_forward is 1, right ?
and do u have some iptables rules which can block forwarding (check the forward chain)?
u can see rules by typing
#iptables -nvL
#iptables -nvL -t nat

mancini · 09-03-2004, 08:46 AM

yes i nat is working on my gateway , i am using a clinet on my lan that is forwarded thru it to post this

as for seeing the filter and nat status yes i know , when i said "packets are being processed by that rule" i meant that iptables -nvL -t nat shows a growing number of packets matched for that rule

as for #cat /proc/sys/net/ipv4/ip_forward it is 1 yes

i also have tcp_syncookies and icmp_echo_ignore_broadcasts but i dont think those should cause problems

all the default filters are set to ALLOW too

as for the promiscous issue im quite sure that as long as eth0 in in promisc mode all the packets it sees , even if no destinated to it will be forwarded

now i also tried

Quote:

iptables -t nat -I PREROUTING -i eth0 -j DNAT --to 192.168.8.255

and

Quote:

iptables -t nat -I PREROUTING -i eth0 -j DNAT --to 192.168.8.0

192.168.8.255 being the brodcast address for eth1
but still no cigar

maxut · 09-03-2004, 09:13 AM

Quote:

Originally posted by mancini

i also have tcp_syncookies and icmp_echo_ignore_broadcasts but i dont think those should cause problems

i think so.

mancini · 09-03-2004, 12:19 PM

turns out that

Quote:

iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.168.8.2-192.168.8.5

works (192.168.8.2-192.168.8.5 being the hosts wich i want to see the trafic)

this fixed my dcgui problem nicely with the trafic now being forwarded from my gateway to my expecting dcgui clients

however what this does is forward only the traffic to the MAC of eth0 , not all the trafic captured by eth0 in promisc mode

i submitted this at https://bugzilla.netfilter.org/bugzi...bug.cgi?id=238