LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 07-11-2018, 03:19 PM   #1
kawan
LQ Newbie
 
Registered: Jul 2018
Posts: 4

ip packets are not forwarded from tun0 to interface eth0


I have a customized TLS-like server running on the Linux server (Ubuntu 12.04.5). The TLS server creates a tun0 interface when it runs.
There is also a VPN server running on the server.
This Linux server has two physical interfaces, eth0 and eth1. eth1 connects to the public network. eth0 connects to the private network.
See the list below (IP addresses are modified for explanation purposes).


client(VPN and TLS): private ip is : 172.10.40.4
server: eth1(10.337.405.344)
eth0(172.10.1.71)
tun0(no ip address)
node in private network: 172.10.1.2

ifconfig shows tun0 interface on the server as below.
tun0
Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:961 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:79648 (79.6 KB) TX bytes:0 (0.0 B)


A VPN connection is established between client and server.
Traffic arriving at the eth1 interface is encrypted with IPsec.
After IPsec decryption, the IP packet A (dest port is the TLS server listening port) is sent to the TLS server.
The TLS server will extract the payload data (which is an IP packet B) from the IP packet A and write it to the tun0 interface.
It is expected that IP packet B is forwarded to eth0. (This is an experiment use case.)
I see tun0 has sent out the IP packet B, but the eth0 interface does not receive the packet.

I used the commands below to change the IP forwarding table to route all the traffic received from tun0 to eth0.
$sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
$sudo iptables -I FORWARD 1 --in-interface tun0 -o eth0 -j ACCEPT
$sudo iptables -I FORWARD 2 --in-interface eth0 -o tun0 -j ACCEPT


$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 288 packets, 34092 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 tun0 0.0.0.0/0 0.0.0.0/0
2 144 ACCEPT all -- eth1 * 172.10.40.4 0.0.0.0/0 policy match dir in pol ipsec reqid 403 proto 50
1 132 ACCEPT all -- * eth1 0.0.0.0/0 172.10.40.4 policy match dir out pol ipsec reqid 403 proto 50
0 0 ACCEPT all -- tun0 eth0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 228 packets, 255K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- *

$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.337.405.454 0.0.0.0 UG 100 0 0 eth1
10.337.404.0 0.0.0.0 255.255.254.0 U 0 0 0 eth1
172.10.0.0 0.0.0.0 255.255.128.0 U 0 0 0 eth0
172.10.1.2 0.0.0.0 255.255.255.255 UH 0 0 0 eth0

I send ping traffic (destination 172.10.1.2) from the client side; the TLS server receives the ping data and writes it to the tun0 interface.
But eth0 does not receive the traffic. I did not see the dropped packet count increase on the tun0 interface or the eth0 interface.

$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
16:50:41.293522 IP 172.10.40.4 > 172.10.1.2: ICMP echo request, id 4, seq 118, length 64
16:50:42.273676 IP 172.10.40.4 > 172.10.1.2: ICMP echo request, id 4, seq 119, length 64
16:50:43.273741 IP 172.10.40.4 > 172.10.1.2: ICMP echo request, id 4, seq 120, length 64
16:50:44.275108 IP 172.10.40.4 > 172.10.1.2: ICMP echo request, id 4, seq 121, length 64
16:50:45.277230 IP 172.10.40.4 > 172.10.1.2: ICMP echo request, id 4, seq 122, length 64

I also notice that the FORWARD entry order changes after a while: issuing $sudo iptables -L -n -v shows
the VPN-related entries become the first two entries again.
2 144 ACCEPT all -- eth1 * 172.10.40.4 0.0.0.0/0 policy match dir in pol ipsec reqid 403 proto 50
1 132 ACCEPT all -- * eth1 0.0.0.0/0 172.10.40.4 policy match dir out pol ipsec reqid 403 proto 50

Any suggestion is appreciated.
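An offline way to reason about the forwarding decision for the packet tcpdump showed on tun0, as an added example (not code from the original post): the script below parses the `route -n` table from the post, performs the same longest-prefix lookup the kernel does for the destination, and then applies the two kernel gates that sit in front of the iptables FORWARD chain: net.ipv4.ip_forward (asked about in the reply below) and reverse-path filtering (net.ipv4.conf.<if>.rp_filter), which in strict mode drops any packet arriving on an interface other than the one the kernel would use to reach the packet's source. That check happens during the route lookup, before FORWARD is consulted, so such a drop leaves the FORWARD ACCEPT counters at zero and does not increment the interface's dropped counter; tcpdump on tun0 still sees the packet because the capture tap sits before IP processing. Assumptions: the routing table is reconstructed from the post, the default gateway is a placeholder because the obfuscated 10.337.x.x values are not valid IPv4 addresses (the 10.337.404.0 row is omitted for the same reason), and the rp_filter value on this box is unknown, so the script evaluates both settings.

```python
"""Offline forwarding check for a packet injected through a tun device.

Added example, not part of the original post. It models the kernel's
forwarding decision for the packet tcpdump showed on tun0:
  172.10.40.4 -> 172.10.1.2, arriving on tun0
using the routing table from the post and the two sysctls that gate
forwarding: net.ipv4.ip_forward and net.ipv4.conf.<if>.rp_filter.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Routing table reconstructed from the post's `route -n` output.
# CONSTRUCTED: the default gateway is a placeholder (the post's obfuscated
# 10.337.x.x values are not valid IPv4 addresses) and the 10.337.404.0
# subnet row is dropped for the same reason.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         198.51.100.1    0.0.0.0         UG    100    0        0 eth1
172.10.0.0      0.0.0.0         255.255.128.0   U     0      0        0 eth0
172.10.1.2      0.0.0.0         255.255.255.255 UH    0      0        0 eth0
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]
    iface: str
    metric: int


def parse_route_n(text: str) -> List[Route]:
    """Parse `route -n` output into Route entries, skipping the header lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # "Kernel IP routing table" / column header
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts[:8]
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    ip = ipaddress.IPv4Address(addr)
    matches = [r for r in routes if ip in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def forward_verdict(routes: List[Route], ingress: str, src: str, dst: str,
                    ip_forward: int = 1, rp_filter: int = 1) -> Tuple[bool, str]:
    """Decide whether the kernel would forward src->dst arriving on `ingress`.

    rp_filter follows the sysctl values: 0 off, 1 strict, 2 loose. The kernel
    uses max(conf.all.rp_filter, conf.<ingress>.rp_filter); pass that value.
    The reverse-path check runs as part of the route lookup, i.e. before the
    iptables FORWARD chain, so a packet dropped here never reaches those rules.
    """
    if not ip_forward:
        return False, "net.ipv4.ip_forward=0: kernel does not forward at all"
    out = lookup(routes, dst)
    if out is None:
        return False, f"no route to {dst}"
    back = lookup(routes, src)  # interface the kernel would use to reply to src
    if rp_filter == 1 and (back is None or back.iface != ingress):
        via = back.iface if back else "nowhere"
        return False, (f"rp_filter strict drop: reverse path to {src} is via "
                       f"{via}, but the packet arrived on {ingress}")
    if rp_filter == 2 and back is None:
        return False, f"rp_filter loose drop: {src} is unreachable"
    return True, f"forwarded to {out.iface}"


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    for rp in (1, 0):
        ok, why = forward_verdict(table, "tun0", "172.10.40.4", "172.10.1.2", rp_filter=rp)
        print(f"rp_filter={rp}: {'FORWARD' if ok else 'DROP'} ({why})")
```

With the post's table, the reverse path for the source 172.10.40.4 falls inside 172.10.0.0/17 and therefore points at eth0, not tun0, so the packet is only forwarded when rp_filter is off (or loose) on tun0. On the live box the corresponding checks are `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.tun0.rp_filter`, `ip route get 172.10.40.4` (which reports the interface the kernel would use for that source) and the `TcpExtIPReversePathFilter` counter from `nstat -az`, which increments on exactly this kind of silent drop. If that counter is climbing, either give tun0 a route covering the client's source prefix so the reverse path lands on tun0, or relax rp_filter on tun0 only; the `rp_filter=2` (loose) value exists for asymmetric paths like this one, and keeping strict mode on the public-facing eth1 is the safer default.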
 
Old 07-13-2018, 10:24 AM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,125

What do you get from:

Code:
cat /proc/sys/net/ipv4/ip_forward
 
Old 07-17-2018, 05:23 PM   #3
kawan
LQ Newbie
 
Registered: Jul 2018
Posts: 4

Original Poster
Sorry for the late reply, I was on a trip. It is enabled.

~$ cat /proc/sys/net/ipv4/ip_forward
1