6

I have a bare metal running Ubuntu server 16.04 with KVM and 3 NIC's that are connected by bridges br1, br2 and br3 to a guest VM running also Ubuntu server 16.04.

The first NIC - br1 - is connected to the internet and it's router address is defined as the default gateway for the guest.

I have a code running on my guest that needs to listen to the packets received by br2 and br3, the code should listen to 1 NIC only,

I tried forwarding the traffic from en2 (the name of the guest NIC that is bridged via br2) to en3 (the same with br3) by following this:

sudo nano /etc/sysctl.conf
uncomment net.ipv4.ip_forward = 1

sudo sysctl -p
sudo iptables -t nat -A POSTROUTING --out-interface en3 -j MASQUERADE  
sudo iptables -A FORWARD --in-interface en2 --out-interfac en3 -j ACCEPT

Yet there is nothing recorded when using sudo tpcdump -i en3 and send a ping message to NIC2 (while if I run sudo tpcdump -i en2 i can see the ping messages)

What am I missing here? Is there a better way for me to get my desired result (that my code will listen to 1 NIC and get both NIC's trafic) ?

Rui F Ribeiro
  • 56,709
  • 26
  • 150
  • 232
Matan Levy
  • 61

1 Answers1

5

To listen specifically to the forwarded traffic, it is better to create a nflog rule/interface.

Taking traffic dumps on Linux

So you will create a nflog interface:

sudo iptables -t filter -I FORWARD -j NFLOG --nflog-group 6

and then listen to it:

sudo tcpdump -s 0 -n -i nflog:6

The solution to the problem, is to use the nflog interface in the iptables framework, to get exactly the packets we are interested in.

nflog rules log to a kernel internal multicast group, which is identified by an integer in the 0 - 2^16-1 range. Only the part of the datagram that the framework sees will be captured. For iptables that is an IPv4 packet.

Using nflog to dump packets forces you to use a special interface syntax for tcpdump and wireshark. You must use nflog:groupnumber as interface.

Because nflog rules are normal iptables rules, the rules need a proper match and target part so you get exactly the traffic you want. You also must put the rule into the correct place for it to get the packets you're interested in.

Rui F Ribeiro
  • 56,709
  • 26
  • 150
  • 232
  • hi, seems like i am still missing something, i tried running those 2 commands and could not get ping packets when listening as you wrote, i tried adding to the first command '--in-interface en2' and still cant get see the ping packates – Matan Levy Oct 02 '16 at 06:16
  • @MatanLevy It might be a better way, out of home, will get back to you tomorrow – Rui F Ribeiro Oct 02 '16 at 06:39
  • 1
    tomorrow never dies.. :) I also have this issue and get error: tcpdump: NFLOG link-layer type filtering not implemented – Mladen B. Mar 06 '23 at 17:40
  • @MladenB. The answer is from 2016, iptables is now a shim for a new implementation. – Rui F Ribeiro Mar 10 '23 at 12:47