3

I want to loopback all received traffic on an interface. This would be equivalent to a line/facility loopback. Following a similar question, I did this:

iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -A FORWARD --in-interface eth0 -j ACCEPT

But nothing is received on the sender. The packet is dropped on the incoming interface. There was no net.ipv4.ip_forward = 1 line in my /etc/sysctl.conf.

Community
  • 1
user2233706
  • 131
  • There used to be an iptables MIRROR target that did what it sounds like you're asking for, but it was removed (for, in general, being a bad idea). Could you clarify why you want to do this? It really sounds like something that you should never actually want to do, and I'm wondering if there isn't a much better way to achieve your goal. – derobert Nov 10 '16 at 17:13
  • We need to do a throughput test on the interface which goes all the way up the stack. We hacked the kernel to add our own receive handler for the interface and called dev_queue_xmit() to send the traffic back on the interface, so we've verified that it does come back, but it'd be better if we didn't have to make changes. – user2233706 Nov 10 '16 at 17:17

1 Answers1

3

Routing

The primary way to decide where the kernel packets is the routing table (ip route and friends), not the firewall rules (iptables, nftables). Once you've enabled IP forwarding with net.ipv4.ip_forward = 1, then the kernel will process incoming packets through the routing table and send them back out. So if you want traffic to 10.0.0.2 to go through eth0, regardless of where it came from:

ip route add 10.0.0.2/32 dev eth0

Now, by default, when the kernel sees traffic coming in on eth0 and going right back out the same, it'll send an ICMP redirect to tell the source machine "hey, this is inefficient! send it directly!" You need to turn this off (net.ipv4.conf.eth0.send_redirects = 0) It also checks the source address to make sure it came from where it expected; you may need to turn this off as well (net.ipv4.conf.eth0.rp_filter = 0).

Since this goes through the kernel routing machinery, required stuff like decreasing the IP TTL will be done. But stuff like the source and destination IP address is not changed.

Routing + NAT

If you additionally need the source or destination IP addresses to be changed, you add NAT on top. For example, if you need the source IP address to be this machine, you could add your:

iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE

Note that unless you've changed the default, FORWARD should already accept. If not, you can add your rule (or alternatively, change the default).

NAT + Routing

You can also change the destination IP address when the packet comes in, which will change how its routed (because this change is done before routing sees it). This looks like:

iptables -t nat -A PREROUTING -s 10.0.0.1 -j DNAT --to-dest 10.0.0.2

Note that you can't use --out-interface here because the out interface isn't known until after routing. You can use --in-interface though.

Existing tools

You should also take a look at iperf3 and the packet generator.

derobert
  • 109,670
  • Is there a way to route without having to filter on the IP address? That is, route a packet regardless of its contents? – user2233706 Nov 10 '16 at 19:49
  • @user2233706 well, you could set the default route out that interface. That would do all IP packets (but not non-IP ones). – derobert Nov 10 '16 at 20:16
  • I tried this ip route add default dev eth0, but I get this RTNETLINK answers: File exists. – user2233706 Nov 10 '16 at 21:22
  • @user2233706 That probably means you already have a default route, you'd have to delete it first (which of course means you'd lose any connectivity you're relying on the existing default route for) – derobert Nov 10 '16 at 21:24