I'm working on a project to verify the source of each packet if its destination is one of several IPs on the LAN network. I'm interested in the LAN IPs, not the WAN.

I tried to create many matches like the following but nothing worked.

iptables -t nat -d <list of IPs> -A FORWARD -j NFQUEUE --queue-num 1

I have used the following rules to enable routing in my Raspberry Pi:

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t nat -A POSTROUTING -o $eth -j MASQUERADE
sudo iptables -A FORWARD -i $eth -o $wlan -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i $wlan -o $eth -j ACCEPT

The question is where should I put the NFQUEUE rule?

-EDIT-

I have been told to enable proxy_arp, so that any local requests are responded to by the Raspberry Pi router. I believe I have to set up the routing tables inside the Raspberry Pi, don't I?

Any thoughts will be appreciated.


Unfortunately, Proxy ARP was not helpful in reaching my desired control over the ARP packets within the network. Anyway, I have seen a solution (OpenVPN client-to-client) but I have not implemented it yet; I will come back to this question to post whether it worked or not.

  • There is no 'nat' table in the FORWARD chain. Does your command throw an error? What are you trying to achieve, send the packet to a user space program? – Brahim Gaabab May 17 '22 at 22:48
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community May 18 '22 at 14:19
  • Thanks for your replies! I have updated my question. Please inform me if you need more details. – zezo mehdawi May 18 '22 at 21:54
  • @BrahimGaabab Exactly, I'm trying to send the packets that match a specific destination to the userspace. – zezo mehdawi May 18 '22 at 21:55
  • @BrahimGaabab What is the suitable iptables rule I should add to the previous rules? – zezo mehdawi May 19 '22 at 09:49

1 Answer

When using netfilter, you have to understand how a packet flows throughout the kernel, i.e. which chains (similar to a 'road check point') it visits, and which kinds of processing it gets in each chain (referred to with the term table). Processing and chains are shown in this illustration; each box has the chain in its lower part and the processing type in the upper one. (You have to focus on the Network layer.) Depending on the packet path, only a subset of chains are involved: packets flowing through your Raspberry will only go through PREROUTING, FORWARD and POSTROUTING.

Having a FORWARD chain does not imply that it routes packets. You have to enable it using the command sysctl -w net.ipv4.ip_forward=1 (non persistent).

Moreover, as shown in the figure, there is no nat processing in the FORWARD chain, only mangle and filter, so the command

iptables -t nat -d <list of IPs> -A FORWARD -j NFQUEUE --queue-num 1

is incorrect.

Packet processing for each table/chain is actually driven by an ordered list of rules, the table, that you define with the iptables command. Each rule is made up of matching criteria and an action which depends on the table type (nfqueue is only allowed in filter tables, masquerade in nat tables, etc.).

Now, coming to nfqueue. We use such an action when further processing of some packets is to be made outside the kernel, by a program you create yourself (see a Python example here), for instance in intrusion detection systems. Packets are put on a queue (identified with a 16-bit number), processed, then returned to the kernel to resume their flow at the next table/chain. (They can also be dropped in user space.) In a common scenario, you'll typically want to send only accepted packets to userspace (those filtered are ignored at kernel level). You have to be careful about your exact needs, which are not yet clear. I'll try to give an example to explain how it works using your scenario:

sudo iptables -F                    # flush the filter table
sudo iptables -t nat -F             # flush the nat table
sudo iptables -t nat -A POSTROUTING -o $eth -j MASQUERADE     # source NAT for traffic leaving via $eth
# filter/FORWARD is where NFQUEUE belongs: queue return traffic of existing connections ...
sudo iptables -A FORWARD -i $eth -o $wlan -m state --state RELATED,ESTABLISHED -j NFQUEUE --queue-num 1
# ... and all new traffic from $wlan towards $eth, on the same queue number
sudo iptables -A FORWARD -i $wlan -o $eth -j NFQUEUE --queue-num 1

This means that packets flowing between $eth and $wlan will be put on the same queue. You have to make sure that some program is handling queue no. 1 and ready to process packets.
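As an added example (not part of the answer above, and not the author's own program), here is the user-space side of the flow the answer describes: a handler bound to queue 1 that parses each IPv4 packet the kernel hands over, checks whether the destination is one of the watched LAN hosts, verifies that the source IP arrives from the MAC address it is expected to have, and returns an accept or drop verdict. The watched host, the IP-to-MAC bindings and the packet bytes are constructed sample data; the "drop anything unknown towards a watched host" policy is an assumption chosen for illustration; and the binding uses the NetfilterQueue Python library's API as I know it (NetfilterQueue().bind(), run(), Packet.get_payload(), get_hw(), accept(), drop()), imported only if present so the verdict logic can be exercised without root or the library.

```python
"""NFQUEUE verdict logic for a LAN-side IDS (added example; sample data is constructed)."""
import ipaddress
import struct
from typing import Optional, Tuple

# Constructed configuration (assumptions, not from the question):
# LAN hosts whose incoming traffic we police, e.g. the laptop serving the test web page.
WATCHED_LAN_HOSTS = {ipaddress.ip_address("192.168.1.10")}
# Source IP -> MAC address the IDS expects that IP to come from.
KNOWN_BINDINGS = {ipaddress.ip_address("192.168.1.20"): "aa:bb:cc:dd:ee:01"}


def parse_ipv4(payload: bytes) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, int]:
    """Return (src, dst, protocol) from a raw IPv4 packet.

    NFQUEUE delivers the packet starting at the IP header (no Ethernet header),
    so offsets are those of RFC 791. Anything malformed raises ValueError.
    """
    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = payload[0] >> 4, (payload[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(payload) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    src = ipaddress.IPv4Address(payload[12:16])
    dst = ipaddress.IPv4Address(payload[16:20])
    return src, dst, payload[9]


def mac_from_hw(hw: bytes) -> str:
    """Format the hardware address NFQUEUE reports (first 6 bytes are the MAC)."""
    return ":".join(f"{b:02x}" for b in hw[:6])


def verdict(payload: bytes, src_mac: Optional[str]) -> str:
    """Decide 'accept' or 'drop' for one queued packet.

    Policy (assumed for the example): traffic to a watched LAN host is accepted only
    when the source IP is known and arrives from the MAC bound to it; everything
    else destined to a watched host is dropped. Traffic to other destinations passes.
    """
    try:
        src, dst, _proto = parse_ipv4(payload)
    except ValueError:
        return "drop"  # an IDS should not pass what it cannot parse
    if dst not in WATCHED_LAN_HOSTS:
        return "accept"  # not one of the IPs we police
    expected_mac = KNOWN_BINDINGS.get(src)
    if expected_mac is None:
        return "drop"  # unknown source talking to a watched host
    if src_mac is None or src_mac.lower() != expected_mac:
        return "drop"  # IP/MAC mismatch: likely spoofed source
    return "accept"


def make_ipv4(src: str, dst: str, proto: int = 6, data: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (constructed test input; checksum left zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + data


def main() -> None:
    """Bind to queue 1 (the number used in the iptables rules) and apply verdict()."""
    from netfilterqueue import NetfilterQueue  # requires the library and root

    def handle(pkt):
        hw = pkt.get_hw()  # None on chains where the sender MAC is unknown
        decision = verdict(pkt.get_payload(), mac_from_hw(hw) if hw else None)
        print(decision, flush=True)  # replace with the IDS's own logging
        pkt.accept() if decision == "accept" else pkt.drop()

    nfq = NetfilterQueue()
    nfq.bind(1, handle)
    try:
        nfq.run()
    finally:
        nfq.unbind()


if __name__ == "__main__":
    main()
```

One caveat worth checking before relying on this: while no program is bound to the queue, the kernel drops every packet that an NFQUEUE rule matches unless the rule was added with --queue-bypass, so the handler should be started before the rules are loaded (or the rules given --queue-bypass while testing).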

  • Thanks for the wonderful explanation, it really cleared up my mind. But the thing is your suggested rules match only the traffic that goes to the internet. As I'm building an IDS, I'm looking to match the internal traffic only. I'm testing if it does work by hosting a web page from my laptop and then trying to reach it from my phone. In this scenario, NFQUEUE should detect that request! – zezo mehdawi May 19 '22 at 11:58
  • Here is my own log file after applying your suggested rules. That may clarify the results. Connection IP: 157.240.196.60 Connection MAC: e8:cd:2d:a9:01:f7 Connection IP: 20.93.28.56 Connection MAC: e8:cd:2d:a9:01:f7 Connection IP: 172.64.154.162 Connection MAC: e8:cd:2d:a9:01:f7 – zezo mehdawi May 19 '22 at 11:59
  • Do not expect me to figure out your scenario and which traffic is to be queued :-) So, laptop and phone are on the wlan side within the same IP subnet? If this is the case, you probably need to rely on the wlan interface driver to capture and queue packets to user space, because netfilter does not allow the `NFQUEUE` target for Ethernet frames. Do you want to make a forwarding decision there, or is this just to copy frames? – Brahim Gaabab May 19 '22 at 14:14
  • Yes exactly, but the purpose is not to copy; it is to accept or drop the packet. Do not worry about my userspace program, it works perfectly. I just need to add the iptables rule to queue for it. I can set up a Zoom session for you to show the details if you wish. – zezo mehdawi May 19 '22 at 15:55
  • One way is to force packets to go through the router IP driver by making your router advertise the wlan interface's MAC in the LAN. I'll let you know if available tonight or tomorrow morning. – Brahim Gaabab May 19 '22 at 15:55
  • Alright! Thanks for your kindness – zezo mehdawi May 19 '22 at 15:57
  • Hello sir, hope you contact me soon so I can meet my project deadline :( – zezo mehdawi May 20 '22 at 10:32
  • @zezomehdawi, I am available now. In order to force packets through the router, you have to advertise its MAC within your WLAN. You can do it by enabling ARP proxying on router. – Brahim Gaabab May 20 '22 at 13:32
  • Actually, I have never installed an ARP proxy. You can instruct me here or we can continue on this Zoom session. It is your choice. https://iauvle.zoom.us/j/7036217353 – zezo mehdawi May 20 '22 at 13:47
  • It is not working for some reason (do you have a corporate Zoom account?). You can set up a different service. – Brahim Gaabab May 20 '22 at 14:05
  • I have another one, just give me a sec. – zezo mehdawi May 20 '22 at 14:16
  • This is my personal account: https://us04web.zoom.us/j/7559513161?pwd=bW9JVWJhdG95Mkd4RTFZM2hPQitEUT09 – zezo mehdawi May 20 '22 at 14:19