I'm trying to capture and manipulate incoming IP packets (via eth0 interface) by using a TUN device (since I'm only concerned with IP layer). The first step I think is 1:1 packet forwarding from eth0 to tun0, but I can't get this to work via iptables and/or routing tables. What am I doing wrong? Is there a simple way to do this? I enabled IPv4 forwarding in Fedora and added all the correct iptables rules, but it doesn't seem to work, no matter what I try. Is there an easier way to go about this? Normally I could just use libpcap, but I need to be able to drop packets and other options I haven't seen in libpcap. Any advice would be greatly appreciated.
Viewed 2,175 times

1 Answer
I think the simplest way is to bridge the two interfaces. This way you don't need to mess with iproute/iptables rules.

Daniele Santi

- This is what I initially tried (and many, many different variations), but it wasn't passing all packets between interfaces like I had hoped. – Matt May 02 '11 at 15:20
- @Matt Is there a specific reason you can't capture directly on `eth0`? Also, are the packets **transiting** through `eth0` towards another interface or are they **terminating** on `eth0`? – Daniele Santi May 02 '11 at 15:26
- There will be a userspace program attached to the virtual interface, which is where the TUN device comes in. So ideally, packets come in via eth0, they are sent to the kernel and then sent to the program attached to the TUN interface, where they can be manipulated/dropped, etc. as needed. So they are passing through eth0, not terminating there. The capture is not the end of the process, but instead the beginning of it. – Matt May 02 '11 at 15:39
- @Matt so you need a way to "*redirect*" packets from `eth0` to your `tun` interface? – Daniele Santi May 02 '11 at 15:51
- Yes, basically that is the first step. – Matt May 02 '11 at 15:53
- @Matt So, could the iptables **REDIRECT** target (see here: http://straylink.wordpress.com/2006/08/16/using-iptables-to-redirect-packets/) be an option? – Daniele Santi May 02 '11 at 15:56
- I tried that already, couldn't get it working as I wanted. I'll keep looking into iptables solutions. – Matt May 02 '11 at 16:09