Forward broadcast to fixed IP using IPTables

Question

I need to forward (route) broadcast packets from several wireless clients to a single server in the fixed network. The wireless and fixed network are not bridged for security reasons.

With the following lines the packets show up in the INPUT chain log

iptables -I INPUT -i $IF_WIFI -p udp --dport 6000 -j LOG --log-prefix "I " 
iptables -I FORWARD -i $IF_WIFI -p udp --dport 6000 -j LOG --log-prefix "F "

Now I add the following rule

iptables -t nat -A PREROUTING -p udp -d 255.255.255.255 --dport 6000 -j DNAT --to 10.0.0.10:6000

Now the packets won't show up either in the INPUT or the FORWARD log and do not get routed to the fixed network. I would expect to see the packet in the FORWARD log

The PREROUTING rule gets hit according to

iptables -t nat -v --list

Chain PREROUTING (policy ACCEPT 466 packets, 28575 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  404 25819 DNAT       udp  --  any    any     anywhere             255.255.255.255     udp dpt:6000 to:10.0.0.10:6000 

(update) IP forwarding is enabled

# cat /proc/sys/net/ipv4/ip_forward 
1

Have I overlooked something?

Answer 1

The simpler solution is to configure a bridge, but use ebtables instead of iptables to enforce the "only broadcast packets may traverse the bridge" rule. You'd want to set the FORWARD policy to DROP and then use a rule like:

ebtables -A FORWARD -s FF:FF:FF:FF:FF:FF -j DROP

This would have the same effect, but should work around the difficulties you're seeing.

(I'm not actually convinced that allowing broadcast only is much more secure than allowing everything to pass, regardless of how you implement it)