
I created a tap device using the following commands:

sudo ip tuntap add mode tap tap7
sudo ip link set tap7 up
sudo ip addr add 77.0.0.1/24 dev tap7

Now, I am using C++ socket programming to write packets to tap7, and I am able to capture them with Wireshark when it listens on the tap7 interface.
What I need is to create a rule so that any packet written to tap7 is redirected to the IP 127.0.0.1.

I tried the following commands:

sudo iptables -A PREROUTING -t nat -i tap7 -j DNAT --to 127.0.0.1
sudo iptables -A INPUT -i tap7 -j ACCEPT

However, when I listen in Wireshark, I still see that the packets are captured on tap7 and not on the lo device. Does anyone have an idea why?

1 Answer


You need to enable the route_localnet sysctl option for the tap7 interface. You should be able to accomplish this with the sysctl -w net.ipv4.conf.tap7.route_localnet=1 command, depending on your distro.

route_localnet - BOOLEAN
    Do not consider loopback addresses as martian source or destination
    while routing. This enables the use of 127/8 for local routing purposes.
    default FALSE

More (brief) information on the security implications of route_localnet can be found in this thread

Hope this helps

maff1989
  • The same problem happens even if I change `127.0.0.1` to a different ip. Which means that the problem is not only because of using `lo` – Ahmed Hussein Jan 09 '19 at 19:07
  • Ah, in that case you also need to run `sysctl -w net.ipv4.ip_forward=1` to enable IP forwarding in the kernel – maff1989 Jan 09 '19 at 20:35
  • I already did that, but it seems that you misunderstand me. I have a packet with source IP `s` and destination IP `d`. Now, regardless of `d`, I write this packet to `tap7`, which has a third IP `t`. What you mentioned works if and only if `d` = `t` (which is not my case). – Ahmed Hussein Jan 09 '19 at 20:41
  • If the source packets are not destined for the `tap7` IP address, then this can never work as an `ESTABLISHED` TCP connection, since `s` only knows that `d` receives the packet and not `t`. However, your `tcpdump` should still be able to see the packet hit the `lo` interface – maff1989 Jan 09 '19 at 20:54
  • So why am I not able to see that in Wireshark? – Ahmed Hussein Jan 09 '19 at 20:56
  • At this point, Wireshark should at least be working. Try this instead, which will enable `route_localnet` for all interfaces (just in case we are missing something): `sysctl -w net.ipv4.conf.all.route_localnet=1` – maff1989 Jan 09 '19 at 21:19
  • If my most recent comment doesn't solve the issue, then instead of using `DNAT` try using `REDIRECT` without any additional arguments. Info on `REDIRECT` found here: https://www.frozentux.net/iptables-tutorial/chunkyhtml/x4529.html – maff1989 Jan 09 '19 at 21:25