top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

How to Filtering and Queue the Packets of a Process using Iptable?

0 votes
384 views

I am trying to queue the packets of a process so I can use libnetfilter_queue to modify them.

I read in the documentation that I should use --pid-owner processid to filter packets of a process and iptables -I

  -j NFQUEUE --queue-num  to add them to the queue.

I read the documentation but I am still confused how to do this. If any one can help me to understand this command I would appreciate it a lot.

posted Aug 12, 2017 by Bob Wise

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button LinkedIn Share Button

Similar Questions
0 votes

Consider the following example: you have a router between two networks, and you want to cut off the
router from the outside world using some iptables rules. However, all traffic that is forwarded by the router between the two networks basically is to be ignored by iptables (i.e., the router does not play firewall for any of the two networks).

Currently, if conntrack is loaded on the router, then conntrack -L on the router lists all the connections, not only those to and from the router, but also all connections between the two. Certainly, it takes some CPU cycles for the router to keep track of all the connections. Also, the number of connections that conntrack can take of is limited.

So is there a way to let Linux "bypass" conntrack and maybe other netfilter stuff when it comes to forwarded packets?

+5 votes

I want to forward all http traffic coming in from a perticular IP at local port 8080, to 2 particular IP Addresses (port 80). Is it enough to prepend the following in my IPtable

-A PREROUTING -s xx.xx.xx.xx/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s xx.xx.xx.xx/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80

+1 vote

I'm looking at a strange phenomenon that occurs on an iptables firewall. There is a DNAT rule configured that maps a public IP to a private one where a web serve is listening. Normal request operate as expected that is the destination ip is modified to the private one when the request arrives at the firewall and on the response packet the private ip is mapped back to the public one.
What I noticed though is that for some response packets the source ip is *not* mapped back to the public ip and instead tcpdump shows that the packets are sent out with the private source ip. The thing all these packets have in common is that they have the RST flag set.

What could be the reason for this? Is there some particular iptables behavior that could explain this?

0 votes

Is it possible to bind multiple address families in netfilter queue? I see IPv4 show up in my queue, but not ARP. With error code removed, here is how I'm calling nfq_bind:

netfilterqueue_handle = nfq_open();
netfilterqueue_queue = nfq_create_queue( netfilterqueue_handle, 0,

nfq_bind_pf( netfilterqueue_handle, AF_INET );
nfq_bind_pf( netfilterqueue_handle, NF_ARP );

I'm thinking the more likely possibility is the iptable rules I'm using to send traffic to the queue are too restrictive. Here are the rules I have:

# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*nat
:PREROUTING ACCEPT [161:14105]
:INPUT ACCEPT [56:4995]
:OUTPUT ACCEPT [56:4496]
:POSTROUTING ACCEPT [56:4496]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Feb 14 10:40:46 2015
# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*filter
:INPUT ACCEPT [1017:217421]
:FORWARD DROP [53:2307]
:OUTPUT ACCEPT [934:211104]
:MYRA - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j MYRA
-A FORWARD -s 10.0.1.0/24 -o eth0 -m conntrack --ctstate NEW -j MYRA
-A MYRA -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
# Completed on Sat Feb 14 10:40:46 2015

Do I have to add another FORWARD line to get ARP to jump to MYRA? What would it look like?

+1 vote

I wanted to make a white list using the settings below.

iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

iptables -I wanout -m mac --mac-source 01:26:f7:46:71:4b -j ACCEPT
iptables -I wanout -m mac --mac-source d2:37:b5:f2:39:f3 -j ACCEPT

iptables -I wanout -d gamepedia.com -j ACCEPT
iptables -I wanout -d toysrus.com -j ACCEPT

iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable

So the boxes with the MACs specified are exempt from blocking. The domains "gamepedia.com" and "toysrus.com" are accesible to all.

But the problem is that those domains pulls stuff in from other domains using or something, which makes the IPTable block the loading of the website to complete.

How do I deal with that in the best way? I don't want to look up everything they pull in and white list that as well. Also it might change.

Isn't there a way to say "accept all from this domain, even unrelated stuff"?

...