top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

IPTABLE: How to ignore forwarded traffic?

0 votes
703 views

Consider the following example: you have a router between two networks, and you want to cut off the
router from the outside world using some iptables rules. However, all traffic that is forwarded by the router between the two networks basically is to be ignored by iptables (i.e., the router does not play firewall for any of the two networks).

Currently, if conntrack is loaded on the router, then conntrack -L on the router lists all the connections, not only those to and from the router, but also all connections between the two. Certainly, it takes some CPU cycles for the router to keep track of all the connections. Also, the number of connections that conntrack can take of is limited.

So is there a way to let Linux "bypass" conntrack and maybe other netfilter stuff when it comes to forwarded packets?

posted Apr 21, 2014 by Deepak Dasgupta

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button
You can disable conntrack at all by removing of the module. Also you can disable conntrack only for specifyed connections with CT target (--notrack option).
> You can disable conntrack at all by removing of the module.

Assume, the firewall protecting the router is stateful (i.e., it uses conntrack).

> Also you can disable conntrack only for specifyed connections with CT target (--notrack option).

I know have the following three rules:

iptables -t raw -A PREROUTING -d -j CT
iptables -t raw -A PREROUTING -d -j CT
iptables -t raw -A PREROUTING -j CT --notrack

So any traffic directed at the router or coming from the router should be conntracked while all other traffic is not. Note, that I don't have any rules in the OUTPUT chain of the raw table, as it seems to me that the default (connections are conntracked) is fine.

Do the above rules seem OK to you?

1 Answer

+1 vote

Seems like OK, but you should add iptables -t raw -A OUTPUT -j CT --notrack to prevent of tracking of the local originated traffic.

answer Apr 22, 2014 by anonymous
Similar Questions
+5 votes

I want to forward all http traffic coming in from a perticular IP at local port 8080, to 2 particular IP Addresses (port 80). Is it enough to prepend the following in my IPtable

-A PREROUTING -s xx.xx.xx.xx/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s xx.xx.xx.xx/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80

0 votes

I am trying to queue the packets of a process so I can use libnetfilter_queue to modify them.

I read in the documentation that I should use --pid-owner processid to filter packets of a process and iptables -I

  -j NFQUEUE --queue-num  to add them to the queue.

I read the documentation but I am still confused how to do this. If any one can help me to understand this command I would appreciate it a lot.

+1 vote

I wanted to make a white list using the settings below.

iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

iptables -I wanout -m mac --mac-source 01:26:f7:46:71:4b -j ACCEPT
iptables -I wanout -m mac --mac-source d2:37:b5:f2:39:f3 -j ACCEPT

iptables -I wanout -d gamepedia.com -j ACCEPT
iptables -I wanout -d toysrus.com -j ACCEPT

iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable

So the boxes with the MACs specified are exempt from blocking. The domains "gamepedia.com" and "toysrus.com" are accesible to all.

But the problem is that those domains pulls stuff in from other domains using or something, which makes the IPTable block the loading of the website to complete.

How do I deal with that in the best way? I don't want to look up everything they pull in and white list that as well. Also it might change.

Isn't there a way to say "accept all from this domain, even unrelated stuff"?

+2 votes

I have some issue with module (owner) in iptables v1.4.14

Current rule fails:
iptables -t nat -A OUTPUT -o eth0 -p tcp -s x.x.x.x -m owner --gid-owner usergroup -j DNAT --to-destination x.x.x.x:80;
I tried to use numeric gid, it failed too..

But this rule works fine:
iptables -t nat -A OUTPUT -o eth0 -p tcp -s x.x.x.x -m owner --uid-owner user -j DNAT --to-destination x.x.x.x:80;

Is it a BUG or I am missing something?

+1 vote

According to your experience what would be the best strategy to intercept traffic from one machine to another and process some (not all) request in a transparent way.

I explain, i have two machines:

192.168.1.1/24  192.168.1.2/24

All I want to do is to intercept traffic from a specific port(s), i.e. 4000/tcp and process it in a 'machine in the middle'.

192.168.1.1/24  machine-in-the-middle  192.168.1.2/24

The idea is that when 192.168.1.1 connects to 192.168.1.2:4000 then the machine in the middle will answer those requests, but the remaining traffic from 192.168.1.1 to 192.168.1.2 keep forwarding as is, and the same for the opposite direction.

...