Can not see VM packets using Netfilter

+2 votes
471 views

I've recently been developing a simple program using netfilter and I'm having a tricky problem. My program mainly logs the src and dst IP addresses of all the packets. The program runs on the host machine. I have several virtual machines on that host machine.

The problem is, I cannot capture the packets generated by or destined for the VMs. All the VMs use bridged networking to connect.

Can anyone help me?

posted Dec 2, 2014 by anonymous


1 Answer

0 votes

Depending on the interface you use (bridge) and the method you try to log packets, you may try again with:

echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

answer Dec 2, 2014 by Sanketi Garg
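
A check to run before and after applying the setting from the answer, added here as an example and not part of the original answer. It reads the bridge-nf-call-iptables switch the answer names, plus the ip6tables and arptables switches that sit in the same directory (those two are not mentioned on the page). The function name and the optional directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report whether bridged frames are handed to the iptables hooks.
# bridge_nf_check is a hypothetical helper name; the optional first argument
# lets the check run against a constructed directory instead of the live /proc.
#
# Return codes: 0 = bridge-nf-call-iptables is 1 (bridged IPv4 reaches iptables)
#               1 = switch is off or unreadable
#               2 = sysctl directory absent (bridge netfilter code not loaded;
#                   on kernels that ship it as a module: modprobe br_netfilter)

bridge_nf_check() {
    dir="${1:-/proc/sys/net/bridge}"

    if [ ! -d "$dir" ]; then
        echo "bridge sysctls absent: $dir"
        return 2
    fi

    # Print every switch so a partial configuration is visible at a glance.
    for knob in iptables ip6tables arptables; do
        f="$dir/bridge-nf-call-$knob"
        if [ -r "$f" ]; then
            val=$(cat "$f")
        else
            val=missing
        fi
        echo "bridge-nf-call-$knob=$val"
    done

    # The verdict depends only on the switch the answer sets.
    [ "$(cat "$dir/bridge-nf-call-iptables" 2>/dev/null)" = "1" ]
}

# Inspect the live host only when asked to: sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then
    bridge_nf_check
fi
```

A return code of 2 means writing to the file from the answer will fail until the bridge netfilter code is loaded.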
Similar Questions
+1 vote

Is there a way to find out if there any iptables rules set on a machine ?

There are some indirect ways which will not always work; for example, I know that on most hosts, iptables -S will return the following output (when no iptable rules are set)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

So you can check whether or not the number of output lines is greater than 3 (as an indication of whether or not iptables rules are set). But there are hosts on which there are more chains than these 3; these chains are set by applications/services, even when no iptables rules are set. And after running iptables -F on these machines, iptables -S will still show more than 3 chains, even though there are no iptables rules set in these chains.

So the question is - is there a way to know whether or not netfilter rules are set on a host, regardless of the number of chains ?

0 votes

Is it possible to bind multiple address families in netfilter queue? I see IPv4 show up in my queue, but not ARP. With error code removed, here is how I'm calling nfq_bind:

netfilterqueue_handle = nfq_open();
netfilterqueue_queue = nfq_create_queue( netfilterqueue_handle, 0,

nfq_bind_pf( netfilterqueue_handle, AF_INET );
nfq_bind_pf( netfilterqueue_handle, NF_ARP );

I'm thinking the more likely possibility is the iptable rules I'm using to send traffic to the queue are too restrictive. Here are the rules I have:

# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*nat
:PREROUTING ACCEPT [161:14105]
:INPUT ACCEPT [56:4995]
:OUTPUT ACCEPT [56:4496]
:POSTROUTING ACCEPT [56:4496]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Feb 14 10:40:46 2015
# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*filter
:INPUT ACCEPT [1017:217421]
:FORWARD DROP [53:2307]
:OUTPUT ACCEPT [934:211104]
:MYRA - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j MYRA
-A FORWARD -s 10.0.1.0/24 -o eth0 -m conntrack --ctstate NEW -j MYRA
-A MYRA -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
# Completed on Sat Feb 14 10:40:46 2015

Do I have to add another FORWARD line to get ARP to jump to MYRA? What would it look like?

+1 vote

I know that a packet traverses through the Netfilter hooks, but how to practically realize that? Any suggestions...

+1 vote

I am trying to provide the ability to intercept network connections originating from, and coming into, Linux machines at various stages during the network connection's life cycle.

These stages include the following:
1. Just before an outbound network connection is made - i.e. when the first SYN packet is sent out.
2. Just after an outbound network connection is established.
3. Just after the connection is terminated.
4. When an inbound connection is established - i.e. when the first SYN packet is received from outside.

For above requirements, I was evaluating netfilter_queue to get the packets in the user-space and then decide the verdict whether to allow or drop the packet.

My main concern here is, that once I am done with netfilter_queue registration, I'll start getting all the packets. But I am only interested in control packets and don't want data packets to be sent to user-space.

So, my question is - Is there any existing way to tell the netfilter_queue kernel module to send only the control packets and not the data packets ? Also, would it be possible to get notified about the connection establishment and termination ?

If there is no ready way to achieve the above, then would it make sense to modify libnfnetfilter_queue and netfilter_queue kernel module to provide only control packets depending upon the config mode set,
i.e. introducing NFQNL_COPY_CONTROL_PACKET for copying only control packets to user-space ?

...