RE: iptables v1.2.1a - packets not reaching tun(0) from eth0 interface
From: Raghavan, Srihari @ 2002-10-22 13:53 UTC
  To: 'netfilter@newkirk.us'; +Cc: 'netfilter@lists.netfilter.org'

Hi Joel
   Thanks for your mail.
   I am sorry but I do not see a mistake there since I have specified a
destination address (during PREROUTING for mangle table) via the -d option.
   What I want is that TCP packets (say telnet) to the machine itself (on
172.17.27.18(eth0)) should not go through my main iptables rule (MARK
PREROUTING rule) and hence 'tun0'.
   The MARK PREROUTING rule is meant for catching all TCP packets not
destined to this machine.
   About the OUTPUT rule, it is still incomplete. I should have taken that
rule out before posting.

Thanks
Srihari
-----Original Message-----
From: Joel Newkirk [mailto:netfilter@newkirk.us]
Sent: Tuesday, October 22, 2002 3:21 AM
To: Raghavan, Srihari; 'netfilter@lists.netfilter.org'
Subject: Re: iptables v1.2.1a - packets not reaching tun(0) from eth0 interface


On Monday 21 October 2002 06:37 pm, Raghavan, Srihari wrote:
> Hi all,
>
> I have a Linux machine that needs to catch TCP packets (not meant for
> itself) that come on its eth0 interface and pass them on to tun0 interface
> (through the TUN/TAP driver). I am using Linux 2.4.12 kernel.
>
> 1. I use the following iptables/ip rules commands after opening the tun
> device:
>
> system("ip addr add 172.17.27.18 peer 10.99.99.99 dev tun0");
> system("ip link set dev tun0 up");
> system("iptables -t mangle -A PREROUTING -d 172.17.27.0/24 -j ACCEPT");
> system("iptables -t mangle -A OUTPUT -d 172.17.27.0/24 -j ACCEPT");
> system("iptables --verbose -t mangle -A PREROUTING -i eth0 -p tcp \
>         -d 0.0.0.0/0 -j MARK --set-mark 1");
> system("iptables -t mangle -A OUTPUT -p tcp -d 0.0.0.0/0 -j MARK \
>         --set-mark 1");
> system("ip rule add fwmark 1 table 200");
> system("ip route add default dev tun0 table 200");

{snip extra details}

You're ACCEPTing in mangle prerouting?  Great, so the packet passes that
chain.  You've done nothing to it though, except give it a ticket out of
PREROUTING, so that it never hits your MARK rule.  The OUTPUT ones would
never get hit by this at all, since that's for output from the local
machine, but you do the same there.

> Any clues?
>
> Thank you for your time
> Srihari

j
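As an added illustration (not code from the thread), the following Python models how the posted mangle PREROUTING chain is traversed: ACCEPT is terminating, so any packet it matches leaves the chain before the MARK rule is ever considered, while MARK is non-terminating. It also includes a constructed single negated-destination rule expressing the stated intent of marking only TCP not addressed to 172.17.27.18 (an assumption about what was wanted, not a rule from the thread); the `route()` helper is a stand-in for the fwmark policy-routing rule, and the packets are constructed samples.

```python
import ipaddress
# Toy model of netfilter chain traversal (added illustration, not kernel code).
# Rules are tried in order: ACCEPT ends traversal, MARK sets the fwmark and
# falls through to the next rule.

def matches(rule, pkt):
    """True when every match the rule specifies fits the packet."""
    if rule.get("in") and rule["in"] != pkt["in"]:
        return False
    if rule.get("proto") and rule["proto"] != pkt["proto"]:
        return False
    if "dst" in rule:
        net, negated = rule["dst"]
        in_net = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(net)
        if in_net == negated:        # '-d net' wants in_net, '! -d net' wants not
            return False
    return True

def traverse(chain, pkt):
    """Return the fwmark carried by pkt when it leaves the chain."""
    mark = 0
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule["target"] == "ACCEPT":
            break                    # terminating: later rules never run
        if rule["target"] == "MARK":
            mark = rule["mark"]      # non-terminating: keep going
    return mark

def route(mark):
    """Stand-in for 'ip rule add fwmark 1 table 200' + default route via tun0."""
    return "tun0" if mark == 1 else "main-table"

def packet(dst, proto="tcp", iface="eth0"):
    """Constructed sample packet arriving on the given interface."""
    return {"dst": dst, "proto": proto, "in": iface}

# mangle PREROUTING as posted in the thread (the ACCEPT covers the whole /24,
# so TCP for any host in 172.17.27.0/24 is exempted, not just this machine).
POSTED = [
    {"dst": ("172.17.27.0/24", False), "target": "ACCEPT"},
    {"in": "eth0", "proto": "tcp", "dst": ("0.0.0.0/0", False), "target": "MARK", "mark": 1},
]

# Constructed alternative for the stated intent, equivalent to
#   iptables -t mangle -A PREROUTING -i eth0 -p tcp ! -d 172.17.27.18 -j MARK --set-mark 1
INTENDED = [
    {"in": "eth0", "proto": "tcp", "dst": ("172.17.27.18/32", True), "target": "MARK", "mark": 1},
]
```

With POSTED, a TCP packet for another host in the /24 (say 172.17.27.50) leaves the chain unmarked and is routed by the main table, never via tun0; with INTENDED only traffic for 172.17.27.18 itself stays unmarked.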

