Can't forward traffic from eth to TUN/TAP

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I'm trying to forward traffic from a physical interface enp5s0 to a virtual one tun0. The goal is to make tun0 receive essentially all packets from enp5s0.



First, I enable forwarding with a command



sudo sysctl -w net.ipv4.ip_forward=1


Then I create tun0 by running



sudo ip tuntap add dev tun0 mod tun


I assign it IP-address and turn the device on:



sudo ifconfig tun0 10.1.8.5 netmask 255.255.255.0 promisc up


I want to make all packets go from enp5s0 to tun0, so I have to use iptables. I need to make a rule that allows forwarding from enp5s0 to tun0, so the command is



sudo iptables -A FORWARD --in-interface tun0 --out-interface enp5s0 -j ACCEPT


Then I enable NAT by running



sudo iptables -t nat -A POSTROUTING --out-interface enp5s0 -j MASQUERADE


tcpdump shows no traffic on tun0.



Also, I tried almost the same thing, but using TAP device. I created a bridge with brctl, added tap0 and enp5s0, but no packets were received by tap0 and everything was ok with enp5s0. Nothing like default gw 10.1.8.5 works in TUN case. Where is a mistake?







share|improve this question



















  • What exactly are you trying to achieve?
    – ysdx
    May 11 at 14:34










  • I'm trying to capture all enp5s0 traffic on tun0. Every packet received by enp5s0 should be forwarded to tun0`
    – Nikita Zeulin
    May 12 at 13:31














up vote
0
down vote

favorite












I'm trying to forward traffic from a physical interface enp5s0 to a virtual one tun0. The goal is to make tun0 receive essentially all packets from enp5s0.



First, I enable forwarding with a command



sudo sysctl -w net.ipv4.ip_forward=1


Then I create tun0 by running



sudo ip tuntap add dev tun0 mod tun


I assign it IP-address and turn the device on:



sudo ifconfig tun0 10.1.8.5 netmask 255.255.255.0 promisc up


I want to make all packets go from enp5s0 to tun0, so I have to use iptables. I need to make a rule that allows forwarding from enp5s0 to tun0, so the command is



sudo iptables -A FORWARD --in-interface tun0 --out-interface enp5s0 -j ACCEPT


Then I enable NAT by running



sudo iptables -t nat -A POSTROUTING --out-interface enp5s0 -j MASQUERADE


tcpdump shows no traffic on tun0.



Also, I tried almost the same thing, but using TAP device. I created a bridge with brctl, added tap0 and enp5s0, but no packets were received by tap0 and everything was ok with enp5s0. Nothing like default gw 10.1.8.5 works in TUN case. Where is a mistake?







share|improve this question



















  • What exactly are you trying to achieve?
    – ysdx
    May 11 at 14:34










  • I'm trying to capture all enp5s0 traffic on tun0. Every packet received by enp5s0 should be forwarded to tun0`
    – Nikita Zeulin
    May 12 at 13:31












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I'm trying to forward traffic from a physical interface enp5s0 to a virtual one tun0. The goal is to make tun0 receive essentially all packets from enp5s0.



First, I enable forwarding with a command



sudo sysctl -w net.ipv4.ip_forward=1


Then I create tun0 by running



sudo ip tuntap add dev tun0 mod tun


I assign it IP-address and turn the device on:



sudo ifconfig tun0 10.1.8.5 netmask 255.255.255.0 promisc up


I want to make all packets go from enp5s0 to tun0, so I have to use iptables. I need to make a rule that allows forwarding from enp5s0 to tun0, so the command is



sudo iptables -A FORWARD --in-interface tun0 --out-interface enp5s0 -j ACCEPT


Then I enable NAT by running



sudo iptables -t nat -A POSTROUTING --out-interface enp5s0 -j MASQUERADE


tcpdump shows no traffic on tun0.



Also, I tried almost the same thing, but using TAP device. I created a bridge with brctl, added tap0 and enp5s0, but no packets were received by tap0 and everything was ok with enp5s0. Nothing like default gw 10.1.8.5 works in TUN case. Where is a mistake?







share|improve this question











I'm trying to forward traffic from a physical interface enp5s0 to a virtual one tun0. The goal is to make tun0 receive essentially all packets from enp5s0.



First, I enable forwarding with a command



sudo sysctl -w net.ipv4.ip_forward=1


Then I create tun0 by running



sudo ip tuntap add dev tun0 mod tun


I assign it IP-address and turn the device on:



sudo ifconfig tun0 10.1.8.5 netmask 255.255.255.0 promisc up


I want to make all packets go from enp5s0 to tun0, so I have to use iptables. I need to make a rule that allows forwarding from enp5s0 to tun0, so the command is



sudo iptables -A FORWARD --in-interface tun0 --out-interface enp5s0 -j ACCEPT


Then I enable NAT by running



sudo iptables -t nat -A POSTROUTING --out-interface enp5s0 -j MASQUERADE


tcpdump shows no traffic on tun0.



Also, I tried almost the same thing, but using TAP device. I created a bridge with brctl, added tap0 and enp5s0, but no packets were received by tap0 and everything was ok with enp5s0. Nothing like default gw 10.1.8.5 works in TUN case. Where is a mistake?









share|improve this question










share|improve this question




share|improve this question









asked May 9 at 13:10









Nikita Zeulin

1




1











  • What exactly are you trying to achieve?
    – ysdx
    May 11 at 14:34










  • I'm trying to capture all enp5s0 traffic on tun0. Every packet received by enp5s0 should be forwarded to tun0`
    – Nikita Zeulin
    May 12 at 13:31
















  • What exactly are you trying to achieve?
    – ysdx
    May 11 at 14:34










  • I'm trying to capture all enp5s0 traffic on tun0. Every packet received by enp5s0 should be forwarded to tun0`
    – Nikita Zeulin
    May 12 at 13:31















What exactly are you trying to achieve?
– ysdx
May 11 at 14:34




What exactly are you trying to achieve?
– ysdx
May 11 at 14:34












I'm trying to capture all enp5s0 traffic on tun0. Every packet received by enp5s0 should be forwarded to tun0`
– Nikita Zeulin
May 12 at 13:31




I'm trying to capture all enp5s0 traffic on tun0. Every packet received by enp5s0 should be forwarded to tun0`
– Nikita Zeulin
May 12 at 13:31










1 Answer
1






active

oldest

votes

















up vote
0
down vote













Your in and out interfaces are reversed in the iptables command.



They should be:



sudo iptables -A FORWARD --in-interface enp5s0 --out-interface tun0 -j ACCEPT


and:



sudo iptables -t nat -A POSTROUTING --out-interface tun0 -j MASQUERADE





share|improve this answer





















  • I've tried yours and tcpdump -i tun0 is still empty
    – Nikita Zeulin
    May 9 at 13:55










  • What are you trying to achieve? I have used these commands to set up a vpn over a tun device (which is why I know about the in/out order), however you would normally have something on the other side of the tun0 interface - either the other end of the vpn or a local application that opens the device. Just having the tun0 device with an ip address doesn't mean that traffic will flow - its like having an ethernet port with the cable unplugged. This might be useful: naturalborncoder.com/virtualization/2014/10/17/…
    – BrendanMcL
    May 9 at 22:45










  • Thanks for a link. The goal is to capture all enp5s0 traffic on tun0. I have a program that reads packets from tun0, spoofs them and send them back on wire. I've tried ping and traceroute to test the connection, and the thing is that there are some records on packet going though PREROUTE chain and that's all, packets are not being forwarded even if I make a rule and enable forwarding.
    – Nikita Zeulin
    May 11 at 12:39










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442760%2fcant-forward-traffic-from-eth-to-tun-tap%23new-answer', 'question_page');

);

Post as a guest






























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
0
down vote













Your in and out interfaces are reversed in the iptables command.



They should be:



sudo iptables -A FORWARD --in-interface enp5s0 --out-interface tun0 -j ACCEPT


and:



sudo iptables -t nat -A POSTROUTING --out-interface tun0 -j MASQUERADE





share|improve this answer





















  • I've tried yours and tcpdump -i tun0 is still empty
    – Nikita Zeulin
    May 9 at 13:55










  • What are you trying to achieve? I have used these commands to set up a vpn over a tun device (which is why I know about the in/out order), however you would normally have something on the other side of the tun0 interface - either the other end of the vpn or a local application that opens the device. Just having the tun0 device with an ip address doesn't mean that traffic will flow - its like having an ethernet port with the cable unplugged. This might be useful: naturalborncoder.com/virtualization/2014/10/17/…
    – BrendanMcL
    May 9 at 22:45










  • Thanks for a link. The goal is to capture all enp5s0 traffic on tun0. I have a program that reads packets from tun0, spoofs them and send them back on wire. I've tried ping and traceroute to test the connection, and the thing is that there are some records on packet going though PREROUTE chain and that's all, packets are not being forwarded even if I make a rule and enable forwarding.
    – Nikita Zeulin
    May 11 at 12:39














up vote
0
down vote













Your in and out interfaces are reversed in the iptables command.



They should be:



sudo iptables -A FORWARD --in-interface enp5s0 --out-interface tun0 -j ACCEPT


and:



sudo iptables -t nat -A POSTROUTING --out-interface tun0 -j MASQUERADE





share|improve this answer





















  • I've tried yours and tcpdump -i tun0 is still empty
    – Nikita Zeulin
    May 9 at 13:55










  • What are you trying to achieve? I have used these commands to set up a vpn over a tun device (which is why I know about the in/out order), however you would normally have something on the other side of the tun0 interface - either the other end of the vpn or a local application that opens the device. Just having the tun0 device with an ip address doesn't mean that traffic will flow - its like having an ethernet port with the cable unplugged. This might be useful: naturalborncoder.com/virtualization/2014/10/17/…
    – BrendanMcL
    May 9 at 22:45










  • Thanks for a link. The goal is to capture all enp5s0 traffic on tun0. I have a program that reads packets from tun0, spoofs them and send them back on wire. I've tried ping and traceroute to test the connection, and the thing is that there are some records on packet going though PREROUTE chain and that's all, packets are not being forwarded even if I make a rule and enable forwarding.
    – Nikita Zeulin
    May 11 at 12:39












up vote
0
down vote










up vote
0
down vote









Your in and out interfaces are reversed in the iptables command.



They should be:



sudo iptables -A FORWARD --in-interface enp5s0 --out-interface tun0 -j ACCEPT


and:



sudo iptables -t nat -A POSTROUTING --out-interface tun0 -j MASQUERADE





share|improve this answer













Your in and out interfaces are reversed in the iptables command.



They should be:



sudo iptables -A FORWARD --in-interface enp5s0 --out-interface tun0 -j ACCEPT


and:



sudo iptables -t nat -A POSTROUTING --out-interface tun0 -j MASQUERADE






share|improve this answer













share|improve this answer



share|improve this answer











answered May 9 at 13:26









BrendanMcL

214




214











  • I've tried yours and tcpdump -i tun0 is still empty
    – Nikita Zeulin
    May 9 at 13:55










  • What are you trying to achieve? I have used these commands to set up a vpn over a tun device (which is why I know about the in/out order), however you would normally have something on the other side of the tun0 interface - either the other end of the vpn or a local application that opens the device. Just having the tun0 device with an ip address doesn't mean that traffic will flow - its like having an ethernet port with the cable unplugged. This might be useful: naturalborncoder.com/virtualization/2014/10/17/…
    – BrendanMcL
    May 9 at 22:45










  • Thanks for a link. The goal is to capture all enp5s0 traffic on tun0. I have a program that reads packets from tun0, spoofs them and send them back on wire. I've tried ping and traceroute to test the connection, and the thing is that there are some records on packet going though PREROUTE chain and that's all, packets are not being forwarded even if I make a rule and enable forwarding.
    – Nikita Zeulin
    May 11 at 12:39
















  • I've tried yours and tcpdump -i tun0 is still empty
    – Nikita Zeulin
    May 9 at 13:55










  • What are you trying to achieve? I have used these commands to set up a vpn over a tun device (which is why I know about the in/out order), however you would normally have something on the other side of the tun0 interface - either the other end of the vpn or a local application that opens the device. Just having the tun0 device with an ip address doesn't mean that traffic will flow - its like having an ethernet port with the cable unplugged. This might be useful: naturalborncoder.com/virtualization/2014/10/17/…
    – BrendanMcL
    May 9 at 22:45










  • Thanks for a link. The goal is to capture all enp5s0 traffic on tun0. I have a program that reads packets from tun0, spoofs them and send them back on wire. I've tried ping and traceroute to test the connection, and the thing is that there are some records on packet going though PREROUTE chain and that's all, packets are not being forwarded even if I make a rule and enable forwarding.
    – Nikita Zeulin
    May 11 at 12:39















I've tried yours and tcpdump -i tun0 is still empty
– Nikita Zeulin
May 9 at 13:55




I've tried yours and tcpdump -i tun0 is still empty
– Nikita Zeulin
May 9 at 13:55












What are you trying to achieve? I have used these commands to set up a vpn over a tun device (which is why I know about the in/out order), however you would normally have something on the other side of the tun0 interface - either the other end of the vpn or a local application that opens the device. Just having the tun0 device with an ip address doesn't mean that traffic will flow - its like having an ethernet port with the cable unplugged. This might be useful: naturalborncoder.com/virtualization/2014/10/17/…
– BrendanMcL
May 9 at 22:45




What are you trying to achieve? I have used these commands to set up a vpn over a tun device (which is why I know about the in/out order), however you would normally have something on the other side of the tun0 interface - either the other end of the vpn or a local application that opens the device. Just having the tun0 device with an ip address doesn't mean that traffic will flow - its like having an ethernet port with the cable unplugged. This might be useful: naturalborncoder.com/virtualization/2014/10/17/…
– BrendanMcL
May 9 at 22:45












Thanks for a link. The goal is to capture all enp5s0 traffic on tun0. I have a program that reads packets from tun0, spoofs them and send them back on wire. I've tried ping and traceroute to test the connection, and the thing is that there are some records on packet going though PREROUTE chain and that's all, packets are not being forwarded even if I make a rule and enable forwarding.
– Nikita Zeulin
May 11 at 12:39




Thanks for a link. The goal is to capture all enp5s0 traffic on tun0. I have a program that reads packets from tun0, spoofs them and send them back on wire. I've tried ping and traceroute to test the connection, and the thing is that there are some records on packet going though PREROUTE chain and that's all, packets are not being forwarded even if I make a rule and enable forwarding.
– Nikita Zeulin
May 11 at 12:39












 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442760%2fcant-forward-traffic-from-eth-to-tun-tap%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?