Can't forward traffic from eth to TUN/TAP

I'm trying to forward traffic from a physical interface enp5s0 to a virtual one tun0. The goal is to make tun0 receive essentially all packets from enp5s0.
First, I enable forwarding with the command
sudo sysctl -w net.ipv4.ip_forward=1
Then I create tun0 by running
sudo ip tuntap add dev tun0 mod tun
I assign it an IP address and turn the device on:
sudo ifconfig tun0 10.1.8.5 netmask 255.255.255.0 promisc up
I want to make all packets go from enp5s0 to tun0, so I have to use iptables. I need to make a rule that allows forwarding from enp5s0 to tun0, so the command is
sudo iptables -A FORWARD --in-interface tun0 --out-interface enp5s0 -j ACCEPT
Then I enable NAT by running
sudo iptables -t nat -A POSTROUTING --out-interface enp5s0 -j MASQUERADE
tcpdump shows no traffic on tun0.
Also, I tried almost the same thing, but using a TAP device. I created a bridge with brctl, added tap0 and enp5s0, but no packets were received by tap0 and everything was OK with enp5s0. Nothing like default gw 10.1.8.5 works in the TUN case. Where is the mistake?
iptables vpn tunneling forwarding
asked May 9 at 13:10
Nikita Zeulin
What exactly are you trying to achieve?
– ysdx
May 11 at 14:34
I'm trying to capture all enp5s0 traffic on tun0. Every packet received by enp5s0 should be forwarded to tun0
– Nikita Zeulin
May 12 at 13:31
1 Answer
Your in and out interfaces are reversed in the iptables command.
They should be:
sudo iptables -A FORWARD --in-interface enp5s0 --out-interface tun0 -j ACCEPT
and:
sudo iptables -t nat -A POSTROUTING --out-interface tun0 -j MASQUERADE
answered May 9 at 13:26
BrendanMcL
I've tried yours and tcpdump -i tun0 is still empty
– Nikita Zeulin
May 9 at 13:55
What are you trying to achieve? I have used these commands to set up a VPN over a tun device (which is why I know about the in/out order), however you would normally have something on the other side of the tun0 interface - either the other end of the VPN or a local application that opens the device. Just having the tun0 device with an IP address doesn't mean that traffic will flow - it's like having an ethernet port with the cable unplugged. This might be useful: naturalborncoder.com/virtualization/2014/10/17/…
– BrendanMcL
May 9 at 22:45
Thanks for the link. The goal is to capture all enp5s0 traffic on tun0. I have a program that reads packets from tun0, spoofs them and sends them back on the wire. I've tried ping and traceroute to test the connection, and the thing is that there are some records of packets going through the PREROUTE chain and that's all, packets are not being forwarded even if I make a rule and enable forwarding.
– Nikita Zeulin
May 11 at 12:39
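
The point made in the comments above, that tun0 needs a local application holding the device open before traffic can flow, as an added example (not code from the post or from either participant): a minimal Python reader that attaches to the existing tun0 and summarizes each IPv4 packet the kernel routes to it. The helper names and the sample packet are assumptions made for illustration; the ioctl constants are the ones defined in linux/if_tun.h.

```python
import fcntl
import os
import socket
import struct

# Constants from <linux/if_tun.h>
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001      # layer-3 device: each read returns one raw IP packet
IFF_NO_PI = 0x1000    # no 4-byte packet-info prefix in front of the packet

# Constructed sample: 20-byte IPv4 header of an ICMP packet 10.1.8.7 -> 10.1.8.5
SAMPLE = bytes([0x45, 0, 0, 84, 0, 0, 0x40, 0, 64, 1, 0, 0,
                10, 1, 8, 7, 10, 1, 8, 5])

def build_ifreq(name: str, flags: int = IFF_TUN | IFF_NO_PI) -> bytes:
    """Pack the 40-byte struct ifreq that TUNSETIFF expects."""
    raw = name.encode()
    if not 0 < len(raw) < 16:          # IFNAMSIZ is 16 including the NUL
        raise ValueError("interface name must be 1-15 bytes")
    return struct.pack("16sH22x", raw, flags)

def attach(name: str = "tun0") -> int:
    """Open the clone device and bind the fd to an existing TUN interface.
    The interface has carrier only while a process holds such an fd open."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    try:
        fcntl.ioctl(fd, TUNSETIFF, build_ifreq(name))
    except OSError:
        os.close(fd)
        raise
    return fd

def summarize_ipv4(packet: bytes) -> str:
    """Return 'src -> dst proto=N len=N', or the reason the packet was skipped."""
    if len(packet) < 20:
        return "truncated"
    if packet[0] >> 4 != 4:
        return "not IPv4"
    (total_len,) = struct.unpack("!H", packet[2:4])
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return f"{src} -> {dst} proto={packet[9]} len={total_len}"

if __name__ == "__main__":             # attaching needs root and an existing tun0
    print("sample:", summarize_ipv4(SAMPLE))
    fd = attach("tun0")
    while True:
        print(summarize_ipv4(os.read(fd, 65535)))
```

While this runs, `ip link show tun0` no longer reports NO-CARRIER, and only packets that the routing table sends out of tun0 are returned by the read; the FORWARD rule permits that traffic but does not steer it there.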