Network bridge and disappearing packets after the “mangle†table
Clash Royale CLAN TAG#URR8PPP
up vote
0
down vote
favorite
TLDR: I setup a system for intercepting packets, and found that while using a network bridge, packets would disappear after the "mangle" table's PREROUTING chain, failing to hit rules in the "nat" table.
So I'll do my best to give my understanding of Linux packet flow, and the setup that is causing the issues. I can provide log output as needed, but this description should be sufficient to get the setup across.
First. my understanding of packet flow is based off this Linux Netfilter packet flow diagram.
In my setup, I have a standard network bridge that is transferring packets from one Ethernet interface to another (packet forwarding enabled in the system, obviously), this part works as expected. However, I need to NAT certain packets, so I've applied the ebtables "redirect to DROP" trick to cause certain packets to be parsed by iptables, even when the packet is destined for a completely different system. I've confirmed that these packets will get parsed successfully by the PREROUTING chains in both the "raw" and "mangle" tables (confirmed via the LOG target), but the "nat" table's PREROUTING chain will never see the packet. I see no errors in syslog, I have no indication of where this packet is going, or why the "nat" table can never see it.
Based on what I know, the route the packet takes should be straightforward, where the flow should be broute:BROUTING->raw:PREROUTING->conntrack->mangle:PREROUTING->nat:PREROUTING. Everything but that last step works as expected, and I've so far been unable to even begin to debug why "nat:PREROUTING" rules do not even see any of the redirected packets.
Is my understanding of netfilter packet flow off, or is there some caveat about network bridges and iptables interaction that I am missing?
Thank you!
iptables bridge netfilter
asked 27 mins ago
TheTwitchy
1
New contributor
TheTwitchy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
0
down vote
favorite
TLDR: I setup a system for intercepting packets, and found that while using a network bridge, packets would disappear after the "mangle" table's PREROUTING chain, failing to hit rules in the "nat" table.
So I'll do my best to give my understanding of Linux packet flow, and the setup that is causing the issues. I can provide log output as needed, but this description should be sufficient to get the setup across.
First. my understanding of packet flow is based off this Linux Netfilter packet flow diagram.
In my setup, I have a standard network bridge that is transferring packets from one Ethernet interface to another (packet forwarding enabled in the system, obviously), this part works as expected. However, I need to NAT certain packets, so I've applied the ebtables "redirect to DROP" trick to cause certain packets to be parsed by iptables, even when the packet is destined for a completely different system. I've confirmed that these packets will get parsed successfully by the PREROUTING chains in both the "raw" and "mangle" tables (confirmed via the LOG target), but the "nat" table's PREROUTING chain will never see the packet. I see no errors in syslog, I have no indication of where this packet is going, or why the "nat" table can never see it.
Based on what I know, the route the packet takes should be straightforward, where the flow should be broute:BROUTING->raw:PREROUTING->conntrack->mangle:PREROUTING->nat:PREROUTING. Everything but that last step works as expected, and I've so far been unable to even begin to debug why "nat:PREROUTING" rules do not even see any of the redirected packets.
Is my understanding of netfilter packet flow off, or is there some caveat about network bridges and iptables interaction that I am missing?
Thank you!
iptables bridge netfilter
asked 27 mins ago
TheTwitchy
1
New contributor
TheTwitchy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Also worth mentioning that rp_filtering does nothing to change this behavior.
– TheTwitchy
19 mins ago
add a comment |Â
up vote
0
down vote
favorite
up vote
0
down vote
favorite
TLDR: I setup a system for intercepting packets, and found that while using a network bridge, packets would disappear after the "mangle" table's PREROUTING chain, failing to hit rules in the "nat" table.
So I'll do my best to give my understanding of Linux packet flow, and the setup that is causing the issues. I can provide log output as needed, but this description should be sufficient to get the setup across.
First. my understanding of packet flow is based off this Linux Netfilter packet flow diagram.
In my setup, I have a standard network bridge that is transferring packets from one Ethernet interface to another (packet forwarding enabled in the system, obviously), this part works as expected. However, I need to NAT certain packets, so I've applied the ebtables "redirect to DROP" trick to cause certain packets to be parsed by iptables, even when the packet is destined for a completely different system. I've confirmed that these packets will get parsed successfully by the PREROUTING chains in both the "raw" and "mangle" tables (confirmed via the LOG target), but the "nat" table's PREROUTING chain will never see the packet. I see no errors in syslog, I have no indication of where this packet is going, or why the "nat" table can never see it.
Based on what I know, the route the packet takes should be straightforward, where the flow should be broute:BROUTING->raw:PREROUTING->conntrack->mangle:PREROUTING->nat:PREROUTING. Everything but that last step works as expected, and I've so far been unable to even begin to debug why "nat:PREROUTING" rules do not even see any of the redirected packets.
Is my understanding of netfilter packet flow off, or is there some caveat about network bridges and iptables interaction that I am missing?
Thank you!
iptables bridge netfilter
asked 27 mins ago
TheTwitchy
1
New contributor
TheTwitchy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
TLDR: I setup a system for intercepting packets, and found that while using a network bridge, packets would disappear after the "mangle" table's PREROUTING chain, failing to hit rules in the "nat" table.
So I'll do my best to give my understanding of Linux packet flow, and the setup that is causing the issues. I can provide log output as needed, but this description should be sufficient to get the setup across.
First. my understanding of packet flow is based off this Linux Netfilter packet flow diagram.
In my setup, I have a standard network bridge that is transferring packets from one Ethernet interface to another (packet forwarding enabled in the system, obviously), this part works as expected. However, I need to NAT certain packets, so I've applied the ebtables "redirect to DROP" trick to cause certain packets to be parsed by iptables, even when the packet is destined for a completely different system. I've confirmed that these packets will get parsed successfully by the PREROUTING chains in both the "raw" and "mangle" tables (confirmed via the LOG target), but the "nat" table's PREROUTING chain will never see the packet. I see no errors in syslog, I have no indication of where this packet is going, or why the "nat" table can never see it.
Based on what I know, the route the packet takes should be straightforward, where the flow should be broute:BROUTING->raw:PREROUTING->conntrack->mangle:PREROUTING->nat:PREROUTING. Everything but that last step works as expected, and I've so far been unable to even begin to debug why "nat:PREROUTING" rules do not even see any of the redirected packets.
Is my understanding of netfilter packet flow off, or is there some caveat about network bridges and iptables interaction that I am missing?
Thank you!
iptables bridge netfilter
iptables bridge netfilter
asked 27 mins ago
TheTwitchy
1
New contributor
TheTwitchy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 27 mins ago
TheTwitchy
1
New contributor
TheTwitchy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 27 mins ago
TheTwitchy
1
New contributor
TheTwitchy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 27 mins ago
TheTwitchy
1
asked 27 mins ago
TheTwitchy
1
1
New contributor
TheTwitchy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
TheTwitchy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
TheTwitchy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Also worth mentioning that rp_filtering does nothing to change this behavior.
– TheTwitchy
19 mins ago
add a comment |Â
Also worth mentioning that rp_filtering does nothing to change this behavior.
– TheTwitchy
19 mins ago
Also worth mentioning that rp_filtering does nothing to change this behavior.
– TheTwitchy
19 mins ago
Also worth mentioning that rp_filtering does nothing to change this behavior.
– TheTwitchy
19 mins ago
add a comment |Â
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
TheTwitchy is a new contributor. Be nice, and check out our Code of Conduct.
TheTwitchy is a new contributor. Be nice, and check out our Code of Conduct.
TheTwitchy is a new contributor. Be nice, and check out our Code of Conduct.
TheTwitchy is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f478345%2fnetwork-bridge-and-disappearing-packets-after-the-mangle-table%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Also worth mentioning that rp_filtering does nothing to change this behavior.
– TheTwitchy
19 mins ago