I installed openWRT distro on my router and enable support of avahi in it. My goal is to discover network services in my network.
I plugged my PC to LAN port with announced services. On router I run tcpdump on bridge interface : tcpdump -i br0 -vvn udp port 5353
During avahi browse execution i receive output:
root#localhost:~# avahi-browse -art
21:55:22.995004 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto UDP (17), length 74)
192.168.1.1.5353 > 224.0.0.251.5353: [udp sum ok] 0 PTR (QM)? _services._dns-sd._udp.local. (46)
But on my PC wireshark didn't show any multicast queries during that call, hence no services found.
Does it mean that router filter multicast packets somehow?
Only way that i know is to filter in ebtables, which shows nothing about filtering of mDNS addresses:
root#localhost:~# ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j RO_INPUT
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-j RO
Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-j IGMPPROXY
Bridge chain: RO, entries: 0, policy: RETURN
Bridge chain: RO_INPUT, entries: 0, policy: RETURN
Bridge chain: IGMPPROXY, entries: 4, policy: RETURN
-p IPv4 -o wl0.1 --ip-dst 239.0.0.0/8 -j DROP
-p IPv4 -o wl0.2 --ip-dst 239.0.0.0/8 -j DROP
-p IPv4 -o wl0.3 --ip-dst 239.0.0.0/8 -j DROP
-p IPv4 -o br0 --ip-dst 239.0.0.0/8 -j DROP
Where these multicast packets could be filtered/dropped?
I found that in my router snooping was enabled, which i think corresponds to IGMP snooping
After disabling it, multicast DNS queries reached destination and were show be wireshark.
Here what i've done (of course path could vary in different hardware and distro):
echo "0" > /proc/hwswitch/default/snooping
Related
I am trying to implement wireless access point on my embedded platform. I have implemented some parts like running wireless card as access point, dhcp server and some forwarding rules (via iptables).
I have tried several iptables commands. results of all are the same. The last one I decided to use is:
iptables -t nat -F
iptables -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
echo '1' > /proc/sys/net/ipv4/ip_forward
Access point runs successfully, clients can connect to it and get ip address. However there is DNS problem. Clients could not resolve the hostnames but they can connect via ip addresses.
DHCP configuration is as below:
interface wlan0
start 192.168.7.11
end 192.168.7.20
max_leases 10
option subnet 255.255.255.0
option router 192.168.7.1
#option dns 192.168.7.2 192.168.7.4
option domain local
option lease 864000
lease_file /conf/udhcpd.leases
#pidfile /tmp/udhcpd.pid
For this configuration, If I use 'option dns 8.8.8.8 8.8.4.4' I can resolve the problem but I need to use the dns of the network. Is there any way to forward the dns address 192.168.7.2 to the dns address of the wired network (eg. 192.168.0.2).
I could not find the DNS routing (eg. 192.168.7.2 to 192.168.0.2). But I have found a way to use the DNS address of the embedded platform on clients.
in DHCP server configuration, I used this option:
option dns 192.168.0.2 192.168.0.4 (conf file are generated when access point is started, so the dns addresses are obtained from the system )
after DHCP server is run, I have run these commands to forward dns addresses:
iptables -A FORWARD --in-interface eth1 -m tcp --sport 53 -j ACCEPT
iptables -A FORWARD --in-interface eth1 -m udp --sport 53 -j ACCEPT
I tried to filter layer 2 multicast packet (no IP header) generated by GOOSE protocol.
The commands below are used (ebtable and iptables) but did not work. Can anyone please give some advice?
I used ebtables because i readed that iptables can't open packet who dont have ip header (layer 3 minimum). The packet were sent from machine A to machine B (client/server software).
a. ebtables -A INPUT -j DROP
ebtables -A OUTPUT -j DROP
b. iptables -A INPUT -m pkttype --pky-type multicast -j DROP
iptables -A OUTPUT -m pkttype --pky-type multicast -j DROP
I tried all the commands above, but i can't stop my multicast packet (DROP was just used for test purpose)
Thank you in advanced...
For the one's who are in the same probleme in the future, i manage to resolve the probleme, first, you should now that iptables can't filter protocole who don't use ip header, so in my case, my protocole is layer 2 (like arp), the best tool for that is ebtables.
The DROP test that i already realise didn't work because i used ebatbles in a normale inerface, and this is a probleme for ebtables, he don't accept it, you should configure an bridge interface before using ebtables.
This the command i typed to creat bridge:
brctl addbr br0
brctl stp br0 off
brctl addif br0 eno16777736
ifconfig br0 10.0.0.131 netmask 255.255.255.0
ifconfig eno16777736 0 0.0.0.0
ip route add default via 10.0.0.1
ebtables -t broute -A BROUTING -j DROP
Hop this will help some one in the future
I have one linux box with 2 interfaces, wlan0 and wlan1. wlan0 connects to an external wlan AP of subnet 192.168.43.x. On wlan1 a softap is running on subnet 192.168.60.x.
I have run following commands to start nat and ip_forward:
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t mangle -F
iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Another pc e6220 is connected to 192.168.60.x softap. I want to forward pc's traffic to external network 192.168.43.x.
network graph:
external AP (192.168.43.1) <~~~> {wlan0(192.168.43.2), <-- forward --> internal AP on wlan1(192.168.60.1)} <~~~> e6220 (192.168.60.46)
After adding route on pc, icmp and udp works fine, both can reach 192.168.43.1, but tcp doesn't work!
userg#e6220:~ $ ping 192.168.43.1
PING 192.168.43.1 (192.168.43.1) 56(84) bytes of data.
64 bytes from 192.168.43.1: icmp_seq=1 ttl=63 time=9.74 ms
64 bytes from 192.168.43.1: icmp_seq=2 ttl=63 time=9.57 ms
^C
user#e6220:~ $ telnet 192.168.43.1
Trying 192.168.43.1...
telnet: Unable to connect to remote host: Network is unreachable
Capture on linux box wlan1:
17:10:57.579994 IP 192.168.60.46.56412 > 192.168.43.1.telnet: Flags [S], seq 1764532258, win 29200, options [mss 1460,sackOK,TS val 2283575078 ecr 0,nop,wscale 7], length 0
17:10:57.580075 IP 192.168.60.1 > 192.168.60.46: ICMP net 192.168.43.1 unreachable, length 68
No packets seen on wlan0.
It's strange kernel says unreachable, but UDP works.
// route -n output
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.43.1 0.0.0.0 UG 0 0 0 wlan0
192.168.43.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
192.168.60.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan1
I think this may be kernel-version specific. On Linux 3.4.x both tcp and udp are good. This issue is seen on Linux 3.10.61. I want to know if there's any way to fix it, kernel configuration or iptables command. Thanks!
Finally I got the solution.
The routing box is configured with CONFIG_IP_MULTIPLE_TABLES, which is policy routing. The routing rule is:
# ip rule list
0: from all lookup local
10000: from all fwmark 0xc0000/0xd0000 lookup legacy_system
13000: from all fwmark 0x10063/0x1ffff lookup local_network
15000: from all fwmark 0x0/0x10000 lookup legacy_system
16000: from all fwmark 0x0/0x10000 lookup legacy_network
17000: from all fwmark 0x0/0x10000 lookup local_network
23000: from all fwmark 0x0/0xffff uidrange 0-0 lookup main
32000: from all unreachable
So every packet goes to "unreachable". TCP turns good after adding following rules:
# ip rule add iif wlan0 table main
# ip rule add iff wlan1 table main
# ip rule list
0: from all lookup local
9998: from all iif wlan0 lookup main
9999: from all iif wlan1 lookup main
10000: from all fwmark 0xc0000/0xd0000 lookup legacy_system
13000: from all fwmark 0x10063/0x1ffff lookup local_network
15000: from all fwmark 0x0/0x10000 lookup legacy_system
16000: from all fwmark 0x0/0x10000 lookup legacy_network
17000: from all fwmark 0x0/0x10000 lookup local_network
23000: from all fwmark 0x0/0xffff uidrange 0-0 lookup main
32000: from all unreachable
But I still don't know why UDP is good before adding these 2 rules.
I am trying to nat an internal virtual network (adapter tun0 ip: 10.8.0.x - my vpn network) to the outer world (adapter venet0:0 ip xxx.xxx.xxx.xxx)
I am using the following iptables rule:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0:0 -j SNAT --to xxx.xxx.xxx.xxx
For some reason iptables is not changing the outbound ip address:
tcpdump
08:23:17.863971 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 3887, seq 1264, length 64
netstat-nat
Proto NATed Address Destination Address State
udp 10.8.0.6:61339 google-public-dns-a.goo:domain UNREPLIED
Any ideas? What am I doing wrong?
(ip_forward is activated!)
check your iptables -t nat -nvL very carefully. Maybe there's a hidden MASQUERADE somewhere.
have a close look at the selectors, source(-s) and destination(-d). In my case my destination IP was different by one octet. I was expecting .5 and the traffic was destined to .6. like the rule was to SNAT ip xxx.xxx.5.xxx and the destination in the packets were xxx.xxx.6.xxx
I am trying to configure networking on QEMU malta mips, which is running on vmware host (ubuntu) using tap/tun device and bridge interface. My qemu guest is unable to retrieve ip address from DHCP server. If i give it manually, it can just connect with its host. Using tcpdump i came to know that outgoing traffic is working perfectly but incoming is not working.
Can anyone suggest me how to solve this kind of issue?
Thank You
If you use NAT mode, then your host machine will act as a router for your guest VM. This means you must enable routing on your host.
Assuming you start qemu and link it to tap0 interface and your outgoing internet interface is eth0, then you should:
Create the tap0 virtual interface:
tunctl -t tap0
ifconfig tap0 192.168.0.1 netmask 255.255.255.0 up
Activate routing
# activate ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Create forwarding rules, where
# tap0 - virtual interface
# eth0 - net connected interface
iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tap0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Start your VM with somenthing like this:
qemu [..] -net nic,model=e1000,vlan=0 -net tap,ifname=tap0,vlan=0,script=no
In your VM, configure an interface with ip 192.168.0.2/24 and default gateway 192.168.0.1
In NAT mode you can't achieve this. You need to configure VM in bridge mode and I hope you know the steps to configure it; if not see the link here ;
Step #2 of catalin.me's answer could be even simpler:
# activate ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
First two iptables rules are needed only in case if default policy for FORWARD chain is DROP.
E.g.:
iptables -P FORWARD DROP