Send all packets going out a specific interface to an nfqueue


In a testing environment, a process sends packets out a specific interface. I want to be able to send all the packets going out said interface to an nfqueue. I can do this for incoming packets on the interface by doing something like:

iptables -t mangle -A PREROUTING -i eth0 -j NFQUEUE --queue-num 10

However, attempting to do the same thing on any of the outbound tables gives an error that the -i option is invalid. Is this possible to achieve and if so, how so?

Solution:

-i is for incoming packets.

Use -o for outgoing packets.

You can find an explanation in the manpage:

   [!] -i, --in-interface name
          Name of an interface via which a packet was received  (only  for
          packets  entering  the  INPUT,  FORWARD  and PREROUTING chains).
          When the "!" argument is used before  the  interface  name,  the
          sense  is  inverted.   If the interface name ends in a "+", then
          any interface which begins with this name will match.   If  this
          option is omitted, any interface name will match.

   [!] -o, --out-interface name
          Name of an interface via which a packet is going to be sent (for
          packets entering the FORWARD, OUTPUT  and  POSTROUTING  chains).
          When  the  "!"  argument  is used before the interface name, the
          sense is inverted.  If the interface name ends in  a  "+",  then
          any  interface  which begins with this name will match.  If this
          option is omitted, any interface name will match.

or in the output of iptables --help:

[!] --out-interface -o output name[+]
                network interface name ([+] for wildcard)
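As an added example (not part of the original question or answer), the script below encodes the chain/option pairing quoted from the manpage and builds the matching NFQUEUE rules for one interface. It assumes the interface eth0 and queue number 10 from the question, and adds --queue-bypass so packets are not silently dropped while no userspace program is bound to the queue.

```sh
#!/bin/sh
# Added example: hand traffic on one interface to an NFQUEUE in both directions.
# Per the manpage quoted above, -i is only valid in INPUT/FORWARD/PREROUTING
# and -o only in FORWARD/OUTPUT/POSTROUTING. Assumed values: eth0, queue 10.
# --queue-bypass: with no listener on the queue, packets are accepted rather
# than dropped (the default NFQUEUE behaviour when nothing is bound).

# iface_opt_ok CHAIN OPT -> exit 0 if OPT (-i or -o) is legal in CHAIN
iface_opt_ok() {
    case "$2:$1" in
        -i:INPUT|-i:FORWARD|-i:PREROUTING)   return 0 ;;
        -o:FORWARD|-o:OUTPUT|-o:POSTROUTING) return 0 ;;
        *)                                   return 1 ;;
    esac
}

# nfq_rule in|out IFACE QUEUE -> prints the chain and rule-spec (everything
# after -A/-C) that sends that direction's packets on IFACE to queue QUEUE
nfq_rule() {
    case "$1" in
        in)  chain=PREROUTING;  opt=-i ;;   # packets received on IFACE
        out) chain=POSTROUTING; opt=-o ;;   # packets about to leave via IFACE
        *)   echo "nfq_rule: direction must be 'in' or 'out'" >&2; return 1 ;;
    esac
    iface_opt_ok "$chain" "$opt" || return 1
    printf '%s\n' "$chain $opt $2 -j NFQUEUE --queue-num $3 --queue-bypass"
}

# nfq_install in|out IFACE QUEUE -> appends the rule to the mangle table only
# if it is not already present (-C checks, -A appends), so re-running is safe
nfq_install() {
    rule=$(nfq_rule "$@") || return 1
    # word splitting of $rule into separate arguments is intended here
    iptables -t mangle -C $rule 2>/dev/null || iptables -t mangle -A $rule
}

# Only touch the firewall when explicitly asked: ./nfq.sh apply [iface] [queue]
if [ "${1:-}" = "apply" ]; then
    nfq_install in  "${2:-eth0}" "${3:-10}"
    nfq_install out "${2:-eth0}" "${3:-10}"
fi
```

Locally generated packets traverse OUTPUT and then POSTROUTING, so the POSTROUTING rule catches both forwarded and locally generated traffic leaving eth0.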
