If I bring up a device alias like this:

    > sudo ifconfig eth0:test0 10.0.1.1 netmask 255.255.255.0

...then use these few simple iptables rules:

    > sudo iptables --table nat --append POSTROUTING --out-interface eth0 \
    >     --src 10.0.1.0/24 --jump MASQUERADE
    > sudo iptables --table filter --append FORWARD --match conntrack \
    >     --ctstate NEW --src 10.0.1.0/24 ! --dst 10.0.1.0/24 --jump ACCEPT
    > sudo iptables --table filter --append FORWARD --match conntrack \
    >     --ctstate RELATED,ESTABLISHED --jump ACCEPT
    > sudo iptables --table filter --policy FORWARD DROP

This gives me a working home router with NAT/masquerading capability. All is good.

But if, instead of creating an alias with the ifconfig command, I use a TAP device opened up from some C++ code with the same 10.0.1.1/24 address, I don't see any traffic coming into the TAP interface.

What I eventually want is to have a user-space C++ application that can examine traffic and make decisions on which traffic to drop, which packets to modify, and which packets to log. Then that C++ application sends the remaining packets on their way.

Is it possible to use iptables for this?

Thanks for any help or pointers.

Stéphane

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html