Re: TAP interface and iptables forwarding/nat/masquerading

Stéphane Charette wrote:
> If I bring up a device alias like this:
> 
>> sudo ifconfig eth0:test0 10.0.1.1 netmask 255.255.255.0
> 
> ...then use these few simple iptables rules:
> 
>> sudo iptables --table nat --append POSTROUTING --out-interface eth0 \
>>     --src 10.0.1.0/24 --jump MASQUERADE
>> sudo iptables --table filter --append FORWARD --match conntrack \
>>     --ctstate NEW --src 10.0.1.0/24 ! --dst 10.0.1.0/24 --jump ACCEPT
>> sudo iptables --table filter --append FORWARD --match conntrack \
>>     --ctstate RELATED,ESTABLISHED --jump ACCEPT
>> sudo iptables --table filter --policy FORWARD DROP
> 
> This gives me a working home router with nat/masquerading capability.

IIUC, this acts as a "stub" router routing between two networks on the
same interface. Correct?

> But if instead of creating an alias with the ifconfig command, I
> instead use a TAP device opened up from some C++ code with the same
> 10.0.1.1/24 address, I don't see any traffic coming into the TAP
> interface.

How do you send traffic through the TAP interface?

> What I eventually want is to have a user-space C++ application that
> can examine traffic, and make decisions on what traffic to drop,
> modify packets, or packets to log.  Then that C++ application sends
> the remaining packets on their way.  Is it possible to use iptables
> for this?

You may want to check the QUEUE and NFQUEUE targets.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
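The NFQUEUE approach suggested above, as an added example that is not part of the original thread or of the netfilter project: an iptables rule hands packets from the 10.0.1.0/24 network to a user-space program, which parses each raw IPv4 datagram, decides whether to accept, drop or log it, and returns a verdict. The packet parser, the policy (drop and log new TCP connections from the LAN to a couple of ports) and the sample packets are all constructed here; the only piece that needs a real kernel queue is the optional `run_queue()` binding, which assumes the third-party `netfilterqueue` Python package and root privileges.

```python
"""User-space packet inspection for NFQUEUE: parse, decide, return a verdict.

Everything except run_queue() runs offline on constructed packets.
"""
import ipaddress
import socket
import struct

ACCEPT = "ACCEPT"
DROP = "DROP"

# Policy knobs (constructed for this example, not from the original mail).
LAN = ipaddress.ip_network("10.0.1.0/24")
BLOCKED_TCP_PORTS = {23, 445}   # new TCP connections from the LAN to these ports are dropped


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header; for TCP/UDP also the ports, and for TCP the SYN/ACK flags."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4           # header length in bytes (options included)
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl}
    l4 = packet[ihl:]
    if proto in (6, 17) and len(l4) >= 4:   # TCP or UDP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:        # TCP: flags live in byte 13 of the header
        flags = l4[13]
        info["syn"] = bool(flags & 0x02)
        info["ack"] = bool(flags & 0x10)
    return info


def decide(packet: bytes, log: list) -> str:
    """Return ACCEPT or DROP for one packet; append a line to `log` when dropping."""
    info = parse_ipv4(packet)
    is_new_tcp = info["proto"] == 6 and info.get("syn") and not info.get("ack")
    if (is_new_tcp and ipaddress.ip_address(info["src"]) in LAN
            and info.get("dport") in BLOCKED_TCP_PORTS):
        log.append(f"DROP {info['src']}:{info['sport']} -> "
                   f"{info['dst']}:{info['dport']} (new TCP connection)")
        return DROP
    return ACCEPT


def build_packet(src: str, dst: str, proto: int, sport: int, dport: int,
                 tcp_flags: int = 0x02) -> bytes:
    """Construct a minimal IPv4 + TCP/UDP datagram (checksums left zero; enough for parsing)."""
    if proto == 6:   # 20-byte TCP header: ports, seq, ack, offset, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4


def run_queue(queue_num: int = 1) -> None:
    """Bind to NFQUEUE `queue_num` and apply decide() to live packets.

    Assumption: the third-party `netfilterqueue` package (not stdlib); needs root and an
    iptables rule such as `-A FORWARD -s 10.0.1.0/24 -j NFQUEUE --queue-num 1`.
    """
    from netfilterqueue import NetfilterQueue
    log: list = []

    def callback(pkt):
        verdict = decide(pkt.get_payload(), log)
        while log:
            print(log.pop(0))
        pkt.drop() if verdict == DROP else pkt.accept()

    nfq = NetfilterQueue()
    nfq.bind(queue_num, callback)
    try:
        nfq.run()
    finally:
        nfq.unbind()


if __name__ == "__main__":
    # Offline self-check on constructed packets; run_queue(1) would process live traffic.
    events: list = []
    telnet_syn = build_packet("10.0.1.20", "192.0.2.10", 6, 40000, 23)
    print(decide(telnet_syn, events), events)          # DROP, one log line
    http_syn = build_packet("10.0.1.20", "192.0.2.10", 6, 40001, 80)
    print(decide(http_syn, events))                     # ACCEPT
```

Two points worth keeping in mind when wiring this up. The rule that diverts packets must sit in the FORWARD chain before the ACCEPT rules in the original mail, otherwise conntrack's RELATED,ESTABLISHED match accepts the return traffic before the queue sees it. And if no user-space program is bound to the queue, the kernel drops every queued packet by default, so a crashed inspector takes the LAN offline; the NFQUEUE target's `--queue-bypass` option makes the rule a no-op in that case, which is the fail-open choice and should be a deliberate one.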