I am trying to receive packets from the local network, including specifically broadcast and multicast, on device B, which is connected to the local network through device A, which is acting as a router with iptables.

In other words, I am trying to receive broadcast and multicast packets from the network on device A, and forward them to another network connected to another NIC on device A to device B.

This is currently working with unicast packets, but is not working with broadcast and multicast packets. As this is forwarding to another subnet, the relevant RFC document appears to state it is not standard behavior.

Here is a relevant portion of the iptables rules; as you can see from the comments, the service I'm trying to receive these packets from is EtherNet/IP:

# Allow EthernetIP traffic via external ethernet or wifi interfaces.
# Note: as posted, most of these rules named no target. A rule without -j only
# counts matches and accepts nothing, so "-j ACCEPT" is assumed below where a
# target was missing.
for ifc in $ETHEXT $WIFI; do
    # UDP 2222: EtherNet/IP implicit (I/O) messaging
    iptables -A INPUT -p udp -i $ifc --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A INPUT -p udp -i $ifc --dport 2222 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # This seems to be able to be either a destination or source port
    iptables -A OUTPUT -p udp -o $ifc --dport 2222 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # TCP 44818: EtherNet/IP explicit messaging
    iptables -A INPUT -p tcp -i $ifc --dport 44818 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A INPUT -p tcp -i $ifc --dport 44818 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # This being ESTABLISHED,RELATED means that you can't have a netcat listener on the device
    iptables -A OUTPUT -p tcp -o $ifc --dport 44818 -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # UDP 44818: EtherNet/IP encapsulation (e.g. ListIdentity, which is sent as broadcast)
    iptables -A INPUT -p udp -i $ifc --dport 44818 -m conntrack --ctstate NEW -j EXT_LOG_ACCEPT
    iptables -A INPUT -p udp -i $ifc --dport 44818 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # This being ESTABLISHED,RELATED means that you can't have a netcat listener on the device
    iptables -A OUTPUT -p udp -o $ifc --dport 44818 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
done

# EthernetIP packets forwarded between the internal NIC ($ETHINT) and the rest
# of the router. The FORWARD chain only sees packets the kernel has decided to
# route, i.e. unicast; "-j ACCEPT" is assumed here as well.
iptables -t filter -A FORWARD -i $ETHINT -p udp --dport 2222 -j ACCEPT
iptables -t filter -A FORWARD -o $ETHINT -p udp --sport 2222 -j ACCEPT
iptables -t filter -A FORWARD -i $ETHINT -p tcp --dport 44818 -j ACCEPT
iptables -t filter -A FORWARD -o $ETHINT -p tcp --sport 44818 -j ACCEPT
iptables -t filter -A FORWARD -i $ETHINT -p udp --dport 44818 -j ACCEPT
iptables -t filter -A FORWARD -o $ETHINT -p udp --sport 44818 -j ACCEPT

Here is an image of my network topology if it helps.

Any thoughts on this?

APIUM
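An added example, not part of the question above, that makes the forwarding-path distinction concrete: a small POSIX sh script that classifies a destination address the way a Linux router treats it (unicast is routed and hits the FORWARD chain; 255.255.255.255 and 224.0.0.0/24 are never forwarded; the subnet's directed broadcast is not forwarded by default per RFC 2644; other multicast needs multicast routing rather than the unicast FORWARD path), plus a check that flags iptables rules which name no `-j` target and therefore accept nothing. The subnet 192.168.1.0/24, the interface name eth1 and the sample addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example: why a FORWARD rule set can only carry unicast across a
# Linux router, and a lint for rules without a jump target.
# All addresses/interfaces below are constructed demo values.

# ip_to_int A.B.C.D -> decimal 32-bit value (portable shell arithmetic only)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# classify_dst DST LAN_CIDR -> one keyword describing how a router treats DST
#   unicast              routed normally; the FORWARD chain applies
#   limited-broadcast    255.255.255.255; never forwarded (RFC 919)
#   directed-broadcast   subnet broadcast of LAN_CIDR; forwarding disabled
#                        by default (RFC 2644)
#   linklocal-multicast  224.0.0.0/24; never forwarded
#   multicast            rest of 224/4; needs multicast routing, not the
#                        unicast FORWARD path
classify_dst() {
    dst=$1; cidr=$2
    first=${dst%%.*}
    if [ "$dst" = "255.255.255.255" ]; then
        echo limited-broadcast; return
    fi
    if [ "$first" -ge 224 ] && [ "$first" -le 239 ]; then
        case $dst in
            224.0.0.*) echo linklocal-multicast ;;
            *)         echo multicast ;;
        esac
        return
    fi
    net_ip=${cidr%/*}; prefix=${cidr#*/}
    hostbits=$(( 32 - prefix ))
    mask=$(( (1 << 32) - (1 << hostbits) ))
    net=$(( $(ip_to_int "$net_ip") & mask ))
    bcast=$(( net + (1 << hostbits) - 1 ))
    if [ "$(ip_to_int "$dst")" -eq "$bcast" ]; then
        echo directed-broadcast
    else
        echo unicast
    fi
}

# has_target RULE -> 0 if the iptables rule names a jump target, else 1.
# A rule without -j/--jump only increments match counters; it accepts nothing.
has_target() {
    case " $1 " in
        *" -j "*|*" --jump "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on constructed values: LAN 192.168.1.0/24 on the router's external NIC.
for d in 192.168.1.50 192.168.1.255 255.255.255.255 224.0.0.251 239.192.1.1; do
    printf '%-16s %s\n' "$d" "$(classify_dst "$d" 192.168.1.0/24)"
done
has_target 'iptables -A FORWARD -t filter -i eth1 -p udp --dport 2222' \
    || echo 'rule has no -j target: it matches but accepts nothing'
```

The practical reading for a defender: no FORWARD rule, however permissive, will move limited broadcast or link-local multicast between subnets, so any relay for EtherNet/IP discovery has to be an explicit, deliberately scoped mechanism (a multicast routing daemon, which sets the read-only net.ipv4.conf.*.mc_forwarding, or an application-level proxy on the router), and it should be confined to the two interfaces and the ports involved so that the router does not become a general broadcast amplifier.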

0 Answers