
There are plenty of examples on here of how to forward IP traffic on a Linux machine, and a few examples of how to forward traffic from one interface to another. However, most of the latter examples concern themselves with connecting one machine to the internet - I have an FPGA connected to a Windows machine with a Red Hat box as an intermediary.

The FPGA spits out data into eth0 of the Red Hat box, which I then want to forward to the Windows machine on eth1. Both the FPGA and the Windows box are on different subnets, and the Red Hat machine is being used because the FPGA has a 40G line coming out of it and the Windows machine doesn't have a 40G card (the data rates for this particular case are low enough that the 40G line isn't anywhere close to necessary - it shouldn't overflow the 1G line out on eth1). I have tried this (to no avail):

sudo iptables -t nat -A POSTROUTING -d <windows ip> --out-interface eth1 -j MASQUERADE
sudo iptables -A FORWARD -d <fpga's ip> --in-interface eth0 -j ACCEPT

I have already modified sysctl to allow IPv4 forwarding.

If I open the floodgates and tell the Red Hat machine to send everything it gets on eth0 to eth1, it sends out some sort of mDNS query on eth1 and doesn't end up forwarding anything... I'm using Wireshark to look at traffic on the Red Hat box.

I'm not a networking guy, so an explanation of what I'm doing/not doing would be appreciated.

Thanks.

EDIT: Maybe I need to clarify one point: the FPGA packets' destination IP is not the Windows machine; it is the Red Hat box. I want the Red Hat box to send a copy of the packet to Windows.

UPDATE:

After a bit of poking around, I found the answer: the MAC address of the FPGA and the MAC address of the Red Hat 40G card were not synced properly. Fixing this solved my problem.

scs675

1 Answer


First thing: do you need NAT? For now, we can assume that you need it; otherwise you can skip the first iptables command that you issued and configure a static route (or, perhaps, configure the default route for Windows through the RedHat box). Otherwise, the first rule is correct.

On the second command: you added a rule to "accept" forwarding inbound traffic from eth0 to the FPGA IP address, which I think is wrong, because the traffic is from the FPGA, so the command is something like:

$ sudo iptables -A FORWARD -s <FPGA's ip> -i eth0 -j ACCEPT

Then, you need a rule that allows the traffic to flow in the opposite direction:

$ sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Also, you should see if appending (-A) the rule is correct (e.g. if there are some other rules that can interfere). You can see the current configuration with iptables -vnL FORWARD. Remember that rules are evaluated from the first one to the last one: the first match wins.

PS: I suggest you add a rule to allow ICMP ping in order to debug network/routing problems:

$ sudo iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT
$ sudo iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
  • No dice. I have: sudo sysctl -w net.ipv4.ip_forward=1 sudo sysctl -w net.ipv4.conf.enp7s0f0.rp_filter=0 sudo sysctl -w net.ipv4.conf.ens4f0.rp_filter=0 sudo sysctl -p sudo iptables -t nat -A POSTROUTING -d --out-interface enp7s0f0 -j MASQUERADE sudo iptables -A FORWARD -s -i ens4f0 -j ACCEPT sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Wireshark can't see any traffic going outbound to Windows. I see the FPGA sending packets on the first interface, but no traffic on the second interface (from Red Hat). I can ping the Windows machine just fine. – scs675 May 01 '18 at 15:59
  • Do you have any other firewall rule prior these? Check also in other tables (`nat`, `mangle`, `raw`). Also, do you have any route with `unreachable` or `blackhole` target in `ip route show`? –  May 02 '18 at 07:21
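The answer's two points about the FORWARD chain, that rules are walked top to bottom with the first match winning, and that `-d <fpga's ip> --in-interface eth0` can never match packets the FPGA sends, can be shown with a small model of the chain. This is an added example, not code from the question or the answer; the addresses 10.0.0.2 and 192.168.1.20 are constructed stand-ins for the placeholders in the post, and the model assumes the chain's default policy is DROP.

```python
"""Toy model of the iptables FORWARD chain: first matching rule wins, else the default policy."""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed stand-ins for the <fpga's ip> / <windows ip> placeholders in the post.
FPGA_IP = "10.0.0.2"
WINDOWS_IP = "192.168.1.20"

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    state: str = "NEW"  # conntrack state as seen by -m state: NEW or ESTABLISHED

@dataclass
class Rule:
    target: str                        # -j ACCEPT / -j DROP
    src: Optional[str] = None          # -s
    dst: Optional[str] = None          # -d
    in_iface: Optional[str] = None     # -i / --in-interface
    states: Optional[Set[str]] = None  # -m state --state ...

    def matches(self, p: Packet) -> bool:
        # Every option given on the rule must agree; options left out match anything.
        return all([
            self.src is None or self.src == p.src,
            self.dst is None or self.dst == p.dst,
            self.in_iface is None or self.in_iface == p.in_iface,
            self.states is None or p.state in self.states,
        ])

def forward_verdict(chain, p: Packet, policy: str = "DROP") -> str:
    """Return the target of the first matching rule, or the chain's default policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

# The question's rule: -d <fpga's ip> --in-interface eth0 (the FPGA is the source, not the destination).
ORIGINAL = [Rule("ACCEPT", dst=FPGA_IP, in_iface="eth0")]
# The answer's version: -s <FPGA's ip> -i eth0, plus the ESTABLISHED,RELATED rule for replies.
CORRECTED = [
    Rule("ACCEPT", src=FPGA_IP, in_iface="eth0"),
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
]

FPGA_TO_WINDOWS = Packet(FPGA_IP, WINDOWS_IP, "eth0")
WINDOWS_REPLY = Packet(WINDOWS_IP, FPGA_IP, "eth1", state="ESTABLISHED")
```

Prepending a `DROP` rule for eth0 ahead of `CORRECTED` drops the FPGA traffic again, which is the ordering problem the answer tells you to check with `iptables -vnL FORWARD`.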