
I am inserting my network node between 2 legacy devices that exchange TCP and UDP messages using dedicated ports, in both directions. My new node needs to push some TCP/UDP messages through transparently, and intercept other TCP/UDP messages for application-layer processing before sending on the processed messages. The diagram for this "man in the middle"-like configuration is:

[ legacy1 ] -- [ mitm ] -- [ legacy2 ]

with these interfaces

  • legacy1 is at 192.168.1.2
  • legacy2 is at 192.168.1.3
  • mitm (left) is 192.168.1.3 for intercepted right-moving messages, and invisible for forwarded messages
  • mitm (right) is 192.168.1.2 for intercepted left-moving messages, and invisible for forwarded messages

The MITM machine is running Ubuntu 16.04.

Would iptables be enough (at 3rd layer) although I want to bridge (at 2nd layer)? Would ebtables or nftables be better?

markm

1 Answer

You are mentioning a bridge (L2), but according to your diagram you are doing routing (L3), since it seems there are two copies of the same subnet (let's say 192.168.1.0/24), one including legacy1 and mitm-left, and one including legacy2 and mitm-right.

You probably need to ...

modify your setup

# create a bridge between mitm-left (eth0) and mitm-right (eth1)
ip link add name br0 type bridge
ip link set br0 up
ip link set eth0 up
ip link set eth0 master br0
ip link set eth1 up
ip link set eth1 master br0

# add an IP within the subnet that legacy1 and legacy2 are part of
# (192.168.1.0 is the network address and cannot be used as a host address;
#  192.168.1.1 is an assumed example, pick any free host address in the subnet)
ip addr add 192.168.1.1/24 dev br0

# now ensure that netfilter works on the L2 bridge
modprobe br_netfilter
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

The last two lines are only one-off changes; you should make them permanent to ensure:

  • loading of the br_netfilter kernel module on every start
  • enabling the bridge-nf-call capabilities in iptables (i.e. by echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.conf)

result

This setup allows the netfilter part of the Linux kernel to apply filter/log/NAT rules to bridged traffic.

Now you can:

  • use iptables tool to set netfilter rules to handle/modify IPv4/IPv6 packets.
  • use ebtables tool to set netfilter rules to handle/modify any other frames.
  • use nftables tool to set netfilter rules (if your distro is sufficiently up-to-date).

As to your last question - since there are plenty of examples as well as support for iptables/ebtables, I would go with them. Nftables could bring better performance to the table, but I guess your setup is not a performance-heavy scenario.

Halis
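The answer above sets up the bridge and br_netfilter; the following script is an added example (not part of the answer or the question) that carries the same setup through to the interception step: frames for ports that are not listed cross the bridge untouched, while the listed TCP/UDP ports are REDIRECTed to a local process on the mitm box, and conntrack reverses the NAT on replies so legacy1 still sees them come from 192.168.1.3. It assumes eth0 faces legacy1, eth1 faces legacy2, br0 gets the assumed host address 192.168.1.1/24, the interceptor listens locally on the same port numbers, and the port numbers themselves are constructed samples; it prints the commands by default and only executes them when APPLY=1 (root required).

```shell
#!/bin/sh
# Added example, not from the original post.  Assumed layout: eth0 <-> legacy1,
# eth1 <-> legacy2, br0 = 192.168.1.1/24 (any free host address works).
# Dry-run by default: commands are printed.  APPLY=1 executes them (needs root).
BR=br0
BR_ADDR=192.168.1.1/24
INTERCEPT_TCP="5000 5001"   # constructed sample TCP ports to intercept
INTERCEPT_UDP="6000"        # constructed sample UDP port to intercept

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Same bridge setup as in the answer, plus br_netfilter so that bridged IPv4
# frames traverse the iptables PREROUTING/FORWARD/POSTROUTING hooks.
setup_bridge() {
    run ip link add name "$BR" type bridge
    run ip link set "$BR" up
    for dev in eth0 eth1; do
        run ip link set "$dev" up
        run ip link set "$dev" master "$BR"
    done
    run ip addr add "$BR_ADDR" dev "$BR"
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Unlisted ports: forwarded by the bridge as-is (FORWARD policy ACCEPT).
# Listed ports: DNAT (REDIRECT) to the local interceptor bound on the same port.
# conntrack undoes the DNAT on replies, so the legacy peers keep seeing each
# other's addresses; the interceptor's own onward connections to legacy2 would
# come from br0's address unless the application spoofs the source itself.
intercept_rules() {
    run iptables -P FORWARD ACCEPT
    for p in $INTERCEPT_TCP; do
        run iptables -t nat -A PREROUTING -i "$BR" -p tcp --dport "$p" \
            -j REDIRECT --to-ports "$p"
    done
    for p in $INTERCEPT_UDP; do
        run iptables -t nat -A PREROUTING -i "$BR" -p udp --dport "$p" \
            -j REDIRECT --to-ports "$p"
    done
    # let the redirected (DNATed) flows reach the local interceptor
    run iptables -A INPUT -i "$BR" -m conntrack --ctstate DNAT -j ACCEPT
}

setup_bridge
intercept_rules
```

Check what actually landed with `iptables -t nat -L PREROUTING -v` and watch the counters rise on the REDIRECT rules while an intercepted port is exercised; unlisted ports should only bump the FORWARD counters.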