In summary, I would like to have Tun device traffic forwarded
back and forth through another network interface that has internet
connection. While I can see the traffic going out to internet and coming back, it is not routed back to my Tun device.
Here's my setup:
I have a very simple setup using Mint Linux 15 VM under VirtualBox with Win7 as host.
Within the VM, there are two network interfaces – eth0 and tun0.
- eth0 interface is connected to the internet, and is assigned as 192.168.1.115/24.
- tun0 interface is assigned as 10.0.5.1/24.
ip tuntap add dev tun0 mode tun user askldjd
ip link set tun0 up
ip addr add 10.0.5.1/24 dev tun0
I set up my iptables rule to masquerade all traffic going out through eth0.
iptables -I FORWARD -i tun0 -o eth0 -s 10.0.5.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
I tested the rule using a simple ping -I. So to some degree, my iptables rules are working.
ping -I 10.0.5.1 google.com
PING google.com (74.125.228.65) from 10.0.5.1 : 56(84) bytes of data.
64 bytes from iad23s07-in-f1.1e100.net (74.125.228.65): icmp_req=1 ttl=55 time=7.46 ms
My next step is to create an ICMP Request packet with src = 10.0.5.1 and dst = 74.125.228.6 (google.com). This was done from a tcpdump capture, so I know the packet fields/checksum are all valid. And I am sending this packet out through a raw IP socket using a very simple Python script.
- Python send_packet.py : http://pastebin.com/Xh5YgsAx
Before I run the python script, I set up tshark to monitor eth0 and tun0.
tshark -i eth0
tshark -i tun0
Then I run the script. From the tshark console, I can see the ICMP Request going out, and ICMP Reply coming back from google.
1811.947250 192.168.1.115 -> 74.125.228.6 ICMP 98 Echo (ping) request id=0x0990, seq=1/256, ttl=64
1811.955146 74.125.228.6 -> 192.168.1.115 ICMP 98 Echo (ping) reply id=0x0990, seq=1/256, ttl=55
And from the tun0 tshark window, I see nothing.
In my mind, since the ICMP Request packet is set as source = 10.0.5.1, I would expect iptables to un-NAT the ICMP Reply when it comes back. This is not happening.
So either my IPTables setup is incorrect, or I am simply misunderstanding the concept of the Tun device. Any guidance would be greatly appreciated.
I apologize if I misuse any terminology. I am a novice when it comes to networking.
Best Answer
Your main mistake is the assumption that such kind of traffic will be forwarded. This is not the case. From the VM's perspective this is outgoing, not forwarded, traffic. ICMP replies come in on eth0 and go up the protocol stack, thus you cannot see them on the tun0 device. For further details you can look here: https://serverfault.com/questions/554477/tap0-not-receiving-traffic/554698
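The practical consequence of the answer above: a packet sent on a raw IP socket is locally originated (it leaves via the OUTPUT chain, and the reply is delivered to the local stack), so it never touches tun0. For the FORWARD and MASQUERADE rules in the question to apply, the packet has to *arrive on* tun0, which means writing it into the tun file descriptor rather than a raw socket; the un-NATed reply is then routed back out through tun0 and can be read from the same descriptor. The script below is an added example and is not the pastebin send_packet.py from the question nor code from the answer. It assumes the setup from the question (tun0 created as a persistent device and given 10.0.5.1/24, the three iptables rules loaded) plus one thing the question does not mention: net.ipv4.ip_forward must be 1. The source address 10.0.5.2 is a constructed host behind tun0; 74.125.228.65 and id 0x0990/seq 1 are taken from the ping and tshark output in the question. The packet builder, parser and checksum are pure functions that run without any privileges; only the final block needs root (or ownership of tun0) and network access.

```python
import fcntl
import os
import select
import socket
import struct
import time

# Constants from the kernel's <linux/if_tun.h>
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001
IFF_NO_PI = 0x1000  # no 4-byte packet-info header in front of each IP packet


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src, dst, ident, seq, icmp_type=8, payload=b"A" * 56, ttl=64):
    """Build a raw IPv4/ICMP echo packet (type 8 = request, 0 = reply).
    20-byte IP header + 8-byte ICMP header + 56-byte payload = 84 bytes,
    the same size ping and the tshark output in the question show."""
    icmp_body = struct.pack("!HH", ident, seq) + payload
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + icmp_body
    icmp = struct.pack("!BBH", icmp_type, 0, checksum(icmp)) + icmp_body
    fields = (0x45, 0, 20 + len(icmp), 0, 0, ttl, socket.IPPROTO_ICMP)
    addrs = (socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields, 0, *addrs)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields, checksum(ip_hdr), *addrs)
    return ip_hdr + icmp


def parse_icmp(pkt):
    """Return (src, dst, icmp_type, ident, seq) for an IPv4 ICMP packet, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != socket.IPPROTO_ICMP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8:
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return (src, dst, icmp_type, ident, seq)


def open_tun(name="tun0"):
    """Attach to the existing persistent tun device (or create one); returns its fd."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    ifr = struct.pack("16sH", name.encode(), IFF_TUN | IFF_NO_PI)
    fcntl.ioctl(fd, TUNSETIFF, ifr)
    return fd


def ping_via_tun(fd, src, dst, ident=0x0990, seq=1, timeout=3.0):
    """Inject an echo request so the kernel sees it *arriving* on tun0 (PREROUTING ->
    FORWARD -> MASQUERADE on eth0), then wait for the un-NATed reply to be routed
    back out via tun0. Returns the parsed reply tuple, or None on timeout."""
    os.write(fd, build_icmp_echo(src, dst, ident, seq))
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        readable, _, _ = select.select([fd], [], [], remaining)
        if not readable:
            return None
        parsed = parse_icmp(os.read(fd, 65535))
        # Skip anything that is not our echo reply (other traffic the kernel routes to tun0)
        if parsed and parsed[2] == 0 and parsed[3:] == (ident, seq):
            return parsed


if __name__ == "__main__":
    # Assumed, not stated on the page: tun0 is up with 10.0.5.1/24, the question's
    # iptables rules are loaded, and net.ipv4.ip_forward = 1. The source must be a
    # host *behind* tun0 (10.0.5.2 is constructed here), not tun0's own 10.0.5.1:
    # a reply to 10.0.5.1 is a local address and is delivered to the local stack
    # instead of being routed back out through tun0 (and a local source address
    # arriving on an interface may be dropped as a martian, depending on rp_filter).
    tun_fd = open_tun("tun0")
    print(ping_via_tun(tun_fd, "10.0.5.2", "74.125.228.65"))
```

Run it as root (or as the user that owns the persistent tun0) while `tshark -i tun0` is open: the request now shows up on tun0, the masqueraded copy on eth0 as before, and the reply appears on tun0 addressed to 10.0.5.2 and is returned by ping_via_tun. If the reply shows on eth0 but not on tun0, check ip_forward first; if nothing leaves eth0 at all, the FORWARD rule with `--ctstate NEW` is the next thing to inspect with `iptables -L FORWARD -v`.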