
I have two computers on the same lan

Comp A: 192.168.151.15
Comp B: 192.168.151.19

The setup is like this

Internet <---->  Computer B
      ^-------->  Computer A 

Both computers have a single network card.

When I open Wireshark, for all traffic browsed on comp A, I would like Wireshark to capture traffic of comp A and destination address as the one to the server it is connecting to.

I have tried to understand iptables and other related questions, but somehow I still configure this wrongly.

I use the following iptables rules on comp B

   # redirect any HTTPS/HTTP arriving at comp B to comp B's own address
   iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.151.19:443
   iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.151.19:80
   # rewrite the source address of everything leaving comp B
   iptables -t nat -A POSTROUTING -j MASQUERADE

However, when I browse traffic on comp B, I do not see any traffic on Wireshark (running on comp A). Can someone please guide me how to configure this properly?

  • Can you explain a little better what you are trying to do? Do you want to capture all of Computer A's traffic on Computer B? Or are you trying to capture all the traffic on the network on Computer B?
    – prateek61
    Commented Oct 1, 2016 at 17:46
  • I want to capture all of computer A's traffic on computer B. You can think of it as Comp B is a proxy/gateway to comp A
    – user647332
    Commented Oct 1, 2016 at 23:09
  • Did you update the route on Computer B when you made the iptables change?
    – prateek61
    Commented Oct 2, 2016 at 5:01

1 Answer


These are really two questions, and I'm not sure that they are related.

1) If the computers are connected by ethernet LAN via a switch, and not WLAN, all traffic on the LAN is in principle visible to all devices connected to it. No need to do masquerading/forwarding or use any iptables rules. So just fire up Wireshark on any computer, say, computer B, and you should see the traffic from computer A to the router.

If that doesn't work, ping computer B from computer A. Then ping the router from computer A. If you don't see packets from the first ping, something with the Wireshark setup doesn't work correctly. If you only see packets from the first ping, and not from the second ping, the interface drops packets not intended for that computer for some reason, or something is filtering out packets, so check iptables on computer B etc.

Edit: What also can happen is that your router is not acting as a switch. I tested a bit and found I actually had one router where all 4 LAN ports appear as distinct devices, and are bridged (including WLAN) using a Linux kernel bridge. This kind of bridge keeps track of MAC addresses it has seen, and only forwards to the port where it has seen the destination MAC address. In this case, packets from the two computers can't be seen on the other machine.

Solutions: (a) Find some other ethernet switch and connect everything to it, or (b) use the gateway method.

2) If you want to use computer B as the gateway for computer A (which is not necessary to just observe traffic on ethernet LAN, but may be necessary e.g. for WLAN), you need to configure computer A to use computer B as the gateway. Very likely your "internet" in your setup is a home router, which acts as a DHCP server, assigns IP addresses to computer A and computer B, and tells them to use the router as a gateway. So use route or ip route to set the correct route on computer A. Make sure there are no other routes.

The following script works for me to set up forwarding (though maybe it's not optimal):

#!/bin/bash

# forward traffic on the same $IF for one particular $ADDR, acting as gateway

# load connection tracking and NAT modules (usually autoloaded; harmless if already present)
modprobe nf_conntrack
modprobe nf_conntrack_ipv4
modprobe nf_nat
modprobe iptable_nat

IF="eth0"                 # LAN interface of this machine (computer B)
ADDR="192.168.178.25"     # address of the client whose traffic is forwarded (computer A)

# enable routing between interfaces (here: in and out on the same one)
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# reset filter and nat tables; anything not explicitly allowed below is not forwarded
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
# replies back to $ADDR for connections it opened, and new connections from $ADDR
iptables -A FORWARD -i $IF -o $IF -d $ADDR -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF -o $IF -s $ADDR -j ACCEPT
# rewrite the source of forwarded packets to this machine's own address
iptables -t nat -A POSTROUTING -s $ADDR -j MASQUERADE
  • Thanks a lot. I used the ip route rule. I added the following after flushing all the current rules in the iptables. ip route add default via <IP addr of comp B> . I can now see traffic that I browse on comp A in Wireshark (installed in comp B). However, when I block all packets by adding rules in comp B like iptables -P INPUT DROP (and the same rule for OUTPUT and FORWARD table) I can still browse traffic on comp A. Shouldn't the packets be blocked on comp A as well?
    – user647332
    Commented Oct 2, 2016 at 7:48
  • 1) All iptables rules on B only affect what B does with those packets. No matter what rules you choose, when A sends packets to B, these packets will show up on the interface, and you'll see them in wireshark. Also, I don't really understand why you'd want to block them... 2) Do ip route and ip -6 route on A, and make sure the only route is the default route to B. If there are other routes present, A can still e.g. contact the router directly to browse etc. If you do this and don't set up forwarding on A correctly, B won't be able to connect to the internet at all.
    – dirkt
    Commented Oct 2, 2016 at 10:23
  • I just deleted all the routing tables on A using the ip route del command. The routing table for Computer B is like pastebin.com/7jmwuWx8 and the routing table for Comp A is here pastebin.com/rTXzy58R On comp B, I ran this command echo "1" > /proc/sys/net/ipv4/ip_forward . All iptables are flushed, however there is still no internet connectivity. I do not understand why this does not work
    – user647332
    Commented Oct 3, 2016 at 20:41
  • No internet connectivity on computer A. I ran the script that was added to the post on comp B to take care of the forwarding rules on B. Computer B has internet connectivity.
    – user647332
    Commented Oct 3, 2016 at 21:08
  • You have changed ADDR to the actual address of computer A, and IF to the actual LAN interface of computer B?
    – dirkt
    Commented Oct 4, 2016 at 3:33

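The answer's step 2 and the later comment both come down to one check on computer A: the only way out must be the default route via computer B, or some traffic never reaches the capturing machine. The following script is an added example, not part of the answer or the comments, and not code from either poster. It audits the output of `ip route` and flags any route that would let the client bypass the gateway. It assumes the addresses from the question (192.168.151.19 for computer B, a /24 LAN), the interface name eth0, and the two routing tables it feeds itself are constructed samples, not captured from the poster's machines. Note that the on-link route for the LAN prefix is deliberately not flagged: without it, computer A cannot reach computer B at all, which is consistent with the asker's report of losing connectivity after deleting everything with ip route del.

```shell
#!/bin/sh
# Added example: audit the client's (computer A's) IPv4 routing table to confirm
# that all outbound traffic must pass through the capturing gateway (computer B).
# Addresses are taken from the question; the /24 prefix and eth0 are assumptions.

GW="192.168.151.19"        # computer B, the gateway that runs Wireshark
LAN="192.168.151.0/24"     # shared LAN prefix (assumed /24)

# audit_routes GW LAN: reads `ip route` output on stdin and prints one verdict
# per route:
#   OK      default route via the gateway
#   LINK    on-link route for the LAN itself (required to reach the gateway)
#   BYPASS  any other route: traffic matching it never passes computer B
# Returns 0 only if a default route via GW exists and no BYPASS route is present.
audit_routes() {
    gw="$1"; lan="$2"
    have_default=0; bypass=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case "$line" in
            "default via $gw "*|"default via $gw")
                have_default=1; printf 'OK      %s\n' "$line" ;;
            "$lan dev "*)
                case "$line" in
                    *"scope link"*) printf 'LINK    %s\n' "$line" ;;
                    *) bypass=1; printf 'BYPASS  %s\n' "$line" ;;
                esac ;;
            *)
                bypass=1; printf 'BYPASS  %s\n' "$line" ;;
        esac
    done
    [ "$have_default" -eq 1 ] && [ "$bypass" -eq 0 ]
}

# sample_table good|bad: constructed `ip route` output for the two situations.
sample_table() {
    case "$1" in
        good)
            # Only way out is computer B, plus the on-link route needed to reach it.
            printf '%s\n' \
              "default via 192.168.151.19 dev eth0" \
              "192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.15" ;;
        bad)
            # Typical DHCP-assigned table: the home router is still the default
            # gateway, and a static route also goes around computer B.
            printf '%s\n' \
              "default via 192.168.151.1 dev eth0 proto dhcp metric 100" \
              "10.0.0.0/8 via 192.168.151.1 dev eth0" \
              "192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.15 metric 100" ;;
    esac
}

# Demo on the constructed tables. On the real client run instead:
#   ip route | audit_routes "$GW" "$LAN"
for t in good bad; do
    echo "== constructed table: $t =="
    if sample_table "$t" | audit_routes "$GW" "$LAN"; then
        echo "-> every packet from this host is routed through $GW"
    else
        echo "-> some traffic would bypass $GW; use 'ip route replace default via $GW'"
        echo "   and delete the BYPASS routes, then re-run the audit"
    fi
done
```

The same audit applies to `ip -6 route` on computer A, as the comment points out: an IPv6 default route to the home router, or router advertisements that keep re-adding one, will carry browsing traffic around computer B even when the IPv4 table is clean. Conversely, if the audit passes but computer A has no internet, the problem is on computer B: ip_forward must be 1 and the FORWARD chain must accept traffic from A's real address, which is why the script in the answer only works after ADDR and IF are changed to the actual values.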