Score:0

How to forward traffic through Linux box except requests to the box itself?


I have an Ubuntu box with IP forwarding enabled and a very simple iptables configuration to allow all packets from within the LAN to be forwarded:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -I FORWARD -s 192.168.4.0/24 -j ACCEPT

This works fine, except the SMB shares on the box no longer work, presumably because the packets that end with the box itself as a destination are also being forwarded.

Is there a simple solution so that any TCP connection requests to the box itself will not be forwarded, only requests to external IP addresses?

SHawarden
Apply only if the destination address (`-d`) is the modem/router? Something like `/sbin/iptables -I FORWARD -s 192.168.4.0/24 -d 192.168.4.1 -j ACCEPT` maybe? https://serverfault.com/a/140626/486251
Score:2

The FORWARD chain is only called for traffic that is forwarded, i.e. traffic whose destination is not the local machine, so your rule doesn't have any effect on this kind of traffic. The place you should be looking for the problem is the INPUT chain, which handles traffic that is aimed at the local machine itself.

Use -S or -L to query the INPUT chain:

iptables -S INPUT

Look for the chain policy (the line starting with -P) and see whether it is a DROP or ACCEPT policy. If it is a DROP policy you may need to change it or add an explicit rule to allow Samba in. This rule would probably do the job:

iptables -A INPUT -p tcp --dport 445 -j ACCEPT

See this guide for a few examples of how to do it.
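As an added example (not part of the original thread and not the answerer's code), the following POSIX shell script works through the diagnostic the answer describes: it reads output in the format `iptables -S INPUT` prints, extracts the chain policy, checks whether TCP/445 is already explicitly accepted, and reports what would need changing. It also includes a small helper that shows which chain a packet traverses depending on whether its destination is one of the box's own addresses. The sample rule listing, the local addresses and all function names are constructed for the example, so it runs without root or a real iptables.

```shell
#!/bin/sh
# Added example, not from the original thread. Decide from `iptables -S INPUT`
# output whether the INPUT policy would drop SMB and whether TCP/445 is already
# allowed. The sample listing below is constructed; on a live box you would
# feed in the real output of: iptables -S INPUT

# Constructed sample, in the format `iptables -S INPUT` prints.
SAMPLE_INPUT_RULES='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Which netfilter chain a packet takes on this box: a packet whose destination
# is one of the box's own addresses goes to INPUT, everything else routed
# through the box goes to FORWARD. Usage: chain_for_dst DST LOCAL_ADDR...
chain_for_dst() {
    dst="$1"
    shift
    for addr in "$@"; do
        if [ "$addr" = "$dst" ]; then
            echo INPUT
            return 0
        fi
    done
    echo FORWARD
}

# Print the INPUT chain policy (ACCEPT or DROP) from a -S listing on stdin.
input_policy() {
    awk '$1 == "-P" && $2 == "INPUT" { print $3; exit }'
}

# Exit 0 if the listing on stdin has an ACCEPT rule for TCP destination port $1.
allows_tcp_port() {
    port="$1"
    awk -v p="$port" '
        $1 == "-A" && $2 == "INPUT" && $0 ~ /-p tcp/ &&
        $0 ~ ("--dport " p "( |$)") && $0 ~ /-j ACCEPT/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Combine both checks for the SMB port. Prints one of:
#   ok             - an explicit ACCEPT for TCP/445 exists
#   policy-accept  - no explicit rule, but the chain policy is ACCEPT anyway
#   needs-rule     - policy is DROP and nothing lets TCP/445 in
smb_status() {
    rules="$1"
    policy=$(printf '%s\n' "$rules" | input_policy)
    if printf '%s\n' "$rules" | allows_tcp_port 445; then
        echo ok
    elif [ "$policy" = "ACCEPT" ]; then
        echo policy-accept
    else
        echo needs-rule
    fi
}

# The rule the answer suggests, kept as a string so it can be reviewed before
# being run with root privileges on a real system.
SMB_ACCEPT_RULE='iptables -A INPUT -p tcp --dport 445 -j ACCEPT'

# Demo on the constructed sample. 192.168.4.1 is assumed to be the box's own
# LAN address here; 192.168.4.10 is another host on the LAN.
echo "packet to 192.168.4.1  -> $(chain_for_dst 192.168.4.1 192.168.4.1 10.0.0.5) chain"
echo "packet to 192.168.4.10 -> $(chain_for_dst 192.168.4.10 192.168.4.1 10.0.0.5) chain"
echo "INPUT policy: $(printf '%s\n' "$SAMPLE_INPUT_RULES" | input_policy)"
status=$(smb_status "$SAMPLE_INPUT_RULES")
echo "SMB status: $status"
if [ "$status" = "needs-rule" ]; then
    echo "suggested: $SMB_ACCEPT_RULE"
fi
```

Replacing the sample string with the real `iptables -S INPUT` output on the box gives the same three-way verdict; the point of the `chain_for_dst` helper is simply that the FORWARD rule from the question never sees packets addressed to the box itself, so only the INPUT verdict matters for the SMB share.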

Adam J. Kessel
Thanks! On further testing, it appears this must be a problem with the Apple TV app that is attempting to access the SMB share. I switched my iPhone to use this Linux box as a router and it is able to access both the Internet via forwarding packets and files on the Linux box SMB share. The same thing isn't working on Apple TV on the same LAN, so it seems the problem must be with the Apple TV device or app, rather than with the Linux box.
Gal Weiss
@AdamJ.Kessel My guess would be that the Apple TV is using some discovery protocol that is currently blocked. As a test, just try to let any traffic from it access the Linux box and see if that solves the problem. If it does, you can use tcpdump to see what kind of traffic is sent from the Apple TV to the Linux box.