
I'm working on a project to verify the source of each packet if its destination is one of several IPs on the LAN network. I'm interested in the LAN IPs, not the WAN.

I tried to create many matches like the following but nothing worked.

iptables -t nat -d <list of IPs> -A FORWARD -j NFQUEUE --queue-num 1

I have used the following rules to enable routing in my Raspberry Pi

sudo iptables -F

sudo iptables -t nat -F

sudo iptables -t nat -A POSTROUTING -o $eth -j MASQUERADE

sudo iptables -A FORWARD -i $eth -o $wlan -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A FORWARD -i $wlan -o $eth -j ACCEPT

The question is where should I put the NFQUEUE rule?

-EDIT-

I have been told to enable proxy_arp, so that any local requests are responded to by the Raspberry Pi router. I believe I have to set up the routing tables inside the Raspberry Pi, don't I?

Any thoughts will be appreciated.


Unfortunately, Proxy ARP was not helpful in reaching my desired control over the ARP packets within the network. Anyway, I have seen a solution (OpenVPN client-to-client) but I have not implemented it yet; I will come back to this question to post whether it worked or not.

yagmoth555 • 17,495

1 Answer


When using netfilter, you have to understand how a packet flows through the kernel, i.e. which chains (similar to a 'road checkpoint') it visits, and which kinds of processing it gets in each chain (referred to with the term table). Processing and chains are shown in this illustration; each box has the chain in its lower part and the processing type in the upper one. (You have to focus on the network layer.) Depending on the packet path, only a subset of chains is involved: packets flowing through your Raspberry Pi will only go through PREROUTING, FORWARD and POSTROUTING.

Having a FORWARD chain does not imply that it routes packets. You have to enable it using the command sysctl -w net.ipv4.ip_forward=1 (non-persistent).

Moreover, as shown in the figure, there is no nat processing in the FORWARD chain, only mangle and filter, so the command

iptables -t nat -d <list of IPs> -A FORWARD -j NFQUEUE --queue-num 1

is incorrect.

Packet processing for each table/chain is actually driven by an ordered list of rules, the table, that you define with the iptables command. Each rule is made up of matching criteria and an action which depends on the table type (nfqueue is only allowed in filter tables, masquerade in nat tables, etc.).

Now, coming to nfqueue. We use such an action when further processing of some packets is to be done outside the kernel, by a program you create yourself (see a python example here, for instance), as in intrusion detection systems. Packets are put on a queue (identified with a 16-bit number), processed, then returned to the kernel to resume their flow at the next table/chain. (They can also be dropped in user space.) In a common scenario, you'll typically want to send only accepted packets to userspace (those filtered are ignored at kernel level). You have to be careful about your exact needs, which are not yet clear. I'll try to give an example to explain how it works using your scenario:

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t nat -A POSTROUTING -o $eth -j MASQUERADE
sudo iptables -A FORWARD -i $eth -o $wlan -m state --state RELATED,ESTABLISHED -j NFQUEUE --queue-num 1
sudo iptables -A FORWARD -i $wlan -o $eth -j NFQUEUE --queue-num 1

This means that packets flowing between $eth and $wlan will be put on the same queue. You have to make sure that some program is handling queue no. 1 and ready to process packets.
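As an added example (not part of the original answer or question), here is what a userspace program handling queue 1 could look like in Python. It assumes the kernel feeds queue 1 from the filter table's FORWARD chain with one `-d <ip> -j NFQUEUE --queue-num 1` rule per LAN destination of interest, and uses the third-party NetfilterQueue module (`pip install NetfilterQueue`, root required to bind). The addresses and the "allowed sources per destination" policy are made up for illustration. The verdict logic is kept separate from the queue binding, so it can be exercised with constructed packets without root or the module installed.

```python
#!/usr/bin/env python3
"""Userspace handler for NFQUEUE queue 1 (added example, not from the post).

Assumed kernel side (hypothetical addresses), in the *filter* table:
  iptables -A FORWARD -d 192.168.1.10 -j NFQUEUE --queue-num 1
  iptables -A FORWARD -d 192.168.1.20 -j NFQUEUE --queue-num 1
"""
import ipaddress
import struct

ACCEPT = "ACCEPT"
DROP = "DROP"

# Constructed policy (assumption): for each watched LAN destination, the
# set of source addresses allowed to reach it.
ALLOWED_SOURCES = {
    ipaddress.IPv4Address("192.168.1.10"): {
        ipaddress.IPv4Address("192.168.1.100"),
    },
    ipaddress.IPv4Address("192.168.1.20"): {
        ipaddress.IPv4Address("192.168.1.100"),
        ipaddress.IPv4Address("192.168.1.101"),
    },
}


def parse_ipv4(raw: bytes):
    """Return (src, dst, protocol) from an IPv4 header, or None if not IPv4."""
    if len(raw) < 20:
        return None
    version_ihl = raw[0]
    if version_ihl >> 4 != 4:
        return None
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        return None  # truncated or malformed header
    proto = raw[9]
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    return src, dst, proto


def verdict(raw: bytes, policy=ALLOWED_SOURCES) -> str:
    """Decide what the kernel should do with one queued packet.

    Destinations not in the policy are not our concern: accept them.
    Watched destinations are accepted only from their listed sources;
    anything else, including non-IPv4 or malformed data, is dropped.
    """
    parsed = parse_ipv4(raw)
    if parsed is None:
        return DROP
    src, dst, _proto = parsed
    if dst not in policy:
        return ACCEPT
    return ACCEPT if src in policy[dst] else DROP


def build_ipv4_packet(src: str, dst: str, proto: int = 17, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 header plus payload (constructed test traffic;
    the header checksum is left at zero since the kernel never sees it)."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def run_queue(queue_num: int = 1) -> None:
    """Bind to the NFQUEUE and apply verdict() to every packet (needs root)."""
    from netfilterqueue import NetfilterQueue  # third-party module

    def handle(pkt):
        # get_payload() returns the raw IP packet handed over by the kernel.
        if verdict(pkt.get_payload()) == ACCEPT:
            pkt.accept()   # resume flow at the next table/chain
        else:
            pkt.drop()     # dropped in user space, kernel discards it

    nfq = NetfilterQueue()
    nfq.bind(queue_num, handle)
    try:
        nfq.run()
    except KeyboardInterrupt:
        pass
    finally:
        nfq.unbind()


if __name__ == "__main__":
    run_queue(1)
```

Run it as root next to the iptables rules; until it is running, packets matched by the NFQUEUE rules are dropped by the kernel (unless the rule carries `--queue-bypass`), which is worth remembering when debugging "the LAN stopped working" after adding the rule.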