0 votes

I am working on a kernel module that will be used in a standalone firewall unit. The basic structure of the network will, I assume, be:

LAN <---> Gateway <---> Firewall <---> Internet

The firewall itself has no DHCP server. It has two network interface cards: eth0, which is connected to the internet, and eth1, which is connected to the gateway. The gateway will be configured to forward outgoing packets to the firewall by default; I'm assuming this is possible as well.

I am in the process of writing the kernel module using the Netfilter kernel library and I need a way to forward (or not) packets between the two network interfaces. Will setting up a bridge work? I'm more of a programmer and less of a network engineer, so I'm sort of at a loss here. How should this work?

1
Are you thinking of a network bridge or are you going to translate between network a and network b? Also, what have you actually tried? – Ahmed Masud
I need to forward messages between two ethernet interfaces. Messages received on eth0 are sent to eth1, messages received from eth1 are sent to eth0. Do I need to write code in my kernel module to handle this, or can I use something like a bridge to handle this for me? – Blake Beaupain
Do you really need to write a custom kernel module for this? It looks like a very basic thing to just set up with iptables (googling "linux router howto" brings up a bunch of results). – Jon Lin
IPTables is not close to being scalable enough for this project. – Blake Beaupain
It's not clear what form the forwarding should take - should this be at the ethernet layer? If so, have you even looked at the brctl manpage and maybe some articles on bridging? If it's at the IP layer, exactly what feature is the kernel's IP forwarding support missing that you need? Also, what exactly do you mean by "not close to being scalable enough"? Scalable in what way? – pmdj

1 Answer

0 votes

iptables is the userland interface to the Netfilter engine. If you say that "iptables won't escalate enough for your project", you are saying that Netfilter is not for your project... I think you do not have to code anything; you just have to learn iptables. Yes, I know, it isn't easy ;-)
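The routed (layer-3) two-NIC setup that the question describes and the answer points at, written out as an added example; this is not code from the original post or the answer. eth0 faces the Internet, eth1 faces the gateway, forwarding is enabled, the FORWARD chain defaults to DROP, connections originating behind eth1 are allowed out, only conntrack-established replies are allowed back in, packets claiming a LAN source address but arriving on eth0 are dropped, and traffic leaving eth0 is masqueraded. The address range 10.0.0.0/8 and the interface names are assumptions; the script prints the rule set by default and only applies it when invoked as root with the `apply` argument.

```shell
#!/bin/sh
# Two-NIC routed firewall: WAN side toward the Internet, LAN side toward the gateway.
# Assumptions (constructed for this example): eth0 = WAN, eth1 = LAN side,
# and everything reachable behind the gateway lives in 10.0.0.0/8.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-10.0.0.0/8}

# Emit the rule set, one command per line. Printing first lets the rules be
# reviewed before they touch a live box; apply_rules pipes the same output to sh.
fw_rules() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=1
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -t nat -F POSTROUTING
iptables -A FORWARD -i $wan -s $lan_net -j DROP
iptables -A FORWARD -i $lan -o $wan -s $lan_net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
EOF
}
# Rule order matters: the anti-spoofing DROP for LAN addresses arriving on the WAN
# interface sits before the ACCEPT rules, the rate-limited LOG catches whatever
# falls through, and the chain policy DROP is what finally discards it.

# Apply the rules on a real box. Refuses to run unprivileged or without iptables.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    if ! command -v iptables >/dev/null 2>&1; then
        echo "apply_rules: iptables not found" >&2
        return 1
    fi
    fw_rules "$WAN" "$LAN" "$LAN_NET" | sh -e
}

# Default action is a dry run that prints the rules; "apply" installs them.
case "${1:-show}" in
    apply) apply_rules ;;
    *)     fw_rules "$WAN" "$LAN" "$LAN_NET" ;;
esac
```

Two things the rules alone do not cover: the firewall needs a static route back to the LAN through the gateway's address on the eth1 link (`ip route add 10.0.0.0/8 via <gateway-ip> dev eth1`), and the gateway's default route must point at the firewall's eth1 address. A bridge is the other option raised in the comments: `ip link add name br0 type bridge` with both NICs set as its members puts eth0 and eth1 on one layer-2 segment, which is the transparent-firewall topology; bridged frames only pass through iptables when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is set to 1. For the routed topology drawn in the question no bridge is needed.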