Friday 31 May 2019

networking - Iptables rules seem to be missing packets?

On my home network (192.168.1.0/24), I am trying to use iptables to silently clone all wifi TCP/UDP traffic to/from my Xbox One to my Windows 10 desktop, for packet sniffing via Wireshark.


Due to locational constraints limiting ethernet connections, I'm attempting to do this via two wireless access points that share one network, with their LAN ports being the only Ethernet connection in the setup:

    [Ethernet to cable modem]
      |
      +-- NETGEAR R6260, 192.168.1.1 (SSID: TheNewNetwork (5G), stock firmware, gateway)
      |     +-- PRINTER      192.168.1.14
      |     +-- AMAZON       192.168.1.15
      |     +-- AMAZON       192.168.1.16
      |     +-- DESKTOPWIN10 192.168.1.10
      |     +-- Nexus-5X     192.168.1.13
      |     +-- GALAXY-S8    192.168.1.17
      |
      +-- LINKSYS E2500, 192.168.1.2 (SSID: TheOtherNetwork, Tomato w/ iptables), LAN port to LAN port
            +-- XBOXONE      192.168.1.12


The Linksys E2500 has been flashed with Tomato V1.28 (build 140) and is running the iptables framework. DHCP and NAT are off. The Xbox is connected to its unsecured wireless access point (SSID: TheOtherNetwork).


Everything else is on the WPA2-secured Netgear wireless (SSID: TheNewNetwork), per usual. The Linksys IP (192.168.1.2) is static, and the Windows (192.168.1.10) and Xbox (192.168.1.12) IPs are assigned by DHCP reservation on the Netgear, which also assigns non-reserved DHCP addresses to everything else (printer, Amazon Fire TV Sticks [x2], smartphones), and handles the NAT for WAN-bound traffic. This network arrangement seems to work flawlessly for all "normal" use cases.


Originally, I thought I could just throw in some packet cloning iptables rules on the Linksys that match on the Xbox's IP, like:

    iptables -A PREROUTING -t mangle -s 192.168.1.12 -j ROUTE --gw 192.168.1.10 --tee
    iptables -A PREROUTING -t mangle -d 192.168.1.12 -j ROUTE --gw 192.168.1.10 --tee

...but finding very few Xbox packets in my Wireshark feed, I decided to dig more into if the rules (that were meant to catch all Xbox traffic) were even getting triggered/matched (since that needs to happen before the ROUTE target even comes into play to get packets to Windows/Wireshark).


So, to get a full packet-triggering-debugging snapshot, I set up similarly-triggered rules for each IP address on the network, with a simple -j ACCEPT target, and with a "catch all" rule at the end of the chain that should trigger no matter what. Then I fired up the Xbox and played a minute or so of an online first-person shooter (which worked fine as far as I could tell from the Xbox).


After a minute, this is what I got from the iptables rule list summary:

    root@E2500-Host:/# iptables -t mangle -vnL PREROUTING
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        1    68 ACCEPT     all  --  *      *       192.168.1.12         0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.12
      408 60499 ACCEPT     all  --  *      *       192.168.1.10         0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.10
        0     0 ACCEPT     all  --  *      *       192.168.1.1          0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.1
        0     0 ACCEPT     all  --  *      *       192.168.1.13         0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.13
        1   351 ACCEPT     all  --  *      *       192.168.1.14         0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.14
        0     0 ACCEPT     all  --  *      *       192.168.1.15         0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.15
        0     0 ACCEPT     all  --  *      *       192.168.1.16         0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.16
        1   344 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0


WHAT?!? One measly packet from the Xbox? I was playing an online first person shooter for a solid minute, with dozens of real-world opponents' positions updated from the server many times per second. (I've read enough on this particular game to expect UDP for this exchange.) There MUST BE more traffic than that between 192.168.1.12 and the outside world, and it MUST BE getting handled by the Linksys router that is running iptables, since the Xbox is only connected to the internet via the Linksys unsecured access point, TheOtherNetwork.


As a possibly-related side note: Other oddities include 0 triggered packets for any inbound traffic to any local IP (although maybe not unexpected for the non-Xbox devices on the other access point), and the fact that it caught so many outbound packets from the Windows desktop, 192.168.1.10 (which again, isn't on the Linksys SSID, so I might not have expected the Linksys to see these).


How is it possible iptables is missing the Xbox packets that allowed the fast-paced online game to function?
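As an added diagnostic (this is editor-supplied example code, not from the question or any answer to it), the Python below parses the kind of `iptables -vnL` counter listing shown above and flags hosts whose per-direction rules fired in only one direction; that pattern points at the chain not sitting on the path of that host's traffic rather than at an idle host. The sample listing is a constructed subset of the question's own counters.

```python
# Constructed sample: a subset of the PREROUTING counters quoted in the question.
SAMPLE = """Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    1    68 ACCEPT all -- * * 192.168.1.12 0.0.0.0/0
    0     0 ACCEPT all -- * * 0.0.0.0/0 192.168.1.12
  408 60499 ACCEPT all -- * * 192.168.1.10 0.0.0.0/0
    0     0 ACCEPT all -- * * 0.0.0.0/0 192.168.1.10
    0     0 ACCEPT all -- * * 192.168.1.1 0.0.0.0/0
    0     0 ACCEPT all -- * * 0.0.0.0/0 192.168.1.1
    1   351 ACCEPT all -- * * 192.168.1.14 0.0.0.0/0
    0     0 ACCEPT all -- * * 0.0.0.0/0 192.168.1.14
    1   344 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
"""

ANY = "0.0.0.0/0"


def parse_counters(text):
    """Return (pkts, bytes, source, destination) for each rule line of `iptables -vnL` output.

    Column order in that output is: pkts bytes target prot opt in out source destination.
    Header and 'Chain' lines do not start with a number and are skipped."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[0].isdigit() and f[1].isdigit():
            rules.append((int(f[0]), int(f[1]), f[7], f[8]))
    return rules


def per_host_traffic(rules):
    """Sum packet counters per host: '-s host' rules count as outbound, '-d host' as inbound."""
    hosts = {}
    for pkts, _, src, dst in rules:
        if src != ANY:
            hosts.setdefault(src, {"out": 0, "in": 0})["out"] += pkts
        elif dst != ANY:
            hosts.setdefault(dst, {"out": 0, "in": 0})["in"] += pkts
    return hosts


def suspicious_hosts(hosts):
    """Hosts seen in exactly one direction. Real two-way traffic (a game session, a DHCP
    lease) cannot be one-way, so the chain is not seeing everything for these hosts,
    e.g. frames switched at layer 2 that never reach the IP-layer netfilter hooks."""
    return sorted(h for h, c in hosts.items() if (c["out"] == 0) != (c["in"] == 0))


def catch_all_pkts(rules):
    """Packets that reached the final any-to-any rule, i.e. matched none of the per-host rules."""
    return sum(p for p, _, s, d in rules if s == ANY and d == ANY)
```

Run against a live box with `iptables -t mangle -vnL PREROUTING` piped in, and compare the suspicious list against the hosts you expected the chain to see on both sides of a conversation.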
