I tried the whole day to get an NTP packet inside my Python script. For that I am trying to use the scapy and netqueue_filter library, but I'm just not able to figure out why the packet is not showing up.
I can see how the NTP packets are routed through my local network. Here are the corresponding lines from tcpdump:
16:05:39.847140 enp33s0f2 P IP 10.12.1.130.51872 > time2.google.com.ntp: NTPv4, Client, length 48
16:05:39.847147 vnet1 Out IP 10.12.1.130.51872 > time2.google.com.ntp: NTPv4, Client, length 48
16:05:39.847273 vnet0 P IP pfsense.*****.native.32015 > time2.google.com.ntp: NTPv4, Client, length 48
16:05:39.879695 vnet0 Out IP time2.google.com.ntp > pfsense.*****.native.32015: NTPv4, Server, length 48
16:05:39.879822 vnet1 P IP time2.google.com.ntp > 10.12.1.130.51872: NTPv4, Server, length 48
16:05:39.879827 enp33s0f2 Out IP time2.google.com.ntp > 10.12.1.130.51872: NTPv4, Server, length 48
In other words:
ntp-request: enp33s0f (my WiFi AP) → vnet1 (br_lan / before firewall) → vnet0 (br_wan / behind firewall)
ntp-response: the same, just backwards.
My host machine is between the WiFi AP and the firewall. In total it is equipped with 4 physical network cards.
The Python code is pretty simple:
#!/usr/bin/env python3
import os
import sys

from netfilterqueue import NetfilterQueue
from scapy.all import IP, UDP


def process_packet(packet):
    # Get the IP layer from the packet
    ip = IP(packet.get_payload())
    # Print the packet details
    print(f"Packet obtained: {ip.src} -> {ip.dst}")
    # Accept the packet (don't drop it)
    packet.accept()


if __name__ == "__main__":
    # Check if running as root
    if os.geteuid() != 0:
        print("You should run this script as root.")
        sys.exit(1)
    # Set up iptables to redirect NTP packets to NFQUEUE
    os.system('iptables -t raw -A PREROUTING -p udp --dport 123 -j NFQUEUE --queue-num 100')
    os.system('iptables -t raw -A OUTPUT -p udp --dport 123 -j NFQUEUE --queue-num 100')
    # Create a NetfilterQueue object and bind it to queue 100
    nfqueue = NetfilterQueue()
    nfqueue.bind(100, process_packet)
    try:
        print("Ready for NTP packets (Ctrl+C to cease)...")
        nfqueue.run()
    except KeyboardInterrupt:
        print("\nExiting...")
    finally:
        nfqueue.unbind()
        # Clean up iptables rules
        os.system('iptables -t raw -F')
After “Ready for NTP packets (Ctrl+C to cease)…” the console stays pretty quiet, so I assume that the packet is rarely received by the Python script / netfilter_queue is not able to pick it up.
I suspect that netfilter_queue is not doing what it is supposed to, or probably I do not know how to configure it correctly. I checked whether the kernel modules are loaded and the response I got looked fine:
(base) jrz@vmhost0:/boot$ lsmod | grep nfnetlink_queue
nfnetlink_queue 28672 1
nfnetlink 20480 9 nfnetlink_queue,nft_compat,nfnetlink_cttimeout,nf_conntrack_netlink,nf_tables,nfnetlink_log
(base) jrz@vmhost0:/boot$ cat config-6.8.0-45-generic | grep NFQUEUE
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
(base) jrz@vmhost0:/boot$ sudo modprobe nfnetlink_queue
(base) jrz@vmhost0:/boot$
I’m using Kubuntu as operating system.
Thanks in advance. Any help is appreciated.
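
Once packets do reach the queue, packet.get_payload() returns the packet starting at the IP header. The following is an added example, not part of the original post, of how a callback could decide whether such a buffer is an NTP client request or server reply without scapy. The names classify_ntp and build_sample are hypothetical, and the sample packets are constructed (192.0.2.1 is a documentation address standing in for the time server).

```python
import struct

NTP_MODES = {1: "symmetric active", 2: "symmetric passive",
             3: "client", 4: "server", 5: "broadcast"}

def classify_ntp(raw: bytes):
    """Return (src, dst, version, mode) for an IPv4/UDP NTP packet, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None                          # truncated or not IPv4
    ihl = (raw[0] & 0x0F) * 4                # IPv4 header length in bytes
    if ihl < 20 or raw[9] != 17 or len(raw) < ihl + 8:
        return None                          # bad IHL, not UDP, or truncated
    if struct.unpack("!H", raw[6:8])[0] & 0x1FFF:
        return None                          # later fragment: no UDP header here
    sport, dport, ulen, _csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    if 123 not in (sport, dport):
        return None                          # not NTP traffic
    ntp = raw[ihl + 8:ihl + ulen]            # UDP payload, bounded by UDP length
    if len(ntp) < 48:
        return None                          # NTP header is 48 bytes
    version, mode = (ntp[0] >> 3) & 0x07, ntp[0] & 0x07
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    return src, dst, version, NTP_MODES.get(mode, f"mode {mode}")

def build_sample(src, dst, sport, dport, li_vn_mode):
    """Constructed test input: IPv4 + UDP + 48-byte NTP header, checksums left 0."""
    ntp = bytes([li_vn_mode]) + bytes(47)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(ntp), 0) + ntp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(src), bytes(dst))
    return ip + udp

# Constructed samples: client address/port from the tcpdump lines above,
# 192.0.2.1 is a documentation address standing in for the time server.
CLIENT, SERVER = [10, 12, 1, 130], [192, 0, 2, 1]
SAMPLE_REQUEST = build_sample(CLIENT, SERVER, 51872, 123, 0x23)  # VN=4, mode 3
SAMPLE_REPLY = build_sample(SERVER, CLIENT, 123, 51872, 0x24)    # VN=4, mode 4

if __name__ == "__main__":
    for pkt in (SAMPLE_REQUEST, SAMPLE_REPLY, SAMPLE_REQUEST[:30]):
        print(classify_ntp(pkt))
```

Inside an NFQUEUE callback the call would be classify_ntp(packet.get_payload()), followed by packet.accept() regardless of the result so that unparseable packets are not held in the queue.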