To listen specifically to forwarded traffic, it is best to create an nflog rule / interface.

Publishing traffic dumps on Linux

You create an nflog interface:

sudo iptables -t filter -I FORWARD -j NFLOG --nflog-group 6

and then listen on it:

sudo tcpdump -s 0 -n -i nflog:6
The solution to the problem is to use the nflog interface in the iptables framework to get exactly the packets we are interested in.
nflog rules log to a kernel-internal multicast group, identified by an integer in the range 0 to 2^16-1 (65535). Only the part of the datagram that the framework sees is captured; for iptables that is the IPv4 packet.
Using nflog to dump packets forces you to use a special interface syntax for tcpdump and wireshark: the interface must be given as nflog:groupnumber.
Because nflog rules are normal iptables rules, the rules need a proper match and target part so you get exactly the traffic you want. You also must put the rule into the correct place for it to get the packets you're interested in.
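The procedure above (insert an NFLOG rule, listen on nflog:group, remove the rule again), written as a small POSIX shell helper. This is an added example, not code from the original post: the function names, the group-range check and the DRY_RUN switch are all assumptions of this example. The chain, group number and any extra match arguments (the "proper match part" the text insists on) are supplied by the caller; with DRY_RUN unset or set to 1 the commands are only printed, since the real ones need root and a netfilter-capable kernel.

```shell
#!/bin/sh
# Added example (not from the original post). Builds and, optionally, runs the
# iptables NFLOG rule plus the matching tcpdump listener for one nflog group.

# An nflog group is an integer in 0 .. 2^16-1 (65535).
valid_nflog_group() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -le 65535 ]
}

# Build the insert command: chain, group, then optional match arguments
# such as "-s 10.0.0.0/8 -p tcp --dport 443" so only wanted traffic is logged.
# -I puts the rule at the top of the chain, so it sees packets before an
# earlier ACCEPT/DROP rule ends traversal (rule placement matters).
nflog_rule_cmd() {
    [ $# -ge 2 ] || { echo "usage: nflog_rule_cmd CHAIN GROUP [match...]" >&2; return 1; }
    chain=$1; group=$2; shift 2
    valid_nflog_group "$group" || { echo "bad nflog group: $group" >&2; return 1; }
    case "$chain" in
        INPUT|OUTPUT|FORWARD) ;;
        *) echo "bad filter chain: $chain" >&2; return 1 ;;
    esac
    rule="iptables -t filter -I $chain"
    if [ $# -gt 0 ]; then rule="$rule $*"; fi
    echo "$rule -j NFLOG --nflog-group $group"
}

# Same match and target as the insert, with -D, so the rule can be removed.
nflog_delete_cmd() {
    [ $# -ge 2 ] || return 1
    chain=$1; group=$2; shift 2
    rule="iptables -t filter -D $chain"
    if [ $# -gt 0 ]; then rule="$rule $*"; fi
    echo "$rule -j NFLOG --nflog-group $group"
}

# The listener: tcpdump needs the special nflog:<group> interface syntax.
nflog_capture_cmd() {
    valid_nflog_group "$1" || return 1
    echo "tcpdump -s 0 -n -i nflog:$1"
}

# Insert the rule, capture until tcpdump exits, then remove the rule again
# (a trap covers Ctrl-C). DRY_RUN=1 (the default here) only prints the steps.
nflog_capture() {
    add=$(nflog_rule_cmd "$@") || return 1
    del=$(nflog_delete_cmd "$@")
    cap=$(nflog_capture_cmd "$2")
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$add" "$cap" "$del"
    else
        # Unquoted expansion is intentional: the strings are simple argv lists.
        sudo $add
        trap 'sudo $del' EXIT INT TERM
        sudo $cap
    fi
}

# Example call: log forwarded HTTPS traffic from 10.0.0.0/8 (constructed values).
nflog_capture FORWARD 6 -s 10.0.0.0/8 -p tcp --dport 443
```

Run it as-is to see the three commands it would issue; set DRY_RUN=0 to execute them. The match arguments are passed straight through to iptables, which is what lets the rule do the filtering instead of a tcpdump expression: only the packets netfilter matches ever reach the nflog group.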