Ben Stienstra

Linux, Unix, network, radio and more...

PCEngines APU2 - iptables tee / clone packets

From the manual: The TEE target will clone a packet and redirect this clone to another machine on the local network segment. In other words, the nexthop must be the target, or you will have to configure the nexthop to forward it further if so desired.

If you don't have a switch with mirror / SPAN ports, you can use iptables to clone the packets to another machine on the same subnet. Because the clone is handed straight to the --gateway host rather than routed onward, that monitor box must be on the same layer 2 network as the firewall and must be reachable by IP address there.

Overview

 PC Engines APU2

+-------------------------------------------------------+
|    --------   ------   ------   ------ [---]          |
| O  \Serial/   |NIC1|   |NIC2|   |NIC3| [---]  O  O    |
|     ------    ---|--   ---|--   ---|--                |
+------------------|--------|--------|------------------+
       10.1.1.5/24 |      | |        | |
                   /      +-|--------|-+   
                  /         | Bridge |
                 /          |        |
    10.1.1.6/24 /           |         \
      +-------------+       |          \
      | Monitor box |      WAN         LAN
      +-------------+

Debian 9 (stretch) example

  • Install tools:
    sudo apt install bridge-utils tcpdump
  • NIC1 - Management interface:
    allow-hotplug enp1s0
    iface enp1s0 inet static
      address 10.1.1.5
      netmask 255.255.255.0
      gateway 10.1.1.1
  • br0 - bridge (the member ports carry no IP address themselves; the interface names must match between allow-hotplug and iface):
    allow-hotplug enp2s0
    iface enp2s0 inet manual
    
    allow-hotplug enp3s0
    iface enp3s0 inet manual
    
    auto br0
    iface br0 inet manual
        bridge_ports enp2s0 enp3s0
        bridge_stp on
        bridge_maxwait 0
  • Create TEE rule:
    # br_netfilter makes bridged frames traverse iptables (sysctl net.bridge.bridge-nf-call-iptables must be 1)
    modprobe br_netfilter
    # -F flushes every rule in the mangle table; omit it if other mangle rules are in use
    iptables -t mangle -F
    
    # clone every packet entering the bridge and hand the clone to the monitor box
    iptables -t mangle -A PREROUTING  -i br0 -j TEE --gateway 10.1.1.6
  • Show mangle rules:
    iptables -nvL -t mangle
    Chain PREROUTING (policy ACCEPT 52M packets, 81G bytes)
     pkts bytes target     prot opt in     out     source               destination         
      52M   81G TEE        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TEE gw:10.1.1.6
  • Now you can monitor the traffic on the monitor box with tcpdump, Suricata, Bro, SELKS, Security Onion, etc.
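As an added example (not code from the original page), the script below carries out the "Create TEE rule" step above with the checks an operator would want before mirroring a firewall's traffic: it verifies the monitor box is actually on-link (TEE delivers the clone at layer 2, so an off-subnet --gateway silently mirrors nothing), confirms br_netfilter is active, and uses iptables -C so that re-running it never stacks duplicate TEE rules (each duplicate would send an extra clone). The interface names and addresses (br0, 10.1.1.5/24, 10.1.1.6) are assumed from the diagram above; the sysctl path is the real one used by br_netfilter.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed values from the diagram:
# br0 = bridge, 10.1.1.5/255.255.255.0 = management NIC, 10.1.1.6 = monitor box.

BRIDGE_IF="br0"
MGMT_ADDR="10.1.1.5"
MGMT_MASK="255.255.255.0"
MONITOR_GW="10.1.1.6"

# Dotted-quad IPv4 -> 32-bit integer using only POSIX sh arithmetic.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Returns 0 when $3 lies in the subnet $1/$2. TEE hands the clone to the
# --gateway host's MAC address, so the monitor box must be on-link.
same_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$2") )) -eq $(( $(ip2int "$3") & $(ip2int "$2") )) ]
}

# Rule specification shared by -C (check), -A (append) and -D (delete).
tee_rule_spec() {
    echo "PREROUTING -i $1 -j TEE --gateway $2"
}

# Bridged frames only reach the iptables mangle table when br_netfilter is
# loaded and net.bridge.bridge-nf-call-iptables is 1.
bridge_nf_enabled() {
    [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" = "1" ]
}

apply_tee() {
    if ! same_subnet "$MGMT_ADDR" "$MGMT_MASK" "$MONITOR_GW"; then
        echo "monitor box $MONITOR_GW is not on-link for $MGMT_ADDR/$MGMT_MASK" >&2
        return 1
    fi
    modprobe br_netfilter
    bridge_nf_enabled || sysctl -w net.bridge.bridge-nf-call-iptables=1
    spec=$(tee_rule_spec "$BRIDGE_IF" "$MONITOR_GW")
    # -C succeeds only if an identical rule exists, so re-runs are idempotent.
    if iptables -t mangle -C $spec 2>/dev/null; then
        echo "TEE rule already present"
    else
        iptables -t mangle -A $spec
    fi
    iptables -t mangle -nvL PREROUTING
}

# Delete every copy of the rule when the mirror is no longer needed.
remove_tee() {
    spec=$(tee_rule_spec "$BRIDGE_IF" "$MONITOR_GW")
    while iptables -t mangle -C $spec 2>/dev/null; do
        iptables -t mangle -D $spec
    done
}

case "${1:-}" in
    apply)  apply_tee ;;
    remove) remove_tee ;;
esac
```

Run it as root on the APU2 with `apply` to install the mirror and `remove` to take it down; the helper functions can be exercised without root, which is how the on-link check is tested. Mirroring doubles the traffic leaving the management NIC, so watch the link to the monitor box when the bridge is busy.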
iptables_tee_port_mirror.txt · Last modified: 2017/12/31 10:17 by admin