iptables_tee_port_mirror
PCEngines APU2 - iptables tee / clone packets
From the manual: The TEE target will clone a packet and redirect this clone to another machine on the local network segment. In other words, the nexthop must be the target, or you will have to configure the nexthop to forward it further if so desired.
If you don't have a switch with mirror / span ports, you can use iptables to clone the packets to another machine on the same subnet.
Overview
                      PC Engines APU2
    +-------------------------------------------------------+
    |   --------   ------   ------   ------          [---]   |
    | O \Serial/   |NIC1|   |NIC2|   |NIC3|          [---] O O |
    |    ------    ---|--   ---|--   ---|--                  |
    +-----------------|--------|--------|--------------------+
         10.1.1.5/24  |        |        |
                      |        |        |
                     /       +-|--------|-+
                    /        |  Bridge   |
                   /         |           |
      10.1.1.6/24 /          |  \        |
     +-------------+         |   \       |
     | Monitor box |        WAN   LAN
     +-------------+
Debian 9 (stretch) example
- Install tools:
sudo apt install bridge-utils tcpdump
- NIC1 - Management interface:
    allow-hotplug enp1s0
    iface enp1s0 inet static
        address 10.1.1.5
        netmask 255.255.255.0
        gateway 10.1.1.1
- br0 - bridge:
    allow-hotplug enp2s0
    iface enp2s0 inet manual

    allow-hotplug enp3s0
    iface enp3s0 inet manual

    auto br0
    iface br0 inet manual
        bridge_ports enp2s0 enp3s0
        bridge_stp on
        bridge_maxwait 0
- Create tee:
    modprobe br_netfilter
    iptables -t mangle -F
    iptables -t mangle -A PREROUTING -i br0 -j TEE --gateway 10.1.1.6
- Show mangle rules:
    iptables -nvL -t mangle
    Chain PREROUTING (policy ACCEPT 52M packets, 81G bytes)
     pkts bytes target     prot opt in     out     source               destination
      52M   81G TEE        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TEE gw:10.1.1.6
- Now you can monitor the traffic on the monitor box with tcpdump, Suricata, SELKS, Security Onion, etc.
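Because the setup above flushes the mangle table (iptables -t mangle -F), any later firewall reload can silently remove the TEE rule and the monitor box just stops seeing traffic. The following health check, an added example and not part of the original page, parses the "iptables -nvL -t mangle" listing shown above (embedded here as a constructed sample) and reports whether the expected TEE rule is present and its packet counter still advancing; the function and class names are hypothetical.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the PREROUTING listing shown on this page; iptables -v
# abbreviates counters (52M packets, 81G bytes).
SAMPLE_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 52M packets, 81G bytes)
 pkts bytes target     prot opt in     out     source               destination
  52M   81G TEE        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TEE gw:10.1.1.6
"""

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
# Columns of a -nvL line: pkts bytes target prot opt in out source destination [extra]
_RULE = re.compile(
    r"^\s*(?P<pkts>\d+[KMGT]?)\s+(?P<bytes>\d+[KMGT]?)\s+TEE\s+\S+\s+\S+\s+"
    r"(?P<in>\S+)\s+\S+\s+\S+\s+\S+\s+TEE gw:(?P<gw>[\d.]+)"
)

@dataclass(frozen=True)
class TeeRule:            # hypothetical helper type
    in_iface: str
    gateway: str
    packets: int
    bytes: int

def _to_int(counter: str) -> int:
    """Expand an abbreviated iptables counter such as '52M' to an integer."""
    if counter[-1] in _SUFFIX:
        return int(counter[:-1]) * _SUFFIX[counter[-1]]
    return int(counter)

def parse_tee_rules(listing: str) -> list[TeeRule]:
    """Return every TEE rule found in an `iptables -nvL -t mangle` listing."""
    return [TeeRule(m["in"], m["gw"], _to_int(m["pkts"]), _to_int(m["bytes"]))
            for m in map(_RULE.match, listing.splitlines()) if m]

def check_mirror(listing: str, bridge: str, gateway: str, previous_packets: int) -> str:
    """'ok' when the expected rule exists and its counter advanced since the last run."""
    hits = [r for r in parse_tee_rules(listing) if r.in_iface == bridge and r.gateway == gateway]
    if not hits:
        return f"missing: no TEE rule on {bridge} towards {gateway}"
    if hits[0].packets <= previous_packets:
        return f"stalled: counter still at {hits[0].packets}"
    return "ok"

if __name__ == "__main__":
    # On the APU2 itself, replace SAMPLE_OUTPUT with the live output of
    # `iptables -nvL -t mangle` and persist the counter between runs.
    print(check_mirror(SAMPLE_OUTPUT, "br0", "10.1.1.6", previous_packets=0))
```

Run it from cron on the APU2 and alert on anything other than "ok"; a "stalled" result with traffic known to be flowing usually means br_netfilter is not loaded or the bridge is down.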
iptables_tee_port_mirror.1514710367.txt.gz · Last modified: 2017/12/31 08:52 by admin