r28072 build - Mirroring - Issue due to old Iptables version

dlaroche
DD-WRT Novice


Joined: 08 Mar 2015
Posts: 9

Posted: Thu Nov 05, 2015 22:14    Post subject: r28072 build - Mirroring - Issue due to old Iptables version
Hello all,

I am trying to do port mirroring with the x86 version of dd-wrt to send all traffic to a SIEM (OSSIM).

I found the following information on how to mirror traffic to a device:
iptables -A PREROUTING -t mangle -j ROUTE --gw 10.0.0.21 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 10.0.0.21 --tee

When I display the mangle table:
iptables -t mangle -L -v -n
the table is empty.

After some research, I found out that the iptables build that is used with the DD-WRT build (x86 & x86-64) is iptables v1.3.7.

My research also led me to find that --tee is not supported in this version and that it would require iptables v1.4.9 at least.

Would it be possible to have a more recent version of iptables included in the next build to enable this functionality?

Thanks for your help.
johnlwebb
DD-WRT Novice


Joined: 08 Nov 2010
Posts: 8

Posted: Tue May 24, 2016 14:21    Post subject: tee extension for iptables
I too am looking for a way to do this. I currently run dd-wrt on a Linksys WRT 1900ACv2.
Router Model: Linksys WRT 1900ACv2
Firmware Version: DD-WRT v3.0-r29218 std (03/07/16)
Kernel Version: Linux 3.18.28 #67 SMP Sun Mar 6 02:41:18 CET 2016 armv7l

Apparently, this version does not support the tee command as after issuing the command to tee traffic, there are no errors but also no new routes get added.

I'm looking for a solution and thought I might just switch to an x86 based setup. But it looks like it might have the same problem.

I don't understand why something so fundamental to monitoring network traffic would be left out. Is it a memory issue?

Perhaps there is a better way to go about monitoring traffic to and from a device on the network. I'm open to any suggestions.

Please, if anyone knows how I can get a version with the tee extension for iptables going, please let me know.

I wonder if I can uninstall iptables from my router and install the latest version.

searching for answers...
chapeaurouge
DD-WRT Novice


Joined: 03 Jan 2015
Posts: 40

Posted: Sat Jun 04, 2016 12:46    Post subject:
Hi,

I had some degree of success with the link below, but have since then cleared out to a new DDWRT firmware, and haven't tried again. However, I am now _again_ looking for port mirroring, and I still wonder why ddwrt is stuck at iptables 1.3.7. I am guessing bumping it up to 1.4.9 (at which the TEE module is supported).

http://elatov.github.io/2015/07/compile-iptables-tee-module-for-dd-wrt/

Let me know if you get it working ;)
gefranks
DD-WRT Novice


Joined: 15 Aug 2016
Posts: 1

Posted: Mon Aug 15, 2016 16:26    Post subject:
I have an old ASUS RT-N16 (mega rev 16773M) and it seems
iptables -t mangle -I PREROUTING -s 192.168.1.249 -j ROUTE --tee --gw 192.168.1.2
is working and can be written into iptables,
and the iptables is 1.3.7.

But my ea6500 and ea6700 have no luck.

Not sure if this feature is removed from the source code.
excel4x
DD-WRT Novice


Joined: 24 Feb 2007
Posts: 25

Posted: Mon Aug 22, 2016 6:22    Post subject: iptables mirroring
I have seen this iptables example in several places:

iptables -A PREROUTING -t mangle -j ROUTE --gw 10.0.0.21 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 10.0.0.21 --tee

I tried it on a wrt54g router with r14929. The mirroring works, however, when I checked the traffic flow with wireshark, I am getting twice the traffic that I expect. I verified this using a hub to mirror traffic.

I am a novice with iptables - please correct my understanding... I think this duplication is because no interface or source/destination addresses are specified in the iptables commands. Effectively both PRE/POSTROUTING entries are being applied to each packet since each packet matches all conditions. Other similar posts in the forum include both PREROUTING and POSTROUTING, but they also specify source and destination addresses. This captures only traffic to a particular device. In such a case you would want both PRE/POSTROUTING entries to capture flows to/from that device.

So it seems to me that to capture all traffic, either the interface should be specified, or only one of the PREROUTING or POSTROUTING entries should be included. Just using the PREROUTING entry seems the simplest. Am I missing something?
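
An added example, not part of any post in this thread: a shell check for the two symptoms reported above, a mangle table that holds no --tee rule after the command was entered, and unscoped --tee rules in both PREROUTING and POSTROUTING, which every forwarded packet traverses and is therefore copied twice. The function name audit_mirror_rules is hypothetical, and the iptables-save style rule lines (including how the ROUTE target is printed) are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit mangle rules in iptables-save
# format, read from stdin, for the two problems reported above.
audit_mirror_rules() {
    awk '
    $1 == "-A" && /--tee/ {
        scoped = 0
        # Scoped = the rule matches on an interface or an address.
        for (i = 3; i <= NF; i++)
            if ($i == "-i" || $i == "-o" || $i == "-s" || $i == "-d")
                scoped = 1
        total++
        if (!scoped) unscoped[$2]++
    }
    END {
        if (total == 0) {
            print "no-tee-rule: mangle table holds no --tee rule"
            exit
        }
        if (unscoped["PREROUTING"] && unscoped["POSTROUTING"])
            print "double-mirror: unscoped --tee in PREROUTING and POSTROUTING"
        else
            print "ok"
    }'
}

# Constructed sample: the two rules quoted in the thread, as saved rules.
sample_unscoped() {
    cat <<'EOF'
*mangle
-A PREROUTING -j ROUTE --gw 10.0.0.21 --tee
-A POSTROUTING -j ROUTE --gw 10.0.0.21 --tee
COMMIT
EOF
}

# Constructed sample: mirroring limited to one host, both directions.
sample_scoped() {
    cat <<'EOF'
*mangle
-A PREROUTING -s 192.168.1.249 -j ROUTE --gw 192.168.1.2 --tee
-A POSTROUTING -d 192.168.1.249 -j ROUTE --gw 192.168.1.2 --tee
COMMIT
EOF
}

sample_unscoped | audit_mirror_rules
sample_scoped | audit_mirror_rules
```

On a router, live rules can be fed in with `iptables-save -t mangle | audit_mirror_rules`, provided the firmware build ships iptables-save.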
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7463
Location: Dresden, Germany

Posted: Thu Sep 01, 2016 8:54    Post subject:
TEE is supported as well, the problem is just that I do not include all modules required for it. Normally just modules are included which are used by dd-wrt itself. However, on x86/x64 I may include everything since there is enough space for it. Gimme some days for it.
_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
cytec
DD-WRT Novice


Joined: 10 Aug 2008
Posts: 16

Posted: Sat Feb 18, 2017 3:58    Post subject:
BrainSlayer wrote:
TEE is supported as well, the problem is just that I do not include all modules required for it. Normally just modules are included which are used by dd-wrt itself. However, on x86/x64 I may include everything since there is enough space for it. Gimme some days for it.


Any chance of getting the TEE module in a current version of DD-WRT x86?

It's not present in the latest beta:

http://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2017/02-07-2017-r31277/x86/dd-wrt-webupgrade_full_vga.bin
reinerka
DD-WRT Novice


Joined: 18 Jan 2018
Posts: 5

Posted: Thu Jan 18, 2018 20:28    Post subject:
Any chance this could be changed to include this by default? I've switched from my OEM firmware to dd-wrt to use mirroring (so I can use BriarIDS for network monitoring).

Rebuilding releases with this enabled is going to be a big hassle.....

Reiner