Posted: Fri Mar 27, 2009 10:02 Post subject: [ger/eng] iptables "clone" packets for logging
[ger] (translated to English)
Hi,
I'm new to the field of iptables and hope someone here can help me.
I have "DD-WRT v23 sp1" running on my LinkSys router and want to analyse the traffic from my clients that goes over port 5190.
I don't know exactly whether iptables can help me with this, but I imagine it as follows:
All packets that are sent from my router to the Internet over this port should be passed on as a "copy" to my server (in the LAN), because that server is supposed to analyse the packets with the help of PCAP.
So a "copy" of the packet would have to be created, given the destination IP of my server and then routed, if I understand that correctly.
Of course all incoming packets on that port should also be passed on to my server.
Can someone help me, or perhaps explain whether this is possible with iptables at all?
I'm of course happy to provide further information ;)
Thanks in advance
Best regards, z.c
[eng]
Hi,
I'm new to iptables and hope someone can help me.
I have "DD-WRT v23 sp1" on my LinkSys router and want to analyse the traffic that's going over port 5190.
I don't know if iptables is the right thing to use, but I think it has to work like this:
All packets that are sent to the Internet over this port have to be "copied" and sent to my server (in the LAN) so that it can analyse them with PCAP.
Therefore the packet has to be "copied" and the destination IP (of the "copied" packet) has to be modified to the one of my server, if I got that right.
Of course the incoming packets (from the Internet) have to be "copied to my server" as well.
So I hope someone could help me or at least tell me if this is possible with iptables.
If someone needs some additional information, just ask ;)
Posted: Fri Mar 27, 2009 14:26 Post subject:
Hi,
I'm not sure about using iptables for this, but you may want to consider tcpdump. I used it successfully with V23 SP1 some time ago.
You'll need external storage for the output and for installing tcpdump. The fastest approach may be to use dd-wrt's Samba client to mount a remote share. Next install the tcpdump package. If the standard ipkg doesn't work try installing the Optware version.
Once tcpdump is successfully installed you should be able to capture packets from any interface on the router.
Thanks for this hint. I've already installed tcpdump and it works great, but the script for analysing the packets is written in Perl and I don't think I can run this complex script on DD-WRT because it has too many dependencies and needs too much CPU.
So I need a way to redirect all the traffic to my server; this way I can analyse the packets in real time instead of using tcpdump on DD-WRT to dump packets into a file and then analyse the file with the script on my server.
I've tried to pipe the tcpdump raw packets through SSH to the script on my server, but it didn't work well. So I need another solution.
By the way, here is the link to a thread on LinuxQuestions for redirecting tcpdump through SSH:
http://www.linuxquestions.org/questions/showthread.php?t=709354
Here's a basic iptables rule to do it. If you have a vlan capable router (most are) then you should change the interfaces to some separated vlans. Also, since it's done with iptables this won't catch bridge traffic, only IP traffic will get copied.
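The rule itself is missing from the post above, so here is an added example (not the poster's rule and not DD-WRT project code) of how such packet cloning is expressed with iptables. It uses the TEE target, which duplicates a matching packet and hands the copy to a LAN host without rewriting the original destination IP; the analysis host therefore sees the clone only with a promiscuous capture such as tcpdump or libpcap. Whether your firmware's iptables has TEE is an assumption here (older builds offered a ROUTE target with a --tee option instead, with the same idea). The analysis host 192.168.1.50, the LAN interface br0 and the WAN interface vlan1 are constructed values; the script only prints the rules unless APPLY=1 is set, so it can be reviewed before anything touches the router.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) iptables rules that send a copy
# of every TCP port 5190 packet to an analysis host on the LAN.
# Constructed values (assumptions, not from the thread): analyser 192.168.1.50,
# LAN interface br0, WAN interface vlan1. Needs an iptables with the TEE target.

ANALYZER="192.168.1.50"
PORT="5190"
LAN_IF="br0"
WAN_IF="vlan1"

# mirror_rules ANALYZER PORT LAN_IF WAN_IF
# Prints one iptables command per line; nothing is executed here.
mirror_rules() {
    analyzer="$1"; port="$2"; lan_if="$3"; wan_if="$4"
    # Client -> Internet: enters the router on the LAN side with dport 5190.
    # "! -s analyzer" keeps the analyser's own port-5190 traffic from being
    # cloned back to itself.
    echo "iptables -t mangle -A PREROUTING -i $lan_if ! -s $analyzer -p tcp --dport $port -j TEE --gateway $analyzer"
    # Internet -> client: enters on the WAN side with sport 5190.
    echo "iptables -t mangle -A PREROUTING -i $wan_if -p tcp --sport $port -j TEE --gateway $analyzer"
}

# rule_count ANALYZER PORT LAN_IF WAN_IF  -> number of rules that would be added
rule_count() {
    mirror_rules "$@" | wc -l | tr -d ' '
}

# apply_rules ANALYZER PORT LAN_IF WAN_IF
# Executes the generated rules; requires root and the xt_TEE module on the router.
apply_rules() {
    mirror_rules "$@" | while read -r cmd; do
        $cmd || return 1
    done
}

# Dry run by default; set APPLY=1 on the router to install the rules.
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules "$ANALYZER" "$PORT" "$LAN_IF" "$WAN_IF"
else
    mirror_rules "$ANALYZER" "$PORT" "$LAN_IF" "$WAN_IF"
fi
```

On the analysis host, `tcpdump -ni eth0 tcp port 5190` (interface name assumed) confirms the clones arrive: they carry the original client and Internet addresses, because TEE changes only the next-hop MAC, not the IP header. As the post above notes, this only covers IP traffic the router actually routes between the two interfaces; frames bridged inside a single VLAN never reach the mangle table, which is why separate VLANs for LAN and WAN are needed.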