Posted: Thu Nov 05, 2015 22:14 Post subject: r28072 build - Mirroring - Issue due to old Iptables version
Hello all,
I am trying to do port mirroring with the x86 version of dd-wrt to send all traffic to a SIEM (OSSIM).
I found the following information on how to mirror traffic to a device:
iptables -A PREROUTING -t mangle -j ROUTE --gw 10.0.0.21 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 10.0.0.21 --tee
When I display the mangle table:
iptables -t mangle -L -v -n
the table is empty.
After some research, I found out that the iptables build that is used with the DD-WRT build (x86 & x86-64) is iptables v1.3.7.
My research also led me to find that --tee is not supported in this version and that it would require iptables v1.4.9 at least.
Would it be possible to have a more recent version of iptables included in the next build to enable this functionality?
Posted: Tue May 24, 2016 14:21 Post subject: tee extension for iptables
I too am looking for a way to do this. I currently run dd-wrt on a Linksys WRT 1900ACv2.
Router Model: Linksys WRT 1900ACv2
Firmware Version: DD-WRT v3.0-r29218 std (03/07/16)
Kernel Version: Linux 3.18.28 #67 SMP Sun Mar 6 02:41:18 CET 2016 armv7l
Apparently, this version does not support the tee command as after issuing the command to tee traffic, there are no errors but also no new routes get added.
I'm looking for a solution and thought I might just switch to an x86-based setup. But it looks like it might have the same problem.
I don't understand why something so fundamental to monitoring network traffic would be left out. Is it a memory issue?
Perhaps there is a better way to go about monitoring traffic to and from a device on the network. I'm open to any suggestions.
Please, if anyone knows how I can get a version with the tee extension for iptables going, please let me know.
I wonder if I can uninstall iptables from my router and install the latest version.
I had some degree of success with the link below, but have since then cleared out to a new DDWRT firmware, and haven't tried again. However, I am now _again_ looking for port mirroring, and I still wonder why ddwrt is stuck at iptables 1.3.7. I am guessing bumping it up to 1.4.9 (at which the TEE module is supported).
I have an old ASUS RT-N16 (mega rev 16773M) and it seems
iptables -t mangle -I PREROUTING -s 192.168.1.249 -j ROUTE --tee --gw 192.168.1.2
is working and can be written into iptables,
and the iptables is 1.3.7,
but my EA6500 and EA6700 have no luck.
Not sure if this feature is removed from the source code.
Posted: Mon Aug 22, 2016 6:22 Post subject: iptables mirroring
I have seen this iptables example in several places:
iptables -A PREROUTING -t mangle -j ROUTE --gw 10.0.0.21 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 10.0.0.21 --tee
I tried it on a wrt54g router with r14929. The mirroring works, however, when I checked the traffic flow with wireshark, I am getting twice the traffic that I expect. I verified this using a hub to mirror traffic.
I am a novice with iptables - please correct my understanding... I think this duplication is because no interface or source/destination addresses are specified in the iptables commands. Effectively both PRE/POSTROUTING entries are being applied to each packet since each packet matches all conditions. Other similar posts in the forum include both PREROUTING and POSTROUTING, but they also specify source and destination addresses. This captures only traffic to a particular device. In such a case you would want both PRE/POSTROUTING entries to capture flows to/from that device.
So it seems to me that to capture all traffic, either the interface should be specified, or only one of the PREROUTING or POSTROUTING entries should be included. Just using the PREROUTING entry seems the simplest. Am I missing something?
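The duplication discussed in the post above, as an added example that is not part of the original thread: a small model of which mangle chains each class of packet traverses, counting how many copies the collector receives per rule set. It assumes teed copies are not themselves re-mirrored and does not model NAT address rewriting; the peer and router addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# mangle-table chains traversed by each class of packet (standard netfilter order)
HOOKS = {
    "forwarded":   ("PREROUTING", "FORWARD", "POSTROUTING"),
    "to_router":   ("PREROUTING", "INPUT"),
    "from_router": ("OUTPUT", "POSTROUTING"),
}

@dataclass(frozen=True)
class TeeRule:
    chain: str
    src: Optional[str] = None   # None means no -s match (any source)
    dst: Optional[str] = None   # None means no -d match (any destination)

    def command(self, gw: str) -> str:
        """Render the rule in the ROUTE --tee syntax quoted in the thread."""
        match = (f" -s {self.src}" if self.src else "") + \
                (f" -d {self.dst}" if self.dst else "")
        return f"iptables -t mangle -A {self.chain}{match} -j ROUTE --gw {gw} --tee"

def copies(rules, kind: str, src: str, dst: str) -> int:
    """Number of duplicates the collector receives for one packet."""
    return sum(
        1
        for hook in HOOKS[kind]
        for r in rules
        if r.chain == hook and r.src in (None, src) and r.dst in (None, dst)
    )

HOST, PEER = "192.168.1.249", "203.0.113.7"   # PEER is a constructed sample address

BOTH_UNQUALIFIED = [TeeRule("PREROUTING"), TeeRule("POSTROUTING")]
PREROUTING_ONLY = [TeeRule("PREROUTING")]
PER_HOST = [TeeRule("PREROUTING", src=HOST), TeeRule("POSTROUTING", dst=HOST)]

if __name__ == "__main__":
    sets = [("both, unqualified", BOTH_UNQUALIFIED),
            ("PREROUTING only", PREROUTING_ONLY),
            ("per-host pair", PER_HOST)]
    for name, rules in sets:
        print(name)
        for r in rules:
            print("   ", r.command("10.0.0.21"))
        print("    forwarded HOST->PEER:", copies(rules, "forwarded", HOST, PEER))
        print("    forwarded PEER->HOST:", copies(rules, "forwarded", PEER, HOST))
        print("    router-originated   :", copies(rules, "from_router", "10.0.0.1", PEER))
```

In this model the PREROUTING-only set gives one copy per forwarded packet but none for traffic the router itself originates, which matters if the collector is expected to see the router's own connections.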
Posted: Thu Sep 01, 2016 8:54 Post subject:
TEE is supported as well; the problem is just that I do not include all modules required for it. Normally just modules are included which are used by dd-wrt itself. However, on x86/x64 I may include everything since there is enough space for it. Gimme some days for it.
_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
Any chance of getting the TEE module in a current version of DD-WRT x86?
Any chance this could be changed to include this by default? I've switched from my OEM firmware to dd-wrt to use mirroring (so I can use BriarIDS for network monitoring).
Rebuilding releases with this enabled is going to be a big hassle.....