[ger/eng] iptables "clone" packets for logging

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
zeroXcool
DD-WRT Novice


Joined: 15 Jan 2007
Posts: 5

Posted: Fri Mar 27, 2009 10:02    Post subject: [ger/eng] iptables "clone" packets for logging
Hi,
I'm new to iptables and hope someone here can help me.
I have "DD-WRT v23 sp1" running on my Linksys router and want to analyse the traffic my clients send over port 5190.
I don't know whether iptables is the right tool for this, but I imagine it working like this:
all packets that are sent from my router to the Internet over this port should be passed on as a "copy" to my server (in the LAN), which is to analyse them with PCAP.
For that, a "copy" of the packet would have to be created, given my server's address as its destination IP, and then routed, if I understand this correctly.
Of course all incoming packets (from the Internet) on that port should be "copied to my server" as well.

Can anyone help me, or at least tell me whether this is possible with iptables at all?
I'm happy to provide further information if anyone needs it ;)

Thanks in advance ;)
greetz z.c
mtca
DD-WRT Novice


Joined: 13 Jul 2007
Posts: 48
Location: Martinez, CA

Posted: Fri Mar 27, 2009 14:26
Hi,

I'm not sure about using iptables for this, but you may want to consider tcpdump. I used it successfully with V23 SP1 some time ago.

You'll need external storage for the output and for installing tcpdump. The fastest approach may be to use dd-wrt's Samba client to mount a remote share. Next, install the tcpdump package. If the standard ipkg doesn't work, try installing the Optware version.

Once tcpdump is successfully installed, you should be able to capture packets from any interface on the router.

Have fun!
zeroXcool
DD-WRT Novice


Joined: 15 Jan 2007
Posts: 5

Posted: Fri Mar 27, 2009 14:55
Thanks for this hint ;) I've already installed tcpdump ;) It works great, but the script for analysing the packets is written in Perl, and I don't think I can run such a complex script on DD-WRT because it has too many dependencies and needs too much CPU....

So I need a way to redirect all the traffic to my server; this way I can analyse the packets in real time instead of using tcpdump on DD-WRT to dump packets into a file and then analysing the file with the script on my server....

I've tried to pipe the tcpdump raw packets through SSH to the script on my server, but it didn't work well. So I need another solution ;)
By the way, here is the link to a thread on LinuxQuestions about redirecting tcpdump through SSH:
http://www.linuxquestions.org/questions/showthread.php?t=709354
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

Posted: Fri Mar 27, 2009 16:48
Here's a basic set of iptables rules to do it. If you have a VLAN-capable router (most are) then you should change the interfaces to some separated VLANs. Also, since it's done with iptables this won't catch bridged traffic; only IP traffic will get copied.

# -s/-d take IP addresses, not interface names; match the interface with -i (incoming)
# or -o (outgoing) instead. OUTPUT only allows -o, INPUT only -i.
# FORWARD: traffic routed between the LAN bridge and the WAN, both directions
iptables -t mangle -I FORWARD -i br0 -j ROUTE --oif br0 --tee
iptables -t mangle -I FORWARD -o br0 -j ROUTE --oif br0 --tee
# INPUT/OUTPUT: traffic addressed to or sent by the router itself
iptables -t mangle -I INPUT -i br0 -j ROUTE --oif br0 --tee
iptables -t mangle -I OUTPUT -o br0 -j ROUTE --oif br0 --tee
zeroXcool
DD-WRT Novice


Joined: 15 Jan 2007
Posts: 5

Posted: Fri Mar 27, 2009 18:58
Thank you very much, everyone ;)
especially the one with the answer ;)

I've also got it working myself, so for everyone who might need it too:

Set the route:
# outgoing: packets from the LAN to the port get a copy sent to the capture host
iptables -A PREROUTING -t mangle -p tcp --dport <port> -j ROUTE --gw <ip-to-"copy"-to> --tee
# incoming: replies from the port get a copy sent to the capture host
iptables -A POSTROUTING -t mangle -p tcp --sport <port> -j ROUTE --gw <ip-to-"copy"-to> --tee

Delete the route again (<num> is the rule number, starting at 1):
iptables -t mangle -D PREROUTING <num>
iptables -t mangle -D POSTROUTING <num>

List the routes (to get the number for deleting; --line-numbers prints it in front of each rule):
iptables -t mangle -L PREROUTING -n --line-numbers
iptables -t mangle -L POSTROUTING -n --line-numbers
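Added example (not from the thread): a POSIX sh script that builds, and optionally applies, the same per-port mirroring that the last two posts set up with ROUTE --gw ... --tee. It emits the rules for the mainline TEE target (which replaced the patch-o-matic ROUTE target in kernels 2.6.35 and later) or, for old DD-WRT builds such as v23, the ROUTE --tee form. The LAN bridge name br0, port 5190 and the capture host 192.168.1.10 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the DD-WRT thread. Builds and (optionally) applies
# iptables rules that copy both directions of one TCP port to a capture host,
# as the ROUTE --gw ... --tee rules in the thread do. Assumptions: the LAN
# bridge is br0, the capture host (e.g. 192.168.1.10) sits on that bridge, and
# the kernel has either the mainline TEE target (2.6.35+) or the old
# patch-o-matic ROUTE target that DD-WRT v23 ships.

LAN_IF=br0

# Print one complete iptables command per line, without running anything.
#   $1 = -A (add) or -D (delete)      $2 = TCP port
#   $3 = capture host IP              $4 = TEE (default) or ROUTE
mirror_rules() {
    action=$1; port=$2; gw=$3; target=${4:-TEE}
    case "$target" in
        TEE)   jump="-j TEE --gateway $gw" ;;      # mainline duplicating target
        ROUTE) jump="-j ROUTE --gw $gw --tee" ;;   # patch-o-matic target on old DD-WRT
        *)     echo "unknown target: $target" >&2; return 1 ;;
    esac
    # Client -> Internet: the original enters on the LAN bridge with the port as destination.
    echo "iptables -t mangle $action PREROUTING -i $LAN_IF -p tcp --dport $port $jump"
    # Internet -> client: the reply enters on the WAN side with the port as source.
    # "! -i br0" keeps the rule from also firing on LAN-local traffic that happens
    # to use the port as its source port.
    echo "iptables -t mangle $action PREROUTING ! -i $LAN_IF -p tcp --sport $port $jump"
}

# Run the generated commands (needs root on the router); stop at the first failure.
apply_rules() {
    mirror_rules "$@" | sh -e
}

case "${1:-}" in
    show)   shift; mirror_rules -A "$@" ;;
    apply)  shift; apply_rules -A "$@" ;;
    delete) shift; apply_rules -D "$@" ;;
    *)      echo "usage: $0 show|apply|delete PORT CAPTURE_HOST [TEE|ROUTE]" >&2 ;;
esac
```

Usage: `sh mirror.sh show 5190 192.168.1.10 ROUTE` prints the two rules for a v23-era router, `apply` installs them and `delete` removes exactly the same match specification again, so no rule numbers have to be looked up. Two caveats a practitioner should know: PREROUTING runs before NAT, so on the mirrored Internet-to-client packets the destination address is still the router's WAN address, not the client's; and the copies reach the capture host carrying someone else's IP addresses, so its kernel discards them after libpcap has seen them, which is fine for `tcpdump -ni eth0 'tcp port 5190'` but means nothing else on that host will ever receive them. On DD-WRT the `apply` commands belong in the saved firewall script so they survive a reboot.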