Posted: Tue Jun 29, 2010 22:44 Post subject: Re: iptables --tee does not work with my router/fw
hajjar wrote:
Linksys WRT54G2 v1
DD-WRT v24-sp2 (12/28/09) micro - build 13525
[...]
Is iptables --tee supported in this fw version?
The ROUTE target is not included in any micro builds due to their extremely limited flash space. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Run the same commands with -D to delete them instead of -A or -I, which append/insert them. Or, if you put the commands in your firewall script, then just remove them from the firewall script.
These commands make a copy of the network traffic that has source and destination 192.168.1.100 and send it to 192.168.1.101. On 192.168.1.101, Wireshark can be run to sniff the traffic made by 192.168.1.100.
You can use:
iptables -t mangle -A POSTROUTING -d 0.0.0.0/0 -j ROUTE --tee --gw 192.168.1.101
for copying all network traffic and sending it to 192.168.1.101, but I don't recommend it. Your router will run slower. You should send only what you want to sniff.
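As an added example (not code from the thread or from DD-WRT), a small POSIX shell script that restricts the copy to one host's traffic in both directions, checks whether the ROUTE rules were actually listed after adding them, and deletes them again; HOST, SNIFFER and the two embedded iptables listings are assumed/constructed values.

```shell
# Added example, not from the thread. Mirrors only one host's traffic to a
# sniffer with ROUTE --tee, then verifies or removes the rules.
# HOST (machine to watch) and SNIFFER (Wireshark box) are assumed values.
HOST=192.168.1.100
SNIFFER=192.168.1.101

# Arguments for one mirroring rule. $1 = -A (add) or -D (delete); $2 = src
# (packets from HOST) or dst (packets to HOST); both together cover the host.
mirror_rule() {
    case "$2" in
        src) match="-s $HOST" ;;
        dst) match="-d $HOST" ;;
        *)   return 1 ;;
    esac
    echo "-t mangle $1 POSTROUTING $match -j ROUTE --tee --gw $SNIFFER"
}
# Given the text of 'iptables -t mangle -vnL', report whether a ROUTE rule (or
# TEE, its replacement in newer kernels) is listed. Rule lines start with the
# pkts/bytes counters, so chain headers never match.
has_mirror_rule() {
    printf '%s\n' "$1" | grep -Eq '^ *[0-9]+[KMG]? +[0-9]+[KMG]? +(ROUTE|TEE) '
}
# Add or delete both rules ($1 = -A or -D); run this on the router itself.
apply_mirror() {
    for dir in src dst; do
        iptables $(mirror_rule "$1" "$dir") || return 1   # splitting intended
    done
}
# If iptables accepted the command but nothing is listed afterwards, the
# build lacks the ROUTE target module (the symptom reported in the thread).
verify_mirror() {
    if has_mirror_rule "$(iptables -t mangle -vnL POSTROUTING)"; then
        echo "mirror rules active: $HOST -> $SNIFFER"
    else
        echo "no ROUTE rule listed: this build probably lacks the module" >&2
        return 1
    fi
}
# Constructed listings for offline checks: one with a rule, one with the empty
# POSTROUTING chain as in the listing posted in the thread.
LISTING_WITH_RULE='Chain POSTROUTING (policy ACCEPT 31M packets, 27G bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ROUTE      all  --  *      *       192.168.1.100        0.0.0.0/0            ROUTE tee gw:192.168.1.101'
LISTING_EMPTY='Chain POSTROUTING (policy ACCEPT 31M packets, 27G bytes)
 pkts bytes target     prot opt in     out     source               destination'
case "${1:-}" in
    start) apply_mirror -A && verify_mirror ;;
    stop)  apply_mirror -D ;;
esac
```

Run it as `sh mirror.sh start` on the router to add and verify, and `sh mirror.sh stop` to remove exactly the rules it added.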
A while ago I bought a D-Link DIR-615 that came flashed with DD-WRT v24-sp2 (04/23/10) std. I am trying at the moment to set up port mirroring/network tap via iptables on the AP, which is not working as suggested above.
I think I may need the firmware updating; however, I'm not sure what chipset or whatever I have, e.g. Broadcom? And as DD-WRT is already on my AP, can I use the web GUI to point to a file to upgrade the firmware?
The router DB and supported devices wiki page will both tell you what chipset your router has. You should run the command in the OP to check if the commands are being applied, though.
I am trying to port mirror all Wi-Fi traffic (ath0) to a PC running Wireshark, but it seems the iptables commands are not modifying the mangle table. I've tried so many combinations but without any luck. I can enter the commands as above but nothing happens. I've also tried:
I too have been searching and experimenting with port mirroring using iptables, and with IP addresses it works. But I have been unsuccessful at mirroring interfaces. The whole point of using mirroring is to be transparent to the network and not change/add to the destination address on the data flow going to the mirror port.
I picked up a cheap Netgear GS108E 8-port switch with VLAN and port mirroring support, and it does "true" port mirroring with no need to set a destination IP address.
When I try these two commands I do not get any data going to the interface I wish to sniff traffic on.
iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.10 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.1.10 --tee
If I perform the above commands and then run
iptables -t mangle -vnL
I get the following output:
Chain PREROUTING (policy ACCEPT 23339 packets, 10M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1153K packets, 89M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 31M packets, 27G bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4907 packets, 514K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 31M packets, 27G bytes)
pkts bytes target prot opt in out source destination
If I delete the above commands with -D I still get the same output from
iptables -t mangle -vnL
Only the ACCEPT packet and byte counters increase in Chain PREROUTING and Chain INPUT.
Is port mirroring, or more accurately packet copying, no longer supported? I see folks trying it and it not working. Of course some of that is due to their router hardware or version of DD-WRT. I would think mine would work, as DD-WRT and Buffalo are working together to provide DD-WRT on the router as an OEM feature.
This is a case for you real gurus.
1. How do I make this work?
and
2. How do I know I have deleted any rules I put in and do not want?
I know how to list iptables and do not see anything that stands out.
Different builds have different iptables modules, and it appears that your build is missing the ROUTE target module. Try a recent build for your model and see if it has been included; if not, then ask for it on trac.
Thank you phuzi0n. That makes perfect sense. I should have thought of that, but that is why you are the Guru.
After doing more research, I keep coming across the claim that forwarding all traffic on the router to one port may slow down the router/switch.
So, I'm thinking of getting another switch that does port spanning. I like how the Buffalo router and DD-WRT perform and don't want to take away from what I see as a feature and performance gain over my old rig.
I will still update the firmware to a more recent build and test port mirroring/packet forwarding just to test the feature out. I spent the time to build a Snort IDS, so I might as well test it.
Any thoughts on the subject of port spanning/packet forwarding slowing down some routers?