Mirroring traffic with iptables TEE target

Mirroring traffic with iptables TEE target

[Aaron Lewis]

Hi,

I tried to mirror TCP traffic with mangle chain, 

that all packets sent to 192.168.56.2 would be copied to 192.168.56.1,

# On 192.168.56.2 I executed,
iptables -A PREROUTING -p tcp --dport 80 -j TEE --gateway 192.168.56.1

But on 192.168.56.1 no traffic to port 80 was seen

Anything wrong?

-- 
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

Re: Mirroring traffic with iptables TEE target

[Jan Engelhardt]

On Sunday 2012-12-30 10:10, Aaron Lewis wrote:

>Hi,
>
>I tried to mirror TCP traffic with mangle chain, 
>
>that all packets sent to 192.168.56.2 would be copied to 192.168.56.1,
>
># On 192.168.56.2 I executed,
>iptables -A PREROUTING -p tcp --dport 80 -j TEE --gateway 192.168.56.1
>
>But on 192.168.56.1 no traffic to port 80 was seen

Check with tcpdump on 192.168.56.1.
(And make sure you do not block outgoing packets on 56.2.)

Re: Mirroring traffic with iptables TEE target

[Jan Engelhardt]

On Sunday 2012-12-30 13:13, Aaron Lewis wrote:

>Hi Jan
>I tried to duplicate UDP packets and that works!
>
>So I guess you can't mirror TCP traffics, since it's connection oriented, am
>I right?

Mirroring does not discriminate against protocol. People successfully 
use it for logging, and I am sure they have TCP as well.

Re: Mirroring traffic with iptables TEE target

[Aaron Lewis]

Hi Jan,

How should the debugging process began?

In wireshark I see no traffic between the two hosts ...

On Host A (That accept the duplicate, IP: 192.168.56.178):
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT
--to-destination 192.168.56.178:80

On Host B (The duplicate & forward the connection, IP 192.168.56.39):
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TEE
--gateway 192.168.56.178

And I start nc on both machine,  nc -l 80

Then finally on my machine, I connect to Host B and type come text, it
works on Host B, but no traffic between A & B (vboxnet0 interface),
and direct connection from Host B to Host A works

On Sun, Dec 30, 2012 at 8:19 PM, Jan Engelhardt <jengelh@inai.de> wrote:
>
> On Sunday 2012-12-30 13:13, Aaron Lewis wrote:
>
> >Hi Jan
> >I tried to duplicate UDP packets and that works!
> >
> >So I guess you can't mirror TCP traffics, since it's connection oriented,
> > am
> >I right?
>
> Mirroring does not discriminate against protocol. People successfully
> use it for logging, and I am sure they have TCP as well.




--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

Re: Mirroring traffic with iptables TEE target

[Jan Engelhardt]

On Sunday 2012-12-30 13:54, Aaron Lewis wrote:

>Hi Jan,
>
>How should the debugging process began?
>
>In wireshark I see no traffic between the two hosts ...

That would mean that there is a problem with the duplication, but which 
seems unlikely because UDP is transmitted.

I do this

 iptables -A OUTPUT -o eth0 -j TEE --gateway 10.10.7.128

and the '128 machine gets all the packets, including TCP. I can verify 
that with both tcpdump on the emitter as well as the receiver side.

>On Host A (That accept the duplicate, IP: 192.168.56.178):
>iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT
>--to-destination 192.168.56.178:80

Ugh-ly.
Also pretty much pointless because, as you noticed, there is not a whole 
lot to do with half a TCP stream.


>> >So I guess you can't mirror TCP traffics, since it's connection oriented,
>> > am
>> >I right?

Re: Mirroring traffic with iptables TEE target

[Pablo Neira Ayuso]

On Sun, Dec 30, 2012 at 05:10:48PM +0800, Aaron Lewis wrote:
> Hi,
> 
> I tried to mirror TCP traffic with mangle chain, 
> 
> that all packets sent to 192.168.56.2 would be copied to 192.168.56.1,
> 
> # On 192.168.56.2 I executed,
> iptables -A PREROUTING -p tcp --dport 80 -j TEE --gateway 192.168.56.1
> 
> But on 192.168.56.1 no traffic to port 80 was seen
> 
> Anything wrong?

There was a bug in the 3.6 series that broke TEE, but that is fixed in
-stable. What kernel are you using?