duplicating packets to other interface

duplicating packets to other interface

[zhuupa]

hello,

maybe my question sounds stupid to you but i've tried googling around
and couldn't find any valuable results. so, situation is here:

internet == [:eth0 router eth1:] == ids sensor (192.168.0.0/16)
            [             eth2:] == clients (10.0.0.0/8) 

so far it's a router which routes (nat) packets between external network
and clients. i added ids sensor to eth1 interface and would like incoming
packets on eth0 interface to be duplicated to eth1 so that ids sees them.

the question is - how can i do that? i haven't messed with iptables much,
and our network administraitor says it's not possible with iptables.
i don't believe him, however ;>

on openbsd packet filter it would look like this:
pass in on $ext_if dup-to $ids_if all

i believe it's as simple on iptables.

thanks in advance,
peter.

---------------------------------------------------------------------
Radical ringtones, java games, mobile phone logos, backgrounds http://sms.BANDA.LV !

Re: duplicating packets to other interface

[Jason Opperisano]

On Sun, 2004-12-12 at 20:06, zhuupa@banda.lv wrote:
> hello,
> 
> maybe my question sounds stupid to you but i've tried googling around
> and couldn't find any valuable results. so, situation is here:
> 
> internet == [:eth0 router eth1:] == ids sensor (192.168.0.0/16)
>             [             eth2:] == clients (10.0.0.0/8) 
> 
> so far it's a router which routes (nat) packets between external network
> and clients. i added ids sensor to eth1 interface and would like incoming
> packets on eth0 interface to be duplicated to eth1 so that ids sees them.
> 
> the question is - how can i do that? i haven't messed with iptables much,
> and our network administraitor says it's not possible with iptables.
> i don't believe him, however ;>
> 
> on openbsd packet filter it would look like this:
> pass in on $ext_if dup-to $ids_if all

ah--the beautiful simplicity of OpenBSD's pf...alas--this is a different
list...

> i believe it's as simple on iptables.

heh--you'd think that.

one possible packet-filter-independent solution would be to plug eth0 of
iptables machine, the upstream router and the IDS into a switch and span
the port from the iptables machine to the port of the IDS' promiscuous
sniffing interface.  this could also be done with a dumb hub and no
spanning...

i know this isn't actually an answer to your question, but it sorta
accomplishes the task at hand.

-j

--
"To alcohol: the cause of, and solution to, all of life's problems."
	--The Simpsons

Re: duplicating packets to other interface

[Philip Craig]

zhuupa@banda.lv wrote:
> internet == [:eth0 router eth1:] == ids sensor (192.168.0.0/16)
>             [             eth2:] == clients (10.0.0.0/8) 
> 
> so far it's a router which routes (nat) packets between external network
> and clients. i added ids sensor to eth1 interface and would like incoming
> packets on eth0 interface to be duplicated to eth1 so that ids sees them.

Get the ROUTE extension from patch-o-matic-ng and use the --tee option.

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com

Re: duplicating packets to other interface

[Jason Opperisano]

On Tue, 2004-12-14 at 01:43, Philip Craig wrote:
> Get the ROUTE extension from patch-o-matic-ng and use the --tee option.

wow--that was a timely question, as the addition of "--tee" to the ROUTE
target was committed to CVS:

  Modified Tue Dec 14 02:58:31 2004 UTC (10 hours, 48 minutes ago)

ask and ye shall...

-j

--
"You heard me, I won't be in for the rest of the week... I told you,
 my baby beat me up... oh it is not the worst excuse I ever thought up."
	--The Simpsons