* Clone a packet - iptables
From: Piotr Szczap @ 2006-04-10 14:29 UTC (permalink / raw)
To: linux-admin
Hello,
Is it possible to 'clone' a packet using iptables?
I would like to do something like
-A INPUT -p tcp --dport 1111 -j DNAT --to-destination host_a
--to-destination host_b
but without the round-robin load balancing, so that the packet coming to
port 1111 is sent to host_a AND host_b.
Or perhaps it can be done with BSD's packet filter?
--
Piotr Szczap
* Re: Clone a packet - iptables
From: Martin Klier @ 2006-04-11 6:46 UTC (permalink / raw)
To: Piotr Szczap; +Cc: linux-admin
Hi,
On Monday, 10 April 2006 16:29, Piotr Szczap wrote:
> Hello,
> Is it possible to 'clone' a packet using iptables?
> I would like to do something like
> -A INPUT -p tcp --dport 1111 -j DNAT --to-destination host_a
> --to-destination host_b
> but without the round-robin load balancing, so that the packet coming to
> port 1111 is sent to host_a AND host_b.
>
> Or perhaps it can be done with BSD's packet filter?
I bet Linux' netfilter can't do this. Think about your tcp connection's
partner: it will receive ACK flags from two processes on the destination
machine. Your tcp connection won't survive for long.
Kind regards,
--
With kind regards
i.A. Martin Klier
System Administration / Databases
-----------------------------------------------------------------
A.T.U Auto-Teile-Unger
Handels GmbH & Co. KG
Dr.-Kilian-Straße 4
D-92637 Weiden i. d. OPf.
* Re: Clone a packet - iptables
From: Piotr Szczap @ 2006-04-11 9:13 UTC (permalink / raw)
To: linux-admin
Martin Klier wrote:
>
> I bet Linux' netfilter can't do this. Think about your tcp connection's
> partner: it will receive ACK flags from two processes on the destination
> machine. Your tcp connection won't survive for long.
You're right of course but I made a mistake in my question:
I want to clone UDP not TCP. Does this change anything?
Regards,
Piotr Szczap
* Re: Clone a packet - iptables
From: Tom Callahan @ 2006-04-11 11:56 UTC (permalink / raw)
To: Piotr Szczap; +Cc: linux-admin
If I remember correctly.....won't the sequence numbers be out of whack
due to multiple transactions? Would this result in corrupted data? Or a
dropped connection?
Tom Callahan
TESSCO Technologies
Desk: (410)-229-1361
Cell: (410)-588-7605
Email: callahant@tessco.com
A real engineer only resorts to documentation when the keyboard dents on the forehead get too noticeable.
Piotr Szczap wrote:
>Martin Klier wrote:
>>I bet Linux' netfilter can't do this. Think about your tcp connection's
>>partner: it will receive ACK flags from two processes on the destination
>>machine. Your tcp connection won't survive for long.
>
>You're right of course but I made a mistake in my question:
>I want to clone UDP not TCP. Does this change anything?
>
>Regards,
>Piotr Szczap
* Re: Clone a packet - iptables
From: Andy Davidson @ 2006-04-19 13:45 UTC (permalink / raw)
To: Piotr Szczap; +Cc: linux-admin
Piotr Szczap wrote:
> You're right of course but I made a mistake in my question:
> I want to clone UDP not TCP. Does this change anything?
If you are wanting this for monitoring/debugging/IDS, etc. you are much
better off with a monitoring port on your switch..
cheers
-a
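
As an added illustration of the UDP case discussed in this thread (not code posted by anyone on the list): a user-space relay that receives each datagram and sends an identical copy to two receivers. Loopback sockets stand in for host_a, host_b and the port-1111 listener, and the function names are made up for this example.

```python
import socket

def make_udp_socket(addr=("127.0.0.1", 0), timeout=2.0):
    """Bind a UDP socket; port 0 lets the OS pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.bind(addr)
    return s

def fan_out(listener, targets, count):
    """Copy `count` datagrams from `listener` to every address in `targets`.

    Returns a list of (sender, payload, delivered_to) tuples. A send error
    on one target is skipped and does not stop delivery to the others.
    """
    log = []
    for _ in range(count):
        payload, sender = listener.recvfrom(65535)
        delivered = []
        for target in targets:
            try:
                listener.sendto(payload, target)
                delivered.append(target)
            except OSError:
                pass  # target unreachable; keep serving the rest
        log.append((sender, payload, delivered))
    return log

def demo():
    """Loopback stand-ins for host_a, host_b and the port-1111 listener."""
    host_a, host_b, listener, client = (make_udp_socket() for _ in range(4))
    try:
        targets = [host_a.getsockname(), host_b.getsockname()]
        messages = [b"constructed datagram 1", b"constructed datagram 2"]
        for m in messages:
            client.sendto(m, listener.getsockname())
        log = fan_out(listener, targets, len(messages))
        got_a = [host_a.recvfrom(65535) for _ in messages]
        got_b = [host_b.recvfrom(65535) for _ in messages]
        return (messages, log, got_a, got_b,
                listener.getsockname(), client.getsockname())
    finally:
        for s in (host_a, host_b, listener, client):
            s.close()

if __name__ == "__main__":
    messages, log, got_a, got_b, relay_addr, client_addr = demo()
    print("host_a received:", got_a)
    print("host_b received:", got_b)
```

Both receivers get every payload because UDP carries no handshake or acknowledgement state, but each copy arrives with the relay's source address rather than the original sender's, so anything that logs or filters on source IP at host_a or host_b sees the relay.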