From: "Leonardo Rodrigues Magalhães" <leolistas@solutti.com.br>
To: ML netfilter <netfilter@vger.kernel.org>
Subject: monitoring network question
Date: Wed, 12 Nov 2008 11:57:28 -0200
Message-ID: <491AE0C8.1080705@solutti.com.br>
Hello Guys,
I'm trying to set up a box and I'd like to present my ideas and,
luckily, get some as well :)
I'm setting up a small Linux box with 2 NICs working as a bridge.
That's OK, no problem with that. Maybe the interesting point is that it's
a Routerboard 450 with OpenWRT, so I don't have the same flexibility as a
full Linux box. But the bridge part is working just fine; I have frames
flowing through the interfaces.
So, at this exact moment, I can use this box to monitor some network
segment and see, on the box, with tcpdump for example, everything that passes
from one Ethernet to the other with no logical changes to the network. No
need to change IPs, no need to change routing. Of course it has an IP
address, but that's just for management.
The next step would be, with this box, to export NetFlow traffic so I could
analyse it better on any NetFlow collector/analyzer software, which
would give me a MUUUCH better network analysis than the simple iptraf that
I'm currently using.
The problems.....
I cannot use normal iptables -j ULOG rules, because there's no IP
traffic flowing on the box. The traffic flowing is Ethernet frames on the
bridge.
I have tried ebtables with ulog as well:
ebtables -A FORWARD --ulog -j CONTINUE
and then fprobe-ulog to export packets, a configuration which works
just fine with iptables ULOG, but it didn't work with ebtables ulog. Maybe
I'm missing some ebtables rule or a different target than ulog..... this
is the first time I've used ebtables anyway.
But..... I got a third idea on how to accomplish that. My idea, with
this box, is to put it right in front of the firewall (yes, with proper
authorization, nothing illegal here), so I would have the whole network
on one side of the bridge and the firewall on the other side of the
bridge. In other words..... several MACs, which I don't know, would
be on one side, and just a single, known MAC on the other side of
the bridge.
Based on this, I thought of doing some arpspoof thing, having this
box fake ARP replies to the firewall's MAC address, sending its own,
and then forwarding the frames to the real firewall.
I don't know how to do this, and I don't know either if this setup would
help me achieve what I need.
Well.... I would like to hear some ideas on how to achieve my
goals. Can anyone help me with this scenario?
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT email it:
gertrudes@solutti.com.br
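The post wants NetFlow out of a transparent bridge, which in practice means a flow exporter (fprobe-ulog in the post) turning per-packet summaries from a ULOG / ebtables ulog tap into flow records and NetFlow v5 datagrams. The following is an added example, not code from the post and not fprobe-ulog's implementation: it builds a small flow cache with active and idle timeouts, encodes expired flows in the standard NetFlow v5 wire format, and decodes the result again so it can be checked offline. The packet list is constructed sample input standing in for what the tap would deliver; the timeouts and field layout are standard NetFlow v5, and nothing else is assumed about the box.

```python
"""Flow aggregation and NetFlow v5 export for a bridge tap.

Added example, not code from the post or from fprobe-ulog. The packets
below are constructed sample input; the cache logic and v5 layout are
standard NetFlow, not anything specific to the author's setup.
"""
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire format, big-endian: 24-byte header, then 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")   # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30                        # a v5 datagram carries at most 30 records


@dataclass
class Flow:
    key: tuple            # (src_ip, dst_ip, proto, sport, dport)
    first_ms: int
    last_ms: int
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0    # OR of all TCP flags seen, as v5 reports them


class FlowCache:
    """Aggregates packets into unidirectional flows; expires by active/idle timeout."""

    def __init__(self, active_timeout_s=60, idle_timeout_s=15):
        self.active_ms = active_timeout_s * 1000
        self.idle_ms = idle_timeout_s * 1000
        self.flows = {}       # key -> Flow, insertion ordered
        self.expired = []     # flows ready for export

    def add_packet(self, ts_ms, src, dst, proto, sport, dport, length, tcp_flags=0):
        self.expire(ts_ms)    # the clock only advances when a packet arrives
        key = (src, dst, proto, sport, dport)
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(key, ts_ms, ts_ms)
        flow.packets += 1
        flow.octets += length
        flow.last_ms = ts_ms
        flow.tcp_flags |= tcp_flags

    def expire(self, now_ms):
        """Move flows that hit the active or idle timeout to the export queue."""
        for key, flow in list(self.flows.items()):
            if (now_ms - flow.first_ms >= self.active_ms
                    or now_ms - flow.last_ms >= self.idle_ms):
                self.expired.append(self.flows.pop(key))
        return len(self.expired)


def build_v5_datagram(flows, boot_ms, now_ms, sequence, engine_id=0):
    """Encode up to 30 flows as one NetFlow v5 UDP payload."""
    if len(flows) > V5_MAX_RECORDS:
        raise ValueError("split flows into chunks of %d" % V5_MAX_RECORDS)
    header = V5_HEADER.pack(5, len(flows), now_ms - boot_ms, now_ms // 1000,
                            (now_ms % 1000) * 1_000_000, sequence, 0, engine_id, 0)
    records = b"".join(
        V5_RECORD.pack(socket.inet_aton(f.key[0]), socket.inet_aton(f.key[1]),
                       b"\0\0\0\0",                 # next hop: unknown on a bridge
                       0, 0,                        # input/output SNMP ifIndex
                       f.packets, f.octets,
                       f.first_ms - boot_ms, f.last_ms - boot_ms,   # ms since boot
                       f.key[3], f.key[4],          # src/dst port
                       0, f.tcp_flags, f.key[2], 0, # pad, tcp flags, proto, tos
                       0, 0, 0, 0, 0)               # src/dst AS, masks, pad
        for f in flows)
    return header + records


def parse_v5_datagram(data):
    """Decode a v5 datagram into (src, dst, proto, sport, dport, packets, octets)."""
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not NetFlow v5")
    out = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        out.append((socket.inet_ntoa(r[0]), socket.inet_ntoa(r[1]),
                    r[13], r[9], r[10], r[5], r[6]))
    return out


# Constructed sample tap output: (ts_ms, src, dst, proto, sport, dport, bytes, tcp_flags)
SAMPLE_PACKETS = [
    (1000, "192.0.2.10", "198.51.100.5", 6, 40000, 80, 60, 0x02),    # SYN
    (1010, "198.51.100.5", "192.0.2.10", 6, 80, 40000, 60, 0x12),    # SYN/ACK
    (1020, "192.0.2.10", "198.51.100.5", 6, 40000, 80, 500, 0x18),   # PSH/ACK
    (1500, "192.0.2.11", "198.51.100.53", 17, 5353, 53, 80, 0),      # DNS query
    (30000, "192.0.2.12", "198.51.100.5", 6, 40001, 443, 60, 0x02),  # 28.5 s later: idle flush
]


def run_demo(packets=SAMPLE_PACKETS):
    """Feed the sample packets through the cache and round-trip the export."""
    cache = FlowCache()
    for pkt in packets:
        cache.add_packet(*pkt)
    end_ms = packets[-1][0] + 60_000        # end of capture: flush what is left
    cache.expire(end_ms)
    datagram = build_v5_datagram(cache.expired, boot_ms=0, now_ms=end_ms, sequence=0)
    return parse_v5_datagram(datagram)


if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```

On a real tap the datagram returned by build_v5_datagram would be sent with a UDP socket to the collector's port; the idle timeout is what turns the three short-lived flows into records as soon as the later packet arrives, and the active timeout is what keeps a long-lived connection from sitting in the cache forever.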