Linux Netfilter discussions
* monitoring network question
@ 2008-11-12 13:57 Leonardo Rodrigues Magalhães
From: Leonardo Rodrigues Magalhães @ 2008-11-12 13:57 UTC
  To: ML netfilter


    Hello Guys,

    I'm trying to set up a box and I'd like to present my ideas and, 
luckily, get some as well :)

    I'm setting up a small Linux box with 2 NICs working as a bridge. 
That's OK, no problem on that. Maybe the interesting point is that it's 
a Routerboard 450 with OpenWRT, so I don't have the same flexibility of a 
full Linux box. But the bridge part is working just fine, I have frames 
flowing through interfaces.

    So, at the exact moment, I can use this box to monitor some network 
segment and see, on the box, with tcpdump for example, everything that passes 
from one ethernet to another with no logical changes to the network. No 
need for IP changes, no need for routing changes. Of course it has an IP 
address, but that's just for management.

    The next step would be, with this box, to export netflow traffic so I could 
analyse it better on any netflow collector/analyzer software, which 
would give me a MUUUCH better network analysis than the simple iptraf that 
I'm actually using.

    The problems .....

    I cannot use normal iptables -j ULOG rules, because there's no IP 
traffic flowing on the box. The traffic flowing is ethernet frames on the 
bridge.

    I have tried ebtables with ulog as well:

ebtables -A FORWARD --ulog -j CONTINUE

    and then fprobe-ulog to export packets, a configuration which works 
just fine with iptables ULOG, but didn't work with ebtables ulog. Maybe 
I'm missing some ebtables rule or a different target than ulog ..... this 
is the first time I've used ebtables anyway.

    But .... I got a third idea on how to accomplish that. My idea, with 
this box, is to put it right in front of the firewall (yes, with proper 
authorization, nothing illegal here), so I would have the whole network 
on one side of the bridge and the firewall on the other side of the 
bridge. In other words ..... several MACs which I don't know would 
be on one side, and just a single MAC, a known one, on the other side of 
the bridge.

    Based on this, I thought of doing some arpspoof thing, having this 
box fake arp replies to the firewall MAC address and send its own, 
and then forwarding the frames to the real firewall.

    I don't know how to do this and don't know either if this setup would 
help me achieve what I need.

    Well .... I would like to hear some ideas on how to achieve my 
goals. Can anyone help me on this scenario ?

-- 


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send email to it
	gertrudes@solutti.com.br



* Re: monitoring network question
@ 2008-11-12 22:36 ` Grant Taylor
From: Grant Taylor @ 2008-11-12 22:36 UTC
  To: Mail List - Netfilter

On 11/12/08 07:57, Leonardo Rodrigues Magalhães wrote:
> I cannot use normal iptables -j ULOG rules, because there's no IP 
> traffic flowing on the box. The traffic flowing is ethernet frames on the 
> bridge.
> 
> I have tried ebtables with ulog as well:
> 
> ebtables -A FORWARD --ulog -j CONTINUE
> 
> and then fprobe-ulog to export packets, a configuration which works just 
> fine with iptables ULOG, but didn't work with ebtables ulog. Maybe I'm 
> missing some ebtables rule or a different target than ulog ..... this is 
> the first time I've used ebtables anyway.

Have you considered enabling "Bridged NetFilter" (a.k.a. bridge-nf and 
brnf)?  That should allow IPTables to see the bridged ethernet frames. 
If IPTables can see the frames, you should be able to do what you are 
accustomed to doing.  At least I think.

> But .... I got a third idea on how to accomplish that. My idea, with 
> this box, is to put it right in front of the firewall (yes, with proper 
> authorization, nothing illegal here), so I would have the whole network 
> on one side of the bridge and the firewall on the other side of the 
> bridge. In other words ..... several MACs which I don't know would 
> be on one side, and just a single MAC, a known one, on the other side of 
> the bridge.
> 
> Based on this, I thought of doing some arpspoof thing, having this box 
> fake arp replies to the firewall MAC address and send its own, and 
> then forwarding the frames to the real firewall.

Yuck.

IMHO this is in effect a poor man's form of Proxy ARP(ing), which is a 
very poor substitute for bridging.

> I don't know how to do this and don't know either if this setup would 
> help me achieve what I need.

I don't think it would.

Either you will be passing ethernet frames without them passing through 
the higher IP stack, or you will be doing routing, which will require 
modifying your network structure or some (IMHO very nasty) hacks with 
policy based routing.

> Well .... I would like to hear some ideas on how to achieve my 
> goals. Can anyone help me on this scenario ?

Take a look at bridged netfilter and see if it will do what you are 
wanting to do.



Grant. . . .


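As an added example, not code from either poster, here is a small script that does what Grant suggests: switch on bridge-nf so the bridged frames traverse iptables FORWARD, then mirror them with the ULOG target that the original fprobe-ulog setup already expects. The bridge name br0, netlink group 1, the collector address, and fprobe-ulog's -U group-mask option are assumptions to check against the local man pages; on kernels newer than this thread ULOG has been replaced by NFLOG.

```sh
#!/bin/sh
# Added example (not from either poster): follow Grant's suggestion by
# switching on bridge-nf so bridged frames traverse iptables FORWARD, then
# mirror them to a ULOG netlink group that fprobe-ulog exports as NetFlow.
# Assumptions: bridge br0, ULOG group 1, a placeholder collector address.
# Set DRY_RUN=1 to print the commands instead of running them as root.
BRIDGE="${BRIDGE:-br0}"
NLGROUP="${NLGROUP:-1}"
COLLECTOR="${COLLECTOR:-netflow-collector.example:2055}"   # placeholder
BRNF_SYSCTL="${BRNF_SYSCTL:-/proc/sys/net/bridge/bridge-nf-call-iptables}"

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Prints 1 if iptables already sees bridged frames, 0 if not, and
# "missing" when the bridge module is not loaded (the sysctl node only
# appears once it is), which is the usual reason the switch seems absent.
brnf_state() { if [ -r "$1" ]; then cat "$1"; else echo missing; fi; }

# iptables --ulog-nlgroup takes a group number 1..32, but fprobe-ulog -U
# (assumed from its man page) takes a bitmask, so group N is mask 2^(N-1).
ulog_mask() { echo $((1 << ($1 - 1))); }

# Enable bridge-nf and mirror bridged frames on bridge $1 to ULOG group $2.
# --physdev-is-bridged limits the rule to frames being bridged, so traffic
# routed by the box itself is not exported; --ulog-cprange 48 copies only
# the IP and TCP/UDP headers, which is all a flow exporter needs.
ulog_rules() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -I FORWARD -m physdev --physdev-is-bridged \
        -j ULOG --ulog-nlgroup "$2" --ulog-cprange 48 --ulog-prefix "brflow-$1"
}

main() {
    case "$(brnf_state "$BRNF_SYSCTL")" in
        missing) echo "bridge module not loaded; bring up $BRIDGE first" >&2; return 1 ;;
        1) echo "note: bridge-nf already on, so any existing FORWARD rules" \
                "already apply to the bridged frames" >&2 ;;
    esac
    ulog_rules "$BRIDGE" "$NLGROUP"
    run fprobe-ulog -U "$(ulog_mask "$NLGROUP")" "$COLLECTOR"
}

# Only apply when explicitly asked, so sourcing the file just defines helpers.
[ "${BRNF_APPLY:-0}" = 1 ] && main
```

Once bridge-nf is on, every FORWARD rule on the box applies to bridged frames too, so audit that chain before enabling it on a box that already filters.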