iptables port-mirroring

21,959

Solution 1

Further to Caleb's answer, if you are working with newer iptables (v1.4.14) that no longer has the ROUTE target you will need something like the following, tested on Debian Wheezy*:

iptables -A PREROUTING -t mangle -p tcp ! -s 127.0.0.1 --dport 8001 -j TEE --gateway 127.0.0.1
iptables -A OUTPUT -t nat -p tcp -s 127.0.0.1/32 --dport 8001 -j DNAT --to 127.0.0.1:8002

Test using "netcat" (man nc). In a terminal window type the following and press the Enter key:

nc -l 8002

The command will wait for input that you will type in a second terminal window.

In a second terminal window type the following and press the Enter key:

nc 127.0.0.1 8001

The command will wait for further input. Type anything and press the Enter key. After you press the Enter key in the second terminal window, the text that you typed in the second terminal window should appear in the first terminal window. Press Ctrl-c in the second window to end the session.


*This syntax is not supported in RHEL/CentOS (6.5 or earlier) :-( so you need to use socat to tee and forward incoming packets on the original port to two new ports. If you had processes listening on the original receiving port then you need to reconfigure them to listen on one of the tee'd ports as socat is now the listener on the original port. See this SE post for example socat syntax for port cloning.
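The socat-style fallback described in the footnote above, as an added example that is not part of the original answer: a small userspace "tee" in Python that takes over the original port and copies every byte of each incoming connection to two backend ports, which is what the TEE/DNAT rule pair achieves in the kernel. The MirrorServer and CaptureServer classes, mirror_demo, and the use of kernel-assigned (port 0) loopback ports are this example's own choices, not anything from the page or from socat; CaptureServer stands in for the `nc -l` listener in the test procedure.

```python
"""Userspace TCP port mirror on loopback (added example, not from the original post).

Plays the role the answer assigns to socat on systems whose iptables has no
TEE target: the mirror owns the original port, and each real service is moved
to one of the backend ports it fans out to.
"""
import socket
import threading

BUF_SIZE = 4096
LOOPBACK = "127.0.0.1"


def _listener(port):
    """Bind a TCP listening socket on loopback; port 0 asks the kernel for a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((LOOPBACK, port))
    sock.listen(8)
    return sock


def mirror_connection(client, backends):
    """Copy every byte from one accepted client to all backend addresses.
    When the client closes, the backend connections are closed too, so each
    backend sees the same EOF the original listener would have seen."""
    conns = [socket.create_connection(addr) for addr in backends]
    try:
        while True:
            chunk = client.recv(BUF_SIZE)
            if not chunk:
                break
            for conn in conns:
                conn.sendall(chunk)
    finally:
        for conn in conns:
            conn.close()
        client.close()


class MirrorServer:
    """Userspace stand-in for the TEE rule: owns the original port and fans
    each connection out to the backend ports (the socat role in the answer)."""

    def __init__(self, port, backends):
        self.sock = _listener(port)
        self.port = self.sock.getsockname()[1]   # actual port, useful when port == 0
        self.backends = backends
        self.thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self.thread.start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:   # listening socket was closed by close()
                return
            threading.Thread(target=mirror_connection,
                             args=(client, self.backends), daemon=True).start()

    def close(self):
        self.sock.close()


class CaptureServer:
    """Plays the role of `nc -l <port>`: accepts one connection and records
    everything received until the peer closes."""

    def __init__(self, port=0):
        self.sock = _listener(port)
        self.port = self.sock.getsockname()[1]
        self.received = b""
        self.done = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            while True:
                chunk = conn.recv(BUF_SIZE)
                if not chunk:
                    break
                self.received += chunk
        self.sock.close()
        self.done.set()


def mirror_demo(payload=b"hello from the client\n", timeout=5.0):
    """Run the whole exchange on loopback and return what each backend received.
    The payload is constructed sample input, like the text typed into nc."""
    left, right = CaptureServer(), CaptureServer()
    tee = MirrorServer(0, [(LOOPBACK, left.port), (LOOPBACK, right.port)])
    tee.start()
    with socket.create_connection((LOOPBACK, tee.port)) as client:
        client.sendall(payload)
    left.done.wait(timeout)
    right.done.wait(timeout)
    tee.close()
    return left.received, right.received


if __name__ == "__main__":
    first, second = mirror_demo()
    print("backend 1 got:", first)
    print("backend 2 got:", second)
```

Because the mirror is the only process bound to the original port, anything that used to listen there must be moved to one of the backend ports, exactly the reconfiguration the footnote warns about; the kernel TEE rule has no such constraint, since the copy is made below the socket layer.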

Solution 2

The --tee flag is not part of the DNAT chain; it is part of ROUTE. You can only use it following a declaration of -j ROUTE. You can get specific help from iptables on the subject like this:

 $ iptables -j ROUTE help

I was looking at your iptables command, and it doesn't make any sense to me. Why are you trying to match against the source and source port of a packet when in your question you said "packets received on port"? Are you trying to split incoming traffic to hit two ports or take the output of one port and tie it to the input of another?

If the former, there are really two steps. You can't use tee to get a copy of the packet AND mangle the packet to change the port numbers at the same time. You might try this in two steps, first sending yourself a duplicate copy of the packet, then matching the copy only and mangling the destination port. WARNING: untested, consider this pseudo-code:

$ sudo iptables -A PREROUTING -t mangle -p tcp -s !127.0.0.1/32 --dport 8001 -j ROUTE --gw 127.0.0.1 --tee
$ sudo iptables -A POSTROUTING -t nat -p tcp -s 127.0.0.1/32 --dport 8001 -j DNAT --to 127.0.0.1:8002

Author: Parikshit

Updated on September 18, 2022

Comments

  • Parikshit (over 1 year):
    I need to be able to get a copy of packets received on port 8001 to port 8002. I have tried the following but I get an error that --tee is undefined.

    sudo iptables -t nat -A PREROUTING -p TCP -s 127.0.0.1 --sport 8001 -j DNAT --to-destination 127.0.0.1:8002 --tee

  • tcoolspy (about 12 years):
    Warning... another site visitor has noted that a similar version of this actually results in an infinite loop! You probably need to figure out how to tag the duplicated packet in the same action, then match on the tag.

  • daisy (over 11 years):
    ROUTE seems obsoleted, right?

  • Aki (over 10 years):
    It's just a typo, 172.0.0.1 -> 127.0.0.1.

  • Jonathan Ben-Avraham (over 9 years):
    N.B. to SE readers: The ROUTE target used in the above answer is obsolete as of this writing and not available in iptables on most recent distros. See serverfault.com/questions/333155/…

  • Marcelo Lacerda (almost 6 years):
    For some reason on Debian you need to specify the port explicitly with netcat: nc -l -p 8002

  • hanzo2001 (almost 4 years):
    I've been trying to replicate this solution on my Mint 19 Tessa to no avail. I found out that some packages just bounce inside and only one of the two ports receives the package. If I make the mistake of adding logging to try to troubleshoot a rule, the logs (kernel, syslog, journal) quickly eat up my storage.

  • hanzo2001 (almost 4 years):
    I also do not understand why the DNAT is set on the OUTPUT chain. Isn't the package already leaving my process to the outside world? Or do loopback addresses behave differently?