iptables port-mirroring
Solution 1
Further to Caleb's answer, if you are working with newer iptables (v1.4.14) that no longer has the ROUTE target you will need something like the following, tested on Debian Wheezy*:
iptables -A PREROUTING -t mangle -p tcp ! -s 127.0.0.1 --dport 8001 -j TEE --gateway 127.0.0.1
iptables -A OUTPUT -t nat -p tcp -s 127.0.0.1/32 --dport 8001 -j DNAT --to 127.0.0.1:8002
Test using "netcat" (man nc). In a terminal window type the following and press the Enter key:
nc -l 8002
The command will wait for input that you will type in a second terminal window.
In a second terminal window type the following and press the Enter key:
nc 127.0.0.1 8001
The command will wait for further input. Type anything and press the Enter key. After you press the Enter key in the second terminal window, the text that you typed in the second terminal window should appear in the first terminal window. Press Ctrl-C in the second window to end the session.
*This syntax is not supported in RHEL/Centos (6.5 or earlier) :-( so you need to use socat to tee and forward incoming packets on the original port to two new ports. If you had processes listening on the original receiving port then you need to reconfigure them to listen on one of the tee'd ports as socat is now the listener on the original port. See this SE post for example socat syntax for port cloning.
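Once the two rules above are loaded, the quickest way to be sure the mirror is really in place (and in the right tables and chains) is to read them back from iptables-save rather than trusting the shell history. The following is an added example, not code from the answer or from the iptables project: it parses iptables-save output and checks for the TEE half in mangle/PREROUTING and the DNAT half in nat/OUTPUT for a given port pair. It assumes the usual iptables-save rendering of those targets (--gateway and --to-destination), and the embedded SAMPLE is a constructed iptables-save dump, not captured from a real host. Since a comment on this page reports a similar rule set looping when the source exclusion is missing, the checker also flags a TEE rule that matches the port but lacks the ! -s 127.0.0.1 exclusion the answer uses.

```python
"""Verify that the TEE + DNAT port-mirroring rules are loaded.

Parses the text printed by `iptables-save` and looks for:
  *mangle  -A PREROUTING ! -s 127.0.0.1/32 -p tcp --dport PORT -j TEE --gateway 127.0.0.1
  *nat     -A OUTPUT -s 127.0.0.1/32 -p tcp --dport PORT -j DNAT --to-destination 127.0.0.1:MIRROR
Usage:  sudo iptables-save | python3 check_mirror.py -
With no argument it runs against the constructed SAMPLE below.
"""
import shlex
import sys

# Constructed sample of iptables-save output (not captured from a real host);
# it contains the two rules from the answer for port 8001 -> 8002.
SAMPLE = """\
# Generated by iptables-save (constructed sample)
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING ! -s 127.0.0.1/32 -p tcp -m tcp --dport 8001 -j TEE --gateway 127.0.0.1
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8001 -j DNAT --to-destination 127.0.0.1:8002
COMMIT
"""


def parse_iptables_save(text):
    """Return one dict per '-A' rule: table, chain, opts (name -> value) and
    negated (the set of option names that were preceded by '!')."""
    rules, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *mangle
            table = line[1:]
            continue
        if not line.startswith("-A "):    # skip :CHAIN policy lines and COMMIT
            continue
        toks = shlex.split(line)
        rule = {"table": table, "chain": toks[1], "opts": {}, "negated": set()}
        negate, i = False, 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                # negation applies to the next option
                negate, i = True, i + 1
                continue
            name = tok.lstrip("-")
            # The following token is the value unless it is another option or '!'.
            has_val = (i + 1 < len(toks) and not toks[i + 1].startswith("-")
                       and toks[i + 1] != "!")
            rule["opts"][name] = toks[i + 1] if has_val else True
            if negate:
                rule["negated"].add(name)
            negate = False
            i += 2 if has_val else 1
        rules.append(rule)
    return rules


def check_mirror(rules, port=8001, mirror_port=8002, gw="127.0.0.1"):
    """Report whether both halves of the mirror are present.

    tee_without_source_exclusion is set when a TEE rule matches the port but
    lacks the '! -s <gw>' exclusion used in the answer."""
    found = {"tee": False, "dnat": False, "tee_without_source_exclusion": False}
    for r in rules:
        o = r["opts"]
        if o.get("dport") != str(port):
            continue
        src_host = str(o.get("s", "")).split("/")[0]
        if (r["table"] == "mangle" and r["chain"] == "PREROUTING"
                and o.get("j") == "TEE" and o.get("gateway") == gw):
            if "s" in r["negated"] and src_host == gw:
                found["tee"] = True
            else:
                found["tee_without_source_exclusion"] = True
        if (r["table"] == "nat" and r["chain"] == "OUTPUT" and o.get("j") == "DNAT"
                and o.get("to-destination") == f"{gw}:{mirror_port}"):
            found["dnat"] = True
    found["ok"] = found["tee"] and found["dnat"]
    return found


if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    report = check_mirror(parse_iptables_save(text))
    print(report)
    sys.exit(0 if report["ok"] else 1)
```

The exit status makes the script usable from a deployment or config-audit step: it returns 0 only when both rules are present for the requested port pair, so a host where the mangle rule was lost on reboot (or where someone added a TEE rule without the source exclusion) fails the check instead of silently mirroring nothing.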
Solution 2
The --tee flag is not part of the DNAT chain, it is part of ROUTE. You can only use it following a declaration of -j ROUTE. You can get specific help from iptables on the subject like this:
$ iptables -j ROUTE help
I was looking at your iptables command, and it doesn't make any sense to me. Why are you trying to match against the source and source port of a packet when in your question you said "packegs received on port"? Are you trying to split incoming traffic to hit two ports or take the output of one port and tie it to the input of another?
If the former, there are really two steps. You can't use tee to get a copy of the packet AND mangle the packet to change the port numbers at the same time. You might try this in two steps, first sending yourself a duplicate copy of the packet, then matching the copy only and mangling the destination port. WARNING: untested, consider this pseudo-code:
$ sudo iptables -A PREROUTING -t mangle -p tcp -s !127.0.0.1/32 --dport 8001 -j ROUTE --gw 127.0.0.1 --tee
$ sudo iptables -A POSTROUTING -t nat -p tcp -s 127.0.0.1/32 --dport 8001 -j DNAT --to 127.0.0.1:8002
Parikshit
Updated on September 18, 2022
Comments
- Parikshit over 1 year: I need to be able to get a copy of packets received on port 8001 to port 8002. I have tried the following but I get an error that --tee is undefined.
sudo iptables -t nat -A PREROUTING -p TCP -s 127.0.0.1 --sport 8001 -j DNAT --to-destination 127.0.0.1:8002 --tee
- Gilles 'SO- stop being evil' almost 13 years: Your kernel or iptables may be too old; see Send duplicate packets over two Internet connections.
- Pat about 7 years: This question is answered here: superuser.com/questions/753294/mirror-port-via-iptables/…
- tcoolspy about 12 years: Warning...another site visitor has noted that a similar version of this actually results in an infinite loop! You probably need to figure out how to tag the duplicated packet in the same action, then match on the tag.
- daisy over 11 years: ROUTE seems obsoleted, right?
- Aki over 10 years: It's just a typo, 172.0.0.1 -> 127.0.0.1.
- Jonathan Ben-Avraham over 9 years: N.B. to SE readers: The ROUTE target used in the above answer is obsolete as of this writing and not available in iptables on most recent distros. See serverfault.com/questions/333155/…
- Marcelo Lacerda almost 6 years: For some reason on debian you need to specify the port explicitly with netcat:
nc -l -p 8002
- hanzo2001 almost 4 years: I've been trying to replicate this solution on my Mint 19 Tessa to no avail. I found out that some packages just bounce inside and only one of the two ports receives the package. If I make the mistake of adding logging to try to troubleshoot a rule, the logs (kernel, syslog, journal) quickly eat up my storage.
- hanzo2001 almost 4 years: I also do not understand why the DNAT is set on the OUTPUT chain. Isn't the package already leaving my process to the outside world? Or do loopback addresses behave differently?