IPTABLES: process a packet locally and send a copy to another host


A few notes:

  • SNAT does not work the way you described it: SNAT replaces the source IP, it won't change the destination IP. After a packet goes through your 2 rules, it will have:
    • source: IP_HOST_A:31090
    • destination: IP_HOST_B:32090
  • neither the DNAT nor the SNAT target is capable of duplicating packets

In order to duplicate packets, you can use the TEE target, cf. man iptables-extensions:

TEE

   The TEE target will clone a packet and redirect this clone
   to another machine on the local network segment. In other
   words, the nexthop must be the target, or you will have to
   configure the nexthop to forward it further if so desired.

   --gateway ipaddr
          Send the cloned packet to the host reachable at the
          given IP address. Use of 0.0.0.0 (for IPv4 packets)
          or :: (IPv6) is invalid.

In your case, that would give:

iptables -t mangle -A PREROUTING -p tcp --dport 31090 -j TEE --gateway IP_HOST_B

However, I doubt that this kind of packet copy will work well for your case, due to the fact that TCP is used. TCP is designed to establish a connection between a client and a server. Here, you would have a situation with one client and 2 servers: there will be issues.
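As an added example (not part of the answer above, and not the original poster's commands), the following POSIX shell wrapper builds the TEE rule for host A together with the two checks a practitioner wants before applying it: that the gateway is actually on-link, since TEE hands the clone to that next hop directly and routes it no further, and that host B has a rule to accept a packet whose destination address is still host A's. Nothing in it runs iptables; the functions print the commands. The local address and prefix are assumed to be supplied by the caller (for instance read from `ip -4 addr`), the DNAT on host B is an assumption about how B is set up rather than something the answer specifies, and all addresses are constructed RFC 5737 documentation values.

```shell
#!/bin/sh
# Added example, not from the original answer. It wraps the answer's TEE rule
# in two checks before anyone applies it:
#  1. --gateway must be on the same L2 segment (TEE delivers the clone to that
#     next hop's link-layer address and does not route it further), and
#  2. the clone keeps its original headers (client source, host A destination),
#     so host B needs a rule of its own to accept it.
# Nothing here runs iptables; the functions print the commands. The local
# address/prefix are supplied by the caller (e.g. read from `ip -4 addr`).
# All addresses used below are constructed RFC 5737 documentation values.

# ip4_to_int A.B.C.D -> the address as an unsigned decimal integer
ip4_to_int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask N (1..32) -> netmask for /N as an integer
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# same_subnet LOCAL_IP PREFIX GATEWAY -> succeeds only when GATEWAY is on-link
same_subnet() {
    _mask=$(prefix_mask "$2")
    [ $(( $(ip4_to_int "$1") & $_mask )) -eq $(( $(ip4_to_int "$3") & $_mask )) ]
}

# tee_rule PORT GATEWAY -> rule for host A. Traffic delivered to a local socket
# passes PREROUTING and INPUT, never POSTROUTING, so the clone is taken in
# the mangle PREROUTING chain.
tee_rule() {
    printf 'iptables -t mangle -A PREROUTING -p tcp --dport %s -j TEE --gateway %s\n' "$1" "$2"
}

# receiver_rule HOST_A_IP PORT HOST_B_IP -> rule for host B (an assumption about
# B's setup): the clone still carries host A's address as destination, so B
# would otherwise forward or drop it; this DNAT hands it to B's own server.
receiver_rule() {
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' "$1" "$2" "$3"
}

# mirror_setup HOST_A_IP PREFIX PORT HOST_B_IP -> prints both rules, or fails
# without printing anything when host B is not reachable as a TEE next hop.
mirror_setup() {
    if ! same_subnet "$1" "$2" "$4"; then
        echo "refusing: $4 is not on-link for $1/$2; TEE cannot reach it" >&2
        return 1
    fi
    echo "# on host A ($1):"
    tee_rule "$3" "$4"
    echo "# on host B ($4):"
    receiver_rule "$1" "$3" "$4"
}

# Sample run with constructed addresses: A=192.0.2.10/24, B=192.0.2.20, port 31090
mirror_setup 192.0.2.10 24 31090 192.0.2.20
```

The on-link check is the condition the comments below run into: a host in another subnet never receives the clone, whatever the routing table says. And even with both rules in place, host B's server answers the client on its own, so the client sees two sets of SYN-ACKs and data for one connection; that is the one-client-two-servers problem the answer warns about, and it is why the mirrored stream is usually only useful to a passive listener (tcpdump on B) rather than a second live server.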


Author: Armando Contestabile

Updated on September 18, 2022

Comments

  • Armando Contestabile
    Armando Contestabile over 1 year

    I have trouble configuring iptables to do this: some clients send messages to a server. I want the server host to process the messages locally (host A, as normal) but additionally, for each message (TCP packet), to send a copy of the packet to another host (host B, which runs a modified version of the server; I want to see how it behaves with the same messages, so that I can compare both servers). It should be done with iptables. I have tried the following commands. These send the packet to B, but the message is not processed by host A (should that be done by the 2nd command?).

    iptables -t nat -A PREROUTING -p tcp --dport 31090 -j DNAT --to-destination IP_HOST_B:32090
    iptables -t nat -A POSTROUTING -p tcp --dport 32090 -j SNAT --to-source IP_HOST_A:31090
    

    What have I missed in my configuration to accomplish my goal?

    Thank you.

  • Armando Contestabile
    Armando Contestabile almost 7 years
    Thank you for your answer. TEE works only for hosts in the same subnet. That's not my case. I have also tried VPNing both hosts and then TEEing packets from A to B, but this didn't work.
  • Gohu
    Gohu almost 7 years
    Then maybe you could use 2 rules: a first one doing a nat PREROUTING DNAT towards the distant IP_B, and a second one doing a mangle POSTROUTING TEE towards the local IP_A.
  • Armando Contestabile
    Armando Contestabile almost 7 years
    Now I'm thinking about this. If the hosts are in a VPN and in the same subnet, why did it not work? Maybe it could be this: when the duplicated packet reaches host B, it already has the destination IP of A in its header (or does the TEE rule also change the IP to B?), and then it should be changed with some PREROUTING rule on host B, so that the packet is accepted on B?
  • Gohu
    Gohu almost 7 years
    You're probably going to need some network capture to better debug this (tcpdump). You could also use some iptables logging: backreference.org/2010/06/11/iptables-debugging/