IPTABLES: process a packet locally and send a copy to another host
A few notes:
- SNAT does not work the way you described it: SNAT replaces the source IP; it won't change the destination IP. After a packet goes through your 2 rules, it will have:
- source: IP_HOST_A:31090
- destination: IP_HOST_B:32090
- neither DNAT nor SNAT targets are capable of duplicating packets
In order to duplicate packets, you can use the TEE target, cf. man iptables-extensions:
TEE
    The TEE target will clone a packet and redirect this clone to another machine on the local network segment. In other words, the nexthop must be the target, or you will have to configure the nexthop to forward it further if so desired.
    --gateway ipaddr
        Send the cloned packet to the host reachable at the given IP address. Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
In your case, that would give:
iptables -t mangle -A POSTROUTING -p tcp --dport 31090 -j TEE --gateway IP_HOST_B
However, I doubt that this kind of packet copy will work well for your case, due to the fact that TCP is used. TCP is designed to establish a connection between a client and a server. Here, you would have a situation with one client and 2 servers: there will be issues.
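As an added example (not code from the answer above or from the original thread), a small Python helper that builds the TEE mirroring rules for both directions of a TCP service and first checks the constraint TEE imposes, that the --gateway host must sit on one of the local interface subnets. The addresses 192.0.2.10/24 and 192.0.2.20 are constructed for illustration.

```python
import ipaddress
from typing import List


def gateway_is_on_link(gateway: str, local_cidrs: List[str]) -> bool:
    """TEE hands the clone to the next hop on the local segment, so the
    --gateway address must lie inside one of this host's interface subnets.
    local_cidrs are the host's own addresses with prefix, e.g. "192.0.2.10/24"."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in ipaddress.ip_network(c, strict=False) for c in local_cidrs)


def tee_mirror_rules(port: int, gateway: str, local_cidrs: List[str]) -> List[str]:
    """Return iptables commands that mirror TCP traffic on `port` to `gateway`.

    Inbound client->server packets are cloned in mangle/PREROUTING and the
    server's replies in mangle/POSTROUTING, so the mirror sees both halves of
    each connection. The original packet is still delivered locally; the clone
    keeps its original IP header, so the mirror host has to capture or accept
    packets addressed to the server IP itself.
    """
    if not gateway_is_on_link(gateway, local_cidrs):
        raise ValueError(f"{gateway} is not on a local subnet; TEE cannot reach it")
    tool = "iptables" if ipaddress.ip_address(gateway).version == 4 else "ip6tables"
    return [
        f"{tool} -t mangle -A PREROUTING -p tcp --dport {port} -j TEE --gateway {gateway}",
        f"{tool} -t mangle -A POSTROUTING -p tcp --sport {port} -j TEE --gateway {gateway}",
    ]


if __name__ == "__main__":
    # Constructed values: server host on 192.0.2.10/24, mirror host 192.0.2.20.
    for rule in tee_mirror_rules(31090, "192.0.2.20", ["192.0.2.10/24"]):
        print(rule)
```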
Armando Contestabile
Updated on September 18, 2022
Comments
-
Armando Contestabile over 1 year
I have trouble configuring iptables to do this: some clients send messages to a server. I want the server host to process the messages locally (host A, as normal) but additionally, for each message (TCP packet), to send a copy of the packet to another host (host B, which runs a modified version of the server; I want to see how it behaves with the same messages, so that I can compare both servers). It should be done with iptables. I have tried the following commands. These send the packet to B, but the message is not processed by host A (should that be done by the 2nd command?).
iptables -t nat -A PREROUTING -p tcp --dport 31090 -j DNAT --to-destination IP_HOST_B:32090
iptables -t nat -A POSTROUTING -p tcp --dport 32090 -j SNAT --to-source IP_HOST_A:31090
What have I missed in my configuration to accomplish my goal?
Thank you.
-
Armando Contestabile almost 7 years
Thank you for your answer. TEE works only for hosts in the same subnet. It's not my case. I have also tried VPNing both hosts and then TEEing packets from A to B, but this didn't work.
-
Gohu almost 7 years
Then, maybe you could use 2 rules: a first one doing nat PREROUTING DNAT towards the distant IP_B, and a second one doing mangle POSTROUTING TEE towards the local IP_A.
-
Armando Contestabile almost 7 years
Now I'm thinking about this. If the hosts are in a VPN and in the same subnet, why did it not work? Maybe it could be this: when the duplicated packet reaches host B, it already has the destination IP of A in the header (or does the TEE rule also change the IP to B?), and then it should be changed with some PREROUTING rule on host B, so that the packet is accepted on B?
-
Gohu almost 7 years
You're probably going to need some network capture to better debug this (tcpdump). You could also use some iptables logging: backreference.org/2010/06/11/iptables-debugging/