Mirror all traffic from one port to another on localhost using iptables
It seems that there are some misunderstandings:
"I need to mirror all packets from port 162": your rule should include --sport 162, or --dport 162 if you meant "all packets arriving at port 162".
"--to-destination 0.0.0.0:1162": in fact 0.0.0.0 does not match localhost. You should use 127.0.0.1 instead.
Finally, for TCP traffic you can try:
iptables -t mangle -A PREROUTING -p TCP --dport 162 -j TEE --gateway 127.0.0.2
iptables -t nat -A PREROUTING -d 127.0.0.2 -p TCP --dport 162 -j DNAT --to 127.0.0.1:1162
The first rule copies the traffic to localhost 127.0.0.2:162. The second rule forwards traffic from 127.0.0.2:162 to 127.0.0.1:1162.
Please note that, unlike traditional port forwarding which applies to the POSTROUTING chain, the second rule applies to PREROUTING. This is because we deal with localhost addresses, so the POSTROUTING chain of the nat table is not crossed by the packet.
And for UDP traffic:
iptables -t mangle -A PREROUTING -p UDP --dport 162 -j TEE --gateway 127.0.0.2
iptables -t nat -A PREROUTING -d 127.0.0.2 -p UDP --dport 162 -j DNAT --to 127.0.0.1:1162
Neci, updated on September 18, 2022
Comments
-
Neci, over 1 year: I need to mirror all packets from port 162 to another (for example 1162) on localhost.
I know that TEE can mirror packets but to some ip address.
Maybe it is possible in one rule change also destination port, but i can't find working solution.
Something like that:
iptables -t mangle -A PREROUTING -d 0.0.0.0:162 -j TEE --to-destination 0.0.0.0:1162
But from manual: Send the cloned packet to the host reachable at the given IP address. Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
Thanks for any hint.
OS: RedHat 6.9
-
Burgi, over 6 years: What have you tried? What OS are you using? Please take our tour and see How to Ask.
-
Neci, almost 5 years: Finally, I use github.com/sleinen/samplicator for such activity.
-
Burgi, over 4 years: You should write an answer explaining how you solved it.
-
Neci, over 6 years: Ouch, it looks like RedHat 6.9 with version 1.4.7 doesn't have TEE functionality; we don't have the module in the kernel for that either.
-
vera, over 6 years: Strange, you mentioned TEE in your question and the error looks like a TEE `--gateway` input error (ipset.netfilter.org/iptables-extensions.man.html#lbDW).
-
QuickPrototype, about 5 years: When testing this on UDP, it appears that the destination IP of the packet is not altered by the TEE rule, thereby nullifying the nat rule.
-
Charles Boling, about 4 years: In my test (4.15 kernel), using TEE in PREROUTING causes no change in the packet (source or destination), and thus specifying any localhost address as the gateway creates a feedback loop (50Gbps on my machine).
-
user39049, over 3 years: Well, this is a very interesting topic. I too had to fan out SNMPTRAP data and reuse the original collector's IP, while keeping the data forwarded to the original collector (which runs Solaris 9). I'm using this as a match in mangle: -A PREROUTING -i ens192 -p udp -m udp --dport 162 -j TEE --gateway 127.0.0.2 and this in nat: -A PREROUTING -p udp -m udp --dport 162 -j DNAT --to 10.0.250.53, and it works (not sure how, though)... (CentOS 8, kernel 4.18)
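The asker reports above that they ended up using samplicator, a userspace UDP replicator, and two commenters report that TEE towards a loopback gateway either leaves the packet unchanged or loops it. The following is an added example, written for this page and not taken from the original post or from samplicator, of that userspace approach in Python: one UDP listener that copies every datagram it receives to a list of targets (for the question's case, 127.0.0.1:1162 plus any other collector). It uses only the standard library; the listen address, the target list and the sample datagram are assumptions of the example, and the demo binds ephemeral ports so it runs without root and without touching port 162. It applies the same two checks the thread turns on: 0.0.0.0 and :: are rejected as destinations, and a target equal to the listener itself is refused because it would loop. Caveat: the targets see the replicator's address as the sender, not the original source address, so this does not by itself give user39049's "reuse the original collector's IP" behaviour.

```python
import socket
import threading

# Constructed sample datagram standing in for an SNMP trap (arbitrary bytes, not a real PDU).
SAMPLE_TRAP = b"constructed-snmp-trap-payload"


def parse_targets(spec):
    """Parse "host:port,host:port" into a list of (host, port) tuples.

    0.0.0.0 and :: are rejected for the same reason the TEE manual rejects them
    for --gateway: they are wildcard addresses, not "this host".
    """
    targets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        host, sep, port_text = item.rpartition(":")
        if not sep or not host or not port_text.isdigit():
            raise ValueError(f"bad target {item!r}, expected host:port")
        port = int(port_text)
        if not 0 < port < 65536:
            raise ValueError(f"port {port} out of range in {item!r}")
        if host in ("0.0.0.0", "::"):
            raise ValueError(f"{host} is not a valid destination, use 127.0.0.1")
        targets.append((host, port))
    if not targets:
        raise ValueError("no targets given")
    return targets


class Replicator:
    """Listen on one UDP socket and copy every datagram to every target."""

    def __init__(self, listen_host, listen_port, targets):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((listen_host, listen_port))
        self.sock.settimeout(0.1)  # short timeout so serve() notices stop()
        self.out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.targets = list(targets)
        self.copies = 0
        self._stop = threading.Event()
        self._thread = None
        # A target that is our own listener would feed every copy back to us:
        # the userspace analogue of the TEE-to-loopback feedback loop. This
        # catches the direct case (same host string and port).
        if self.listen_addr() in self.targets:
            raise ValueError("target equals listen address; this would loop")

    def listen_addr(self):
        return self.sock.getsockname()[:2]

    def forward_one(self, data):
        """Send one datagram to every target; returns the number of copies sent."""
        for target in self.targets:
            self.out.sendto(data, target)
        self.copies += 1
        return len(self.targets)

    def serve(self):
        while not self._stop.is_set():
            try:
                data, _src = self.sock.recvfrom(65535)
            except socket.timeout:
                continue
            self.forward_one(data)

    def start(self):
        self._thread = threading.Thread(target=self.serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._stop.set()
        if self._thread is not None:
            self._thread.join()
        self.sock.close()
        self.out.close()


def demo(payload=SAMPLE_TRAP):
    """Fan one datagram out to two local receivers; returns what each received."""
    receivers = []
    for _ in range(2):
        r = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        r.bind(("127.0.0.1", 0))  # ephemeral port, no root needed
        r.settimeout(2)
        receivers.append(r)
    spec = ",".join(f"127.0.0.1:{r.getsockname()[1]}" for r in receivers)
    rep = Replicator("127.0.0.1", 0, parse_targets(spec))
    rep.start()
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
            client.sendto(payload, rep.listen_addr())
        got = [r.recvfrom(65535)[0] for r in receivers]
    finally:
        rep.stop()
        for r in receivers:
            r.close()
    return got


if __name__ == "__main__":
    print(demo())
```

For the question's setup you would run `Replicator("127.0.0.1", 162, parse_targets("127.0.0.1:1162"))` as root (or with CAP_NET_BIND_SERVICE), with the original trap receiver moved to 1162 or listed as a further target; the receivers then see 127.0.0.1 as the sender.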