Tuesday 23 October 2018

networking - Mirror Port via iptables


I have a dedicated Linux (Debian 7.5) root server, with a number of guests set up. The guests are KVM instances, and get network access via bridge-utils (NAT, internal IPs, use the host as a gateway).


E.g. one KVM guest is my web server, and it is made accessible via the host IP this way:


    iptables -t nat -I PREROUTING -p tcp -d 148.251.Y.Z \
        --dport 80 -j DNAT --to-destination 192.168.100.X:80

I do the same with other services, keeping them self-contained, NATed and isolated.


But one guest is supposed to be a network monitor, and shall perform network traffic inspection (like an IDS). Usually, in a non virtual setup I would use VACLs or SPAN ports to mirror the traffic. Of course, inside this one host, I cannot do this (easily, because I don't want to use complex virtual switching approaches).



  1. Can I get a port mirror using iptables, and redirect all ingress and egress traffic to one KVM guest? All guests have a dedicated interface, like vnet1.

  2. Is it possible to selectively forward traffic, based on the protocol (like a VACL forward rule, which only grabs HTTP)?

  3. Do the guests need a specific interface setup, when I need to keep vnet1 as a management interface (with an IP)?


I would be happy for a pointer in the right direction:


    iptables     1.4.14-3.1
    linux        3.2.55
    bridge-utils 1.5-6

Thanks a lot :)



Answer



What about prepending the root server's PREROUTING mangle table rules with something like:


    iptables -I PREROUTING -t mangle -j ROUTE --gw 192.168.200.1 --tee

and then prepending the POSTROUTING mangle table rules with something like


    iptables -I POSTROUTING -t mangle -j ROUTE --gw 192.168.200.1 --tee

where 192.168.200.1 is the network monitor.


These rules will mirror all incoming and outgoing traffic, forwarding it to 192.168.200.1.


edit:


    mangle table specific
    -j ROUTE (explicitly route packets, valid at PREROUTING)
    options:
    --iface
    --ifindex

but you could also use something like


    iptables -I PREROUTING -t mangle -i eth0 -j TEE --gateway 192.168.200.1

and


    iptables -I POSTROUTING -t mangle -j TEE --gateway 192.168.200.1

where TEE is a target which at PREROUTING takes more match options, e.g. -i, -p, etc.
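As an added example (not part of the question or the answer above), a small sh script that applies the TEE approach to the setup in the question, covering both the full mirror (question 1) and a protocol-selective mirror (question 2). The monitor address 192.168.200.1 is taken from the answer; the interface names eth0 (public NIC) and br0 (the bridge the NATed guests sit behind) are assumptions, so adjust the variables to match the host. Setting IPT=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not the original poster's or the answerer's code.
# Port-mirror guest traffic to a monitoring KVM guest with the iptables
# TEE target (xt_TEE, in mainline kernels since 2.6.36, so present on 3.2).
#
# Assumptions (set the variables to match the host):
#   MONITOR   IP of the monitoring guest on the bridge (from the answer)
#   WAN_IF    the host's public NIC (assumed eth0)
#   GUEST_BR  the bridge carrying the NATed guests (assumed br0)
# With IPT=echo the script prints the rules instead of applying them.

IPT="${IPT:-iptables}"
MONITOR="${MONITOR:-192.168.200.1}"
WAN_IF="${WAN_IF:-eth0}"
GUEST_BR="${GUEST_BR:-br0}"

# tee_rule CHAIN [match ...]: append one TEE rule to the mangle table.
# TEE is only valid in the mangle table; the clone is sent to MONITOR's
# MAC address while keeping the original IP header.
tee_rule() {
    chain="$1"; shift
    "$IPT" -t mangle -A "$chain" "$@" -j TEE --gateway "$MONITOR"
}

# Question 1: mirror everything.
# Both directions of the guests' traffic enter the host through PREROUTING:
# Internet -> guest arrives on WAN_IF, guest -> Internet arrives on the
# bridge. One PREROUTING rule per ingress interface is therefore enough;
# adding a POSTROUTING rule as well would send the monitor two copies of
# every forwarded packet. The monitor's own management traffic is left out.
mirror_all() {
    tee_rule PREROUTING -i "$WAN_IF"
    tee_rule PREROUTING -i "$GUEST_BR" ! -s "$MONITOR"
}

# Question 2: mirror a single service, e.g. mirror_service tcp 80.
# mangle PREROUTING runs before nat PREROUTING, so the inbound match is
# evaluated against the public IP before DNAT rewrites the destination.
# Replies from the guest are matched by source port on the bridge side.
mirror_service() {
    proto="$1"; port="$2"
    tee_rule PREROUTING -i "$WAN_IF" -p "$proto" --dport "$port"
    tee_rule PREROUTING -i "$GUEST_BR" ! -s "$MONITOR" -p "$proto" --sport "$port"
}

# Stand-alone usage:  ./mirror.sh all       or   ./mirror.sh service tcp 80
# Dry run:            IPT=echo ./mirror.sh service tcp 80
case "${1:-}" in
    all)     mirror_all ;;
    service) mirror_service "$2" "$3" ;;
esac
```

Two caveats for the monitor guest (question 3): the clones reach it with its own MAC but the original destination IP, so a capture tool (tcpdump, Snort) sees them fine, but ip_forward must stay off on that guest or it will route the copies back out; and traffic between two guests that stays on the bridge never passes PREROUTING unless bridge-nf-call-iptables is enabled, so it is not mirrored by these rules. Note also that the ROUTE target with --tee in the first half of the answer came from the out-of-tree patch-o-matic extensions and is not in a stock Debian iptables; TEE is its in-tree replacement.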

