I have a dedicated Linux (Debian 7.5) root server, with a number of guests set up. The guests are KVM instances, and get network access via bridge-utils (NAT, internal IPs, use the host as a gateway).
E.g. one KVM is my WebServer guest, and it gets accessible via the host IP this way:
iptables -t nat -I PREROUTING -p tcp -d 148.251.Y.Z --dport 80 -j DNAT --to-destination 192.168.100.X:80
I do the same with other services, keeping them self-contained, NATed and isolated.
But one guest is supposed to be a network monitor, and shall perform network traffic inspection (like an IDS). Usually, in a non virtual setup I would use VACLs or SPAN ports to mirror the traffic. Of course, inside this one host, I cannot do this (easily, because I don't want to use complex virtual switching approaches).
- Can I get a port mirror using iptables, and redirect all ingress and egress traffic to one KVM guest? All guests have a dedicated interface, like vnet1.
- Is it possible to selectively forward traffic, based on the protocol (like a VACL forward rule, which only grabs HTTP)?
- Do the guests need a specific interface setup, when I need to keep vnet1 as a management interface (with an IP)?
I would be glad for a pointer in the right direction:
iptables 1.4.14-3.1
linux 3.2.55
bridge-utils 1.5-6
Thanks a lot :)
Answer
What about prepending the root server's PREROUTING mangle table rules with something like:
iptables -I PREROUTING -t mangle -j ROUTE --gw 192.168.200.1 --tee
and then prepending the POSTROUTING mangle table rules with something like
iptables -I POSTROUTING -t mangle -j ROUTE --gw 192.168.200.1 --tee
where 192.168.200.1 is the network monitor.
These rules will mirror all the incoming and outgoing traffic, forwarding it to 192.168.200.1.
Edit:
Mangle table specific: -j ROUTE (explicitly route packets, valid at PREROUTING), options: --iface, --ifindex
But you could also use something like
iptables -I PREROUTING -t mangle -i eth0 -j TEE --gateway 192.168.200.1
and
iptables -I POSTROUTING -t mangle -j TEE --gateway 192.168.200.1
where TEE now is a target which at PREROUTING takes more options, like -i, -p, etc.
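One way to put the TEE approach into practice, as an added example that is not part of the question or the answer: a small POSIX sh script that builds the mangle-table TEE rules both for the mirror-everything case and for the HTTP-only case the question asks about. The monitor address 192.168.200.1 comes from the answer; WAN_IF=eth0, the DRY_RUN switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example: TEE-based port mirror toward a KVM monitor guest.
# Assumptions: the host uplink is eth0 (WAN_IF), the monitor guest
# sits on the same bridge as the other guests (TEE needs an on-link
# gateway), and DRY_RUN=1 prints the rules instead of applying them.
MONITOR="${MONITOR:-192.168.200.1}"
WAN_IF="${WAN_IF:-eth0}"

# Run iptables, or print the command when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# Insert one TEE rule into the mangle table. Arguments after the
# gateway are passed through as match options (-i, -p, --dport, ...).
# TEE only changes the layer-2 destination of the clone: the copy keeps
# its original IP addresses, so the monitor must sniff its interface
# rather than expect the packets to be delivered to its own IP stack.
tee_rule() {
    chain="$1"; gateway="$2"; shift 2
    run -t mangle -I "$chain" "$@" -j TEE --gateway "$gateway"
}

# Question 1: mirror everything that enters or leaves via the uplink.
mirror_all() {
    monitor="$1"; wan_if="$2"
    tee_rule PREROUTING  "$monitor" -i "$wan_if"
    tee_rule POSTROUTING "$monitor" -o "$wan_if"
}

# Question 2 (VACL-style): mirror only HTTP. Match on ports, not on the
# guest's 192.168.100.X address: mangle PREROUTING runs before the nat
# table, so inbound packets still carry the public 148.251.Y.Z address
# when TEE sees them; likewise mangle POSTROUTING sees the pre-SNAT source.
mirror_http() {
    monitor="$1"; wan_if="$2"
    tee_rule PREROUTING  "$monitor" -i "$wan_if" -p tcp --dport 80
    tee_rule POSTROUTING "$monitor" -o "$wan_if" -p tcp --sport 80
}

# Usage: ./mirror.sh all | http   (DRY_RUN=1 to preview the rules)
case "${1:-}" in
    all)  mirror_all  "$MONITOR" "$WAN_IF" ;;
    http) mirror_http "$MONITOR" "$WAN_IF" ;;
esac
```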