Vieri l33t
Joined: 18 Dec 2005 Posts: 888
Posted: Fri Sep 27, 2019 9:00 am Post subject: send all traffic between some vlan interfaces to another NIC
Hi,
I would like to send/mirror/copy all ethernet traffic between some VLAN interfaces to just one network interface, be it physical or another vlan.
For instance, suppose I have 3 NICs with the following configuration:
Code:
enp8s5
enp8s5.1@enp8s5
enp8s5.12@enp8s5
enp5s0
enp5s0.1@enp5s0
enp5s0.11@enp5s0
enp5s0.12@enp5s0
enp5s0.13@enp5s0
enp5s0.14@enp5s0
enp5s0.15@enp5s0
enp5s0.16@enp5s0
enp10s0
Case 1:
I connect a monitoring device (IDS) to enp10s0, and I want to send a copy of all the ethernet traffic seen on enp5s0.12@enp5s0, enp5s0.14@enp5s0 and enp5s0.15@enp5s0 to that device on enp10s0.
Case 2:
I do the same as in case 1, except that the IDS device is connected to enp8s5.12@enp8s5. I want to send a copy of the traffic seen on enp5s0.12@enp5s0, enp5s0.14@enp5s0 and enp5s0.15@enp5s0 to enp8s5.12@enp8s5.
How can this be achieved?
szatox Advocate
Joined: 27 Aug 2013 Posts: 3193
Posted: Fri Sep 27, 2019 9:34 am Post subject:
Check out iptables TEE target. Looks promising.
Since you're crossing vlans, I assume you're doing some routing there anyway, so all the traffic you're interested in will be passing through your firewall anyway.
For the record, you can filter bridged traffic with iptables too if you enable it via sysctl.
man iptables-extensions wrote:
TEE
The TEE target will clone a packet and redirect this clone to another machine on the local network segment. In other words, the nexthop must be the target, or you will have to configure the nexthop to forward it further if so desired.
--gateway ipaddr
Send the cloned packet to the host reachable at the given IP address. Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
To forward all incoming traffic on eth0 to a Network Layer logging box:
-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1
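The rule set for Case 1 of the first post, written out as an added example (not code from either poster). It does the TEE mirror suggested in the reply above and, as an alternative that the thread does not mention, a frame-level copy with tc mirred; the gateway address 10.215.246.15 is the one the original poster later used, the interface names are from the first post, and DRY_RUN is a convention of this script only.

```shell
#!/bin/sh
# Added example, not code from either poster. Mirrors the VLAN sub-interfaces
# named in the first post (enp5s0.12, .14, .15) to the IDS, two ways:
#   tee_mirror - xt_TEE as suggested in the reply: an IP-layer clone routed
#                to the IDS host's address (10.215.246.15, the address the
#                poster later used). The IDS must be reachable at that IP out
#                of the NIC it is plugged into and must answer ARP there, or
#                the clone is dropped. Only IP packets are cloned (ARP is not)
#                and the clone's Ethernet header is rewritten for the gateway.
#   tc_mirror  - tc mirred (assumption: not mentioned in the thread), a
#                frame-level copy to any netdev: enp10s0 for case 1, the
#                enp8s5.12 VLAN device for case 2. Needs no IP on the IDS side
#                and keeps the original Ethernet headers.
# DRY_RUN=1 prints the commands instead of running them (running needs root).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Layer-3 mirror with xt_TEE. PREROUTING sees packets arriving on the VLAN,
# POSTROUTING packets leaving it; both are needed to give the IDS both
# directions of a flow.
tee_mirror() {
    gw=$1; shift
    for ifc in "$@"; do
        run iptables -t mangle -A PREROUTING -i "$ifc" -j TEE --gateway "$gw"
        run iptables -t mangle -A POSTROUTING -o "$ifc" -j TEE --gateway "$gw"
    done
}

# Layer-2 mirror with tc mirred: an ingress qdisc for received frames and a
# prio root qdisc for transmitted ones, each with a match-everything filter.
# "u32 match u32 0 0" works with the iproute2 4.4 seen in the thread; newer
# iproute2/kernels can use "matchall" instead.
tc_mirror() {
    dst=$1; shift
    for ifc in "$@"; do
        run tc qdisc add dev "$ifc" handle ffff: ingress
        run tc filter add dev "$ifc" parent ffff: protocol all u32 match u32 0 0 \
            action mirred egress mirror dev "$dst"
        run tc qdisc add dev "$ifc" root handle 1: prio
        run tc filter add dev "$ifc" parent 1: protocol all u32 match u32 0 0 \
            action mirred egress mirror dev "$dst"
    done
}

# Sanity checks: packet counters on the rules/filters show whether clones
# are being made at all; tcpdump on the IDS side shows whether they arrive.
show_status() {
    run iptables -t mangle -vnL PREROUTING
    run iptables -t mangle -vnL POSTROUTING
    for ifc in "$@"; do
        run tc -s filter show dev "$ifc" parent ffff:
    done
}

# Case 1 from the first post, printed rather than applied:
DRY_RUN=1 tee_mirror 10.215.246.15 enp5s0.12 enp5s0.14 enp5s0.15
DRY_RUN=1 tc_mirror enp10s0 enp5s0.12 enp5s0.14 enp5s0.15
```

For Case 2 the only change is the destination: `tc_mirror enp8s5.12 enp5s0.12 enp5s0.14 enp5s0.15`, or for TEE an IDS address that the box routes out of enp8s5.12. Because TEE works at the IP layer, the copies the IDS receives carry the gateway's MAC as destination and no ARP or other non-IP frames; if the IDS needs the original Ethernet headers, the tc variant is the one to use.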
Vieri l33t
Joined: 18 Dec 2005 Posts: 888
Posted: Fri Sep 27, 2019 12:05 pm Post subject:
I ran this command, but I got an error:
Code:
# iptables -t mangle -I PREROUTING -i enp5s0.11 -j TEE -–gateway 10.215.144.81
iptables v1.4.21: unknown option "TEE"
This is my iptables package if I wanted to upgrade it:
Code:
[ebuild U ] net-libs/libnetfilter_conntrack-1.0.7::gentoo [1.0.4::gentoo] USE="-static-libs" 339 KiB
[ebuild r U ] net-firewall/iptables-1.6.1-r3:0/12::gentoo [1.4.21-r1:0/0::gentoo] USE="conntrack ipv6 -netlink -nftables% -pcap% -static-libs" 607 KiB
[ebuild r U ] sys-apps/iproute2-4.17.0-r1::gentoo [4.4.0::gentoo] USE="berkdb iptables ipv6 -atm -caps% -elf% -minimal (-selinux)" 660 KiB
Code:
# emerge --info net-firewall/iptables
Portage 2.3.6 (python 3.4.5-final-0, default/linux/amd64/17.0, gcc-5.4.0, glibc-2.23-r4, 4.9.34-gentoo x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-4.9.34-gentoo-x86_64-AMD_FX-tm-8320_Eight-Core_Processor-with-gentoo-2.3
KiB Mem: 32865056 total, 6601600 free
KiB Swap: 37036988 total, 36997440 free
Timestamp of repository gentoo: Thu, 25 Apr 2019 21:30:01 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.28 p1.2) 2.28
app-shells/bash: 4.3_p48-r1::gentoo
dev-lang/perl: 5.24.1-r2::gentoo
dev-lang/python: 2.7.12::gentoo, 3.4.5::gentoo
dev-util/pkgconfig: 0.28-r2::gentoo
sys-apps/baselayout: 2.3::gentoo
sys-apps/openrc: 0.26.3::gentoo
sys-apps/sandbox: 2.10-r3::gentoo
sys-devel/autoconf: 2.69::gentoo
sys-devel/automake: 1.15.1-r2::gentoo
sys-devel/binutils: 2.28-r2::gentoo
sys-devel/gcc: 5.4.0-r3::gentoo
sys-devel/gcc-config: 1.7.3::gentoo
sys-devel/libtool: 2.4.6-r3::gentoo
sys-devel/make: 4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc: 2.23-r4::gentoo
Repositories:
gentoo
location: /usr/portage
sync-type: rsync
sync-uri: rsync://rsync.gentoo.org/gentoo-portage
priority: -1000
CustomOverlay
location: /usr/local/portage
masters: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/stunnel/stunnel.conf /usr/lib64/fax /usr/share/easy-rsa /usr/share/gnupg/qualified.txt /var/bind /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.0/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news nostrip parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl ads amd64 apache2 berkdb bzip2 cli cluster crypt cxx dri fortran freetds gdbm iconv ipv6 jbig kerberos ldap libtirpc logrotate multilib ncurses nls nptl odbc openmp openrc pam pcre python radius readline samba seccomp ssl tcpd unicode winbind xattr zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="prefork" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx f16c fma3 fma4 mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 xop" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-1" POSTGRES_TARGETS="postgres9_5 postgres10" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_6" RUBY_TARGETS="ruby24" 
USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
=================================================================
Package Settings
=================================================================
net-firewall/iptables-1.4.21-r1::gentoo was built with the following:
USE="conntrack ipv6 -netlink -static-libs" ABI_X86="(64)"
On the other hand, the iptables-extensions man page does show the TEE example syntax.
Code:
# grep TEE /usr/src/linux/.config
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
# CONFIG_HID_STEELSERIES is not set
Code:
# modprobe xt_TEE
# lsmod | grep -i tee
xt_TEE 1961 0
nf_dup_ipv6 1341 1 xt_TEE
nf_dup_ipv4 1341 1 xt_TEE
x_tables 12182 58 xt_LOGMARK,xt_comment,ipt_rpfilter,xt_hashlimit,xt_LOG,xt_ACCOUNT,xt_multiport,ipt_REJECT,xt_pkttype,xt_owner,xt_geoip,xt_nat,arp_tables,iptable_mangle,xt_statistic,ip_tables,xt_time,iptable_filter,xt_condition,xt_length,xt_set,xt_ipp2p,xt_iface,xt_mark,xt_socket,xt_mac,xt_dscp,xt_tcpudp,xt_realm,iptable_raw,xt_tcpmss,xt_NETMAP,ipt_MASQUERADE,xt_connmark,xt_limit,xt_TPROXY,xt_CHECKSUM,xt_recent,xt_NFQUEUE,arptable_filter,xt_helper,ip6table_filter,xt_IPMARK,xt_connlimit,xt_addrtype,xt_policy,xt_DSCP,xt_iprange,xt_TEE,xt_CT,xt_CLASSIFY,xt_physdev,xt_conntrack,ip6_tables,xt_TARPIT,xt_REDIRECT,xt_TCPMSS,xt_NFLOG
However, I'm still getting:
Code:
unknown option "TEE"
Do I need to enable the pcap use flag for iptables? (it doesn't seem to be related, or is it?)
What am I missing?
Vieri l33t
Joined: 18 Dec 2005 Posts: 888
Posted: Tue Oct 01, 2019 8:59 am Post subject:
Somehow, copying and pasting via ssh sessions sometimes leads to the errors seen above. So the above questions are now answered.
However, I now use this command:
Code:
# iptables -t mangle -I POSTROUTING -o enp5s0.11 -j TEE --gateway 10.215.246.15
The IDS host's NIC (gateway) is working at 1000Mb/s according to ethtool.
Tcpdump and iptraf-ng on that NIC show lots of packets (duplicates), so at first it seems to be working fine. However, it soon comes to a crawl and freezes for a while. It then works again, but freezes several times again too. And so on...
CPU and RAM are apparently fine according to top.
iptraf-ng reports peaks around 75Mb/s right before the screen freezes, so I'm apparently still far away from the 1000Mb/s link speed.
How can I further debug this?
Is the system/NIC truly overwhelmed with packets?
How can I be sure about this?
Thanks
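Two drop-counter checks for the question asked in the last post (is the host, rather than the link, overwhelmed?), as an added example that is not from the thread. Both read counters the kernel exposes on any Linux box; the softnet_stat and "ip -s link" samples embedded below are constructed, not data from the poster's machine, and enp10s0 is assumed to be the mirror NIC as in Case 1.

```shell
#!/bin/sh
# Added example, not code from the thread: two drop-counter checks for the
# "is the box overwhelmed with packets?" question. Both counters are
# cumulative since boot, so run the check twice a few seconds apart during a
# freeze and compare the delta. The sample inputs below are constructed.

# /proc/net/softnet_stat: one line per CPU, hex fields. Field 1 = packets
# processed, field 2 = packets dropped because the per-CPU backlog was full
# (net.core.netdev_max_backlog), field 3 = time_squeeze, NAPI polls that ran
# out of budget with work left. A growing field 2 or 3 means the receive
# path on the host, not the 1000Mb/s link, is the bottleneck.
softnet_summary() {
    prog='
    function hex(s,  i, n) {
        n = 0; s = tolower(s)
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return n
    }
    { d = hex($2); q = hex($3)
      printf "cpu%d processed=%d dropped=%d time_squeeze=%d\n", NR - 1, hex($1), d, q
      td += d; tq += q }
    END { printf "total dropped=%d time_squeeze=%d\n", td, tq }'
    if [ $# -eq 0 ]; then awk "$prog" /proc/net/softnet_stat
    elif [ "$1" = "-" ]; then awk "$prog"
    else awk "$prog" "$1"; fi
}

# "ip -s link show dev X" on stdin: picks the "dropped" column under RX: and
# TX:. On the mirror NIC (enp10s0 in case 1) a climbing TX dropped means the
# clones are produced faster than that NIC's queue drains them; a climbing
# RX dropped on the mirrored VLANs' parent NIC points at its receive side.
link_drops() {
    awk 'BEGIN { rx = 0; tx = 0 }
         /^[ \t]*RX:/ { getline; rx = $4 }
         /^[ \t]*TX:/ { getline; tx = $4 }
         END { printf "rx_dropped=%d tx_dropped=%d\n", rx, tx }'
}

# Constructed samples (not real data from the thread): cpu1 has dropped 0x1a
# packets, cpu0 was squeezed 7 times, and enp10s0 has dropped 12 on TX.
SAMPLE_SOFTNET='0001e240 00000000 00000007 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0000ff00 0000001a 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000'
SAMPLE_IP_S_LINK='5: enp10s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    1483920    9612     0       0       0       31
    TX: bytes  packets  errors  dropped carrier collsns
    96331208   120774   0       12      0       0'

printf '%s\n' "$SAMPLE_SOFTNET" | softnet_summary -
printf '%s\n' "$SAMPLE_IP_S_LINK" | link_drops
# On a live box:  softnet_summary    and    ip -s link show dev enp10s0 | link_drops
```

If neither counter moves while the capture stalls, the packets are being delivered and the stall is on the consumer side (the capture tool itself or the IDS host); `tc -s qdisc show dev enp10s0` adds the qdisc-level drop count for the mirror NIC, and the per-driver `ethtool -S` counters show ring overruns that the generic counters may not.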