Free Linux Tutorials

Copy and send (tee) packets from a mirrored interface using iptables and ebtables

Objective: copy (tee) the packets arriving on enp3s4f1 and send them to a destination IP via the enp3s4f0 management/data port.

ServerA:
  enp3s4f1 - connected to a SPAN (mirror) port on switch1, no IP address
  enp3s4f0 - connected to switch2 as the management/data port, IP 192.168.100.99
ServerB: destination IP 192.168.100.100 (same IP range)

This is based on commer's post on LinuxQuestions (LQ) below:

http://www.linuxquestions.org/questions/linux-networking-3/how-to-route-forward-packets-in-promiscuous-mode-832698/

1. Configure the bridge interface and bind enp3s4f1 to it. Disable Spanning Tree Protocol (STP) if necessary, then bring the bridge interface up.

# brctl addbr br0
# brctl stp br0 off
# brctl addif br0 enp3s4f1
# ifconfig br0 up

2. Use ebtables to redirect the MAC address of incoming frames to the machine's own physical device. The redirect target rewrites the destination MAC to the bridge's own address, and in the broute table a DROP verdict means "route", so the frames are handed to the local IP stack instead of being bridged.

# ebtables -t broute -A BROUTING -i enp3s4f1 -j redirect --redirect-target DROP

3. Configure a static route for every expected incoming IP address/subnet, e.g.

# ip route add 192.168.20.192/27 dev enp3s4f1
# ip route add 192.168.20.224/27 dev enp3s4f1

4. Tee the packets (the sample filter matches DHCP packets) and send the copies to 192.168.100.100

# iptables -t mangle -A PREROUTING -i enp3s4f1 -p udp --dport 67:68 --sport 67:68 ! -d 192.168.100.0/24 -j TEE --gateway 192.168.100.100

Note: I configured an exception for the same destination IP range to avoid a double tee.
Use the command "iptables -t mangle -L -v" to see if the tee packet counters are incrementing.
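The four steps and the counter check combined into one script. This is an added example, not the original post's commands or a script from its author: it uses the post's interface names and addresses as defaults, adds a DRY_RUN switch (an assumption of this example, on by default so it only prints the commands), and parses the iptables listing with -x so the counters are exact numbers rather than "13K"-style abbreviations.

```shell
#!/bin/sh
# Added example, not the original post's script: the four steps as shell
# functions, with a DRY_RUN switch (on by default) that only prints the
# commands, plus a counter check that parses the "iptables -t mangle -L -v"
# listing the post recommends. Interface names and addresses are the post's
# own values; override them through the environment for another host.

SPAN_IF="${SPAN_IF:-enp3s4f1}"           # port on the switch1 SPAN session, no IP
BRIDGE="${BRIDGE:-br0}"
TEE_GW="${TEE_GW:-192.168.100.100}"      # ServerB, must be on a directly attached network
MGMT_NET="${MGMT_NET:-192.168.100.0/24}" # management range, excluded to avoid a double tee
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print only; set to 0 to apply (needs root)

# run: print the command, and execute it only when DRY_RUN=0
run() {
    echo "+ $*"
    if [ "$DRY_RUN" = "0" ]; then
        "$@"
    fi
}

# Steps 1-3: bridge with STP off, ebtables broute rule, one static route per
# mirrored subnet. In the broute table a DROP verdict means "route", so the
# mirrored frames reach the local IP stack where the mangle table can see them.
setup_mirror() {
    run brctl addbr "$BRIDGE"
    run brctl stp "$BRIDGE" off
    run brctl addif "$BRIDGE" "$SPAN_IF"
    run ifconfig "$BRIDGE" up
    run ebtables -t broute -A BROUTING -i "$SPAN_IF" -j redirect --redirect-target DROP
    for net in "$@"; do
        run ip route add "$net" dev "$SPAN_IF"
    done
}

# Step 4: clone DHCP traffic (udp 67/68) to ServerB, skipping the management range
add_tee_rule() {
    run iptables -t mangle -A PREROUTING -i "$SPAN_IF" -p udp --dport 67:68 --sport 67:68 \
        ! -d "$MGMT_NET" -j TEE --gateway "$TEE_GW"
}

# tee_pkts: read an "iptables -t mangle -L PREROUTING -v -n -x" listing on stdin
# and print the packet counter of the first TEE rule (0 when no rule is present).
# Column 1 is pkts and column 3 is the target; -x keeps the counters exact.
tee_pkts() {
    awk '$3 == "TEE" { print $1; found = 1; exit } END { if (!found) print 0 }'
}

# check_tee BEFORE AFTER: compare two listings taken some seconds apart and
# succeed only when the TEE counter grew, i.e. packets are really being teed
check_tee() {
    before=$(printf '%s\n' "$1" | tee_pkts)
    after=$(printf '%s\n' "$2" | tee_pkts)
    echo "TEE counter: $before -> $after"
    [ "$after" -gt "$before" ]
}

# Usage: sh tee-mirror.sh apply   (DRY_RUN=0 to really run the commands)
#        sh tee-mirror.sh check   (two samples 5 s apart, compared)
case "${1:-}" in
    apply)
        setup_mirror 192.168.20.192/27 192.168.20.224/27
        add_tee_rule
        ;;
    check)
        s1=$(iptables -t mangle -L PREROUTING -v -n -x)
        sleep 5
        s2=$(iptables -t mangle -L PREROUTING -v -n -x)
        check_tee "$s1" "$s2"
        ;;
esac
```

With DRY_RUN=0 the same functions run the real commands, which need root and the bridge-utils, ebtables and iptables packages. A TEE counter that does not grow in check mode means the rule is not matching: confirm the span port is actually mirroring traffic and that the 67:68 port ranges match what you expect to see.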

Tested and working on CentOS 7.
