iptables + TEE doesn't work correctly
 

Hello,

On my server, I want to duplicate all the traffic to an other host.
I use iptables with TEE module :
iptables -t mangle -A PREROUTING -i eth0 -j TEE --gateway IP_SERVER2

I check the rule : iptables -t mangle -L

=> The rule is here but it doesn't work... The other server receive nothing.

when I do a tcpdump : tcpdump dst IP_SERVER2
=> 0 packets received by filter

I tried to enable /proc/sys/net/ipv4/ip_forward, /proc/sys/net/ipv4/conf/all/accept_redirects, /proc/sys/net/ipv4/conf/all/send_redirects.
I changed to 1 the net.ipv4.ip_forward option in /etc/sysctl.conf, it still doesn't work.


Have you got an idea what's wrong?

have you tried logging?

When I do :
I have this:
PRE_ERROR IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=IP_HOST DST=IP_SERVER1 LEN=76 TOS=0x00 PREC=0x00 TTL=115 ID=31287 DF PROTO=TCP SPT=49383 DPT=22 WINDOW=251 RES=0x00 ACK PSH URGP=0
POST_ERROR IN= OUT=eth0 SRC=IP_HOST DST=IP_SERVER1 LEN=76 TOS=0x00 PREC=0x00 TTL=114 ID=31287 DF PROTO=TCP SPT=49383 DPT=22 WINDOW=251 RES=0x00 ACK PSH URGP=0
POST_ERROR IN= OUT=eth0 SRC=IP_SERVER1 DST=IP_HOST LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=62075 DF PROTO=TCP SPT=22 DPT=49383 WINDOW=206 RES=0x00 ACK URGP=0

I think I found the problem : IP_SERVER2 is not in the same network than IP_SERVER1.

There is a solution to duplicate packets to another network?

Ethernet packets are layer 2 the only way to get packets to pass between logical separated subnets is to bridge the networks. It might work if you bridge the interfaces of the two networks. This could have unintended consequences though, to be honest not sure what exactly would happen.

I've done a vpn connection between the two servers (in order to be in the same private network) and now the duplication works great.
Thanks you.

Glad you've gotten it working.