LinuxQuestions.org

Linux - Networking: iptables + TEE doesn't work correctly (http://www.linuxquestions.org/questions/linux-networking-3/iptables-tee-doesnt-work-correctly-4175446905/)

stosba 01-23-2013 10:13 AM

iptables + TEE doesn't work correctly
 
Hello,

On my server, I want to duplicate all the traffic to another host.
I use iptables with the TEE module:
iptables -t mangle -A PREROUTING -i eth0 -j TEE --gateway IP_SERVER2

I check the rule: iptables -t mangle -L

=> The rule is there but it doesn't work... The other server receives nothing.

When I run tcpdump: tcpdump dst IP_SERVER2
=> 0 packets received by filter

I tried to enable /proc/sys/net/ipv4/ip_forward, /proc/sys/net/ipv4/conf/all/accept_redirects, /proc/sys/net/ipv4/conf/all/send_redirects.
I changed to 1 the net.ipv4.ip_forward option in /etc/sysctl.conf, it still doesn't work.


Have you got an idea what's wrong?

pan64 01-25-2013 07:11 AM

Have you tried logging?

stosba 01-25-2013 10:08 AM

When I do:
Code:

iptables -t mangle -A PREROUTING -j LOG --log-level error --log-prefix "PRE_ERROR ";
iptables -t mangle -A POSTROUTING -j LOG --log-level error --log-prefix "POST_ERROR ";

I have this:
PRE_ERROR IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=IP_HOST DST=IP_SERVER1 LEN=76 TOS=0x00 PREC=0x00 TTL=115 ID=31287 DF PROTO=TCP SPT=49383 DPT=22 WINDOW=251 RES=0x00 ACK PSH URGP=0
POST_ERROR IN= OUT=eth0 SRC=IP_HOST DST=IP_SERVER1 LEN=76 TOS=0x00 PREC=0x00 TTL=114 ID=31287 DF PROTO=TCP SPT=49383 DPT=22 WINDOW=251 RES=0x00 ACK PSH URGP=0
POST_ERROR IN= OUT=eth0 SRC=IP_SERVER1 DST=IP_HOST LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=62075 DF PROTO=TCP SPT=22 DPT=49383 WINDOW=206 RES=0x00 ACK URGP=0

stosba 01-28-2013 03:16 AM

I think I found the problem: IP_SERVER2 is not in the same network as IP_SERVER1.

Is there a solution to duplicate packets to another network?

scheidel21 01-28-2013 07:14 AM

Ethernet packets are layer 2; the only way to get packets to pass between logically separated subnets is to bridge the networks. It might work if you bridge the interfaces of the two networks. This could have unintended consequences though; to be honest, I'm not sure what exactly would happen.
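The following script is an added example, not code from this thread or from the iptables project. It encodes the pre-check this thread ends up needing: xt_TEE clones each matching packet unchanged and hands the clone to the neighbour at --gateway through a layer-2 (ARP) lookup, so a gateway that is only reachable through a router is never reached and the rule sits in the table mirroring nothing. The helper names (ip_to_int, same_subnet, mirror_rule, iface_cidr), the interface name and the addresses are made up for the example; the only real commands are iptables and ip from iproute2, and the script only prints the iptables command rather than running it.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to build a TEE mirror rule
# whose --gateway is not on-link for the capture interface. IPv4 only.
# Helper names, interface name and addresses are constructed for this example.

# ip_to_int 192.168.1.10 -> 3232235786 (dotted quad as a 32-bit integer)
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 2 ;; esac
    _a=${1%%.*}; _r=${1#*.}
    _b=${_r%%.*}; _r=${_r#*.}
    _c=${_r%%.*}; _d=${_r#*.}
    echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# same_subnet <addr/prefix> <addr>: exit 0 when <addr> lies inside the prefix,
# 1 when it does not, 2 on malformed input
same_subnet() {
    _addr=${1%/*}; _plen=${1#*/}
    case $_plen in ''|*[!0-9]*) return 2 ;; esac
    [ "$_plen" -le 32 ] || return 2
    _mask=$(( (0xffffffff << (32 - _plen)) & 0xffffffff ))
    _host=$(ip_to_int "$_addr") || return 2
    _gw=$(ip_to_int "$2") || return 2
    [ $(( _host & _mask )) -eq $(( _gw & _mask )) ]
}

# mirror_rule <iface> <addr/prefix of iface> <gateway>: print the iptables
# command when the gateway is a layer-2 neighbour; otherwise refuse, because
# TEE resolves --gateway with an ARP lookup and a routed address gets no clones.
mirror_rule() {
    if same_subnet "$2" "$3"; then
        echo "iptables -t mangle -A PREROUTING -i $1 -j TEE --gateway $3"
    else
        echo "refusing: $3 is not on-link for $1 ($2); TEE needs a layer-2 neighbour" >&2
        return 1
    fi
}

# iface_cidr eth0 -> first IPv4 addr/prefix configured on eth0 (needs iproute2)
iface_cidr() {
    ip -4 -o addr show dev "$1" | awk 'NR == 1 { print $4 }'
}

# Usage: sh tee_check.sh eth0 192.168.1.200   (prints the rule or a refusal)
if [ $# -eq 2 ]; then
    mirror_rule "$1" "$(iface_cidr "$1")" "$2"
fi
```

When verifying a rule that passed this check, watch the packet counters with `iptables -t mangle -L PREROUTING -v` and capture on the mirror host by the original addresses (for example `tcpdump -ni eth0 host IP_SERVER1`): the clone keeps the original IP header and only its Ethernet destination points at the gateway, so a filter such as `dst IP_SERVER2` never matches a TEE clone even when mirroring works.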

stosba 01-31-2013 02:23 AM

I've set up a VPN connection between the two servers (in order to be in the same private network) and now the duplication works great.
Thank you.

scheidel21 01-31-2013 11:40 AM

Glad you've gotten it working.
