Port Mirroring with iptables

I have tested this in Ubuntu 14 (I don’t know about other distros). As you know, port mirroring is sometimes useful for monitoring network traffic for intrusion detection systems, passive probing, etc. Basically, it sends a copy of each packet received on an interface to a destination of your choice (depending on your configuration). Depending on your needs, you can use NetFlow as well.

NetFlow captures 7 values from each packet (e.g. source IP, destination IP and their TCP ports, etc.), unlike mirrored traffic, which carries the entire packet. Both port mirroring and NetFlow put load on the machine (but compared to mirroring, NetFlow causes less load and is more efficient, because it captures only those 7 values).

[Topology diagram]

This is our topology, I used VMware.

  • Ubuntu        10.20.0.128
  • BOX-2         10.20.0.129
  • Windows XP    10.20.0.130

We will apply the port mirroring configuration on “Ubuntu Server”, i.e. we are mirroring the traffic from “Ubuntu Server” to “BOX-2”. After this configuration, we will test the mirroring by sending traffic from “Ubuntu Server” to “Windows XP” (Ping: Ubuntu Server –> Windows XP).

Commands to mirror

iptables -t mangle -I PREROUTING -j TEE --gateway 10.20.0.129
iptables -t mangle -I POSTROUTING -j TEE --gateway 10.20.0.129

[Screenshot: the rules being applied]

We need both inbound and outbound traffic, so we add the rule in both chains:

  • “PREROUTING” is traversed before the routing decision happens
  • “POSTROUTING” is traversed after the routing decision
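The two commands above copy every packet that passes through the box. As an added example (not part of the original post), here is a small POSIX shell script that builds the same PREROUTING/POSTROUTING TEE rules for a given gateway, checks that the gateway is a usable IPv4 address, optionally limits the copies to one interface with -i/-o, and can add, remove or just print the rules. The interface name eth0 and the DRY_RUN variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate and apply TEE mirroring
# rules for a given gateway. Assumes root when DRY_RUN is not set to 1; the
# interface name used in the usage line (eth0) is a placeholder.

# Validate a dotted-quad IPv4 address. TEE rejects 0.0.0.0 as a gateway, and the
# gateway must be reachable on the local network segment (see iptables-extensions(8)).
valid_ipv4() {
    case "$1" in
        0.0.0.0) return 1 ;;
    esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for ACTION (add|del), GATEWAY and an optional IFACE.
# Inbound packets are copied in PREROUTING (-i IFACE), outbound in POSTROUTING (-o IFACE).
build_tee_rules() {
    action=$1
    gateway=$2
    iface=${3:-}
    valid_ipv4 "$gateway" || { echo "bad gateway address: $gateway" >&2; return 1; }
    case "$action" in
        add) op=-I ;;
        del) op=-D ;;
        *) echo "action must be add or del" >&2; return 1 ;;
    esac
    in_match=""
    out_match=""
    if [ -n "$iface" ]; then
        in_match=" -i $iface"
        out_match=" -o $iface"
    fi
    echo "iptables -t mangle $op PREROUTING$in_match -j TEE --gateway $gateway"
    echo "iptables -t mangle $op POSTROUTING$out_match -j TEE --gateway $gateway"
}

# Apply or remove the rules; with DRY_RUN=1 they are only printed.
mirror_to() {
    rules=$(build_tee_rules "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh -e
    fi
}

# Usage (nothing is changed in dry-run mode):
#   DRY_RUN=1 ./mirror.sh add 10.20.0.129 eth0
#   ./mirror.sh del 10.20.0.129 eth0
if [ "$#" -gt 0 ]; then
    mirror_to "$@"
fi
```

Two things worth knowing before applying this on a box that also forwards traffic: a packet that is forwarded (rather than originated or terminated) by the Ubuntu machine traverses both PREROUTING and POSTROUTING and is therefore delivered to BOX-2 twice, so on a router you would normally restrict the rules with -i/-o or use only one of the chains; and TEE sends the clone to the gateway as the next hop, so BOX-2 must be on the same local segment as the mirroring machine.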

Ok, the rules are applied, so let’s ping the “Windows XP client” from “Ubuntu”. Now, as you can see, the ping traffic from “Ubuntu Server” to “Windows” shows up on “BOX-2” (verified with tcpdump):

tcpdump -i any -n

[Screenshots: tcpdump output on BOX-2 showing the mirrored ping traffic]

To view the iptables rules:

iptables -t mangle -S

or

iptables -t mangle -L

[Screenshot: output of iptables -t mangle -S / -L]
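Listing the rules is also how you audit a box for mirroring you did not configure yourself. As an added example (not from the original post), the POSIX shell script below parses the output of `iptables -t mangle -S`, lists every TEE rule with its chain and gateway, and reports any gateway that is not on an allow-list you pass in. The rule listing in SAMPLE_RULES is constructed for this example (the 10.20.0.77 gateway is invented), and audit_live only calls iptables when run as root.

```shell
#!/bin/sh
# Added example (not from the original post): audit the mangle table for TEE
# rules. The parser works on `iptables -t mangle -S` text, so it can also be run
# against a saved copy of the listing. SAMPLE_RULES is constructed for this example.

SAMPLE_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -j TEE --gateway 10.20.0.129
-A POSTROUTING -j TEE --gateway 10.20.0.129
-A POSTROUTING -o eth0 -j TEE --gateway 10.20.0.77'

# Read iptables -S output on stdin and print "CHAIN GATEWAY" for every TEE rule.
list_tee_rules() {
    awk '$1 == "-A" {
            for (i = 1; i <= NF; i++)
                if ($i == "--gateway") print $2, $(i + 1)
        }'
}

# Read "CHAIN GATEWAY" lines on stdin; every gateway not given as an argument is
# reported on stderr. Prints the number of unexpected rules and exits non-zero
# when there is at least one.
unexpected_gateways() {
    allowed=" $* "
    count=0
    while read -r chain gw; do
        case "$allowed" in
            *" $gw "*) ;;
            *)
                count=$((count + 1))
                echo "unexpected TEE rule in $chain -> $gw" >&2
                ;;
        esac
    done
    echo "$count"
    [ "$count" -eq 0 ]
}

# Audit the live rules when root; otherwise fall back to the constructed sample.
# Usage: ./audit_tee.sh 10.20.0.129
audit_live() {
    if [ "$(id -u)" -eq 0 ]; then
        iptables -t mangle -S | list_tee_rules | unexpected_gateways "$@"
    else
        printf '%s\n' "$SAMPLE_RULES" | list_tee_rules | unexpected_gateways "$@"
    fi
}
```

Run periodically (or from a configuration-check job) with the gateway you actually intend as the only argument, the non-zero exit status makes it easy to alert on a TEE rule that someone else added.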

To remove:

iptables -t mangle -D PREROUTING -j TEE --gateway 10.20.0.129
iptables -t mangle -D POSTROUTING -j TEE --gateway 10.20.0.129

[Screenshot: rule listing after the delete commands]

As you can see in the above screenshot, the rules were deleted after I ran those commands. So, that completes our objective 🙂

Regards,

Veerendra. Kakumanu



One thought on “Port Mirroring with iptables”

  1. I’m still learning from you, while I’m trying to achieve my goals. I definitely enjoy reading everything that is written on your website. Keep the tips coming. I loved it!
