
I have trouble configuring iptables to do this: some clients send messages to a server. I want the server host (host A) to process the messages locally, as normal, but additionally, for each message (TCP packet), to send a copy of the packet to another host (host B, which runs a modified version of the server; I want to see how it behaves with the same messages, so that I can compare both servers). It should be done with iptables. I have tried the following commands. These send the packet to B, but the message is not processed by host A (should that be done by the 2nd command?).

iptables -t nat -A PREROUTING -p tcp --dport 31090 -j DNAT --to-destination IP_HOST_B:32090
iptables -t nat -A POSTROUTING -p tcp --dport 32090 -j SNAT --to-source IP_HOST_A:31090

What have I missed in my configuration to accomplish my goal?

Thank you.

1 Answer


A few notes:

  • SNAT does not work the way you described it in the description: SNAT replaces the source IP, it won't change the destination IP. After a packet goes through your 2 rules, it will have:
    • source: IP_HOST_A:31090
    • destination: IP_HOST_B:32090
  • neither the DNAT nor the SNAT target is capable of duplicating packets

In order to duplicate packets, you can use the TEE target, cf. man iptables-extensions:

TEE

   The TEE target will clone a packet and redirect this clone
   to another machine on the local network segment. In  other
   words, the nexthop must be the target, or you will have to
   configure the nexthop to forward it further if so desired.

   --gateway ipaddr
          Send the cloned packet to the host reachable at the
          given  IP  address.  Use of 0.0.0.0 (for IPv4 packets)
          or :: (IPv6) is invalid.

In your case, that would give:

iptables -t mangle -A PREROUTING -p tcp --dport 31090 -j TEE --gateway IP_HOST_B

However, I doubt that this kind of packet copy will work well for your case, due to the fact that TCP is used. TCP is designed to establish a connection between a client and a server. Here, you would have a situation with one client and 2 servers: there will be issues.

  • Thank you for your answer. TEE works only for hosts in the same subnet. It's not my case. I have also tried VPNing both hosts and then TEEing packets from A to B, but this didn't work. Commented Jul 11, 2017 at 13:25
  • Then, maybe you could use 2 rules: a first one doing nat PREROUTING DNAT towards the distant IP_B. And a second one doing mangle POSTROUTING TEE towards the local IP_A. Commented Jul 11, 2017 at 13:34
  • Now I'm thinking about this. If the hosts are in a VPN and in the same subnet, why did it not work? Maybe it could be this: the duplicated packet, when it reaches host B, already has the destination IP of A in the header (or does the TEE rule also change the IP to B?), and then it should be changed with some PREROUTING rule on host B, so that the packet is accepted on B? Commented Jul 11, 2017 at 13:35
  • You're probably going to need some network capture to better debug this (tcpdump). You could also use some Iptables logging: backreference.org/2010/06/11/iptables-debugging/ Commented Jul 11, 2017 at 13:40
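The TEE rule from the answer together with the host B side that the comments speculate about, as an added example that is not part of the original question, answer or comments. It assumes A and B share an L2 segment (TEE's requirement), the IP addresses passed in are placeholders, and the DRY_RUN variable is a convenience of this script, not an iptables option.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Mirrors inbound TCP traffic for the server port on host A to host B with
# the TEE target and adds the rules host B needs to accept the clone.
# Assumptions: A and B share an L2 segment, the IPs passed in are
# placeholders, and DRY_RUN=1 prints rules instead of applying them
# (real application needs root and the xt_TEE module).

PORT_A=31090   # port of the production server on host A (from the question)
PORT_B=32090   # port of the modified server on host B (from the question)

ipt() {
    if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Host A: the original packet still reaches the local server (PREROUTING ->
# INPUT); TEE hands an unmodified clone to neighbour IP_B. mangle
# POSTROUTING would only see packets A itself sends, so PREROUTING is used.
mirror_rules_host_a() {
    ip_a=$1; ip_b=$2
    ipt -t mangle -A PREROUTING -d "$ip_a" -p tcp --dport "$PORT_A" \
        -j TEE --gateway "$ip_b"
}

# Host B: the clone arrives with dst=IP_A:PORT_A, which B would not deliver
# locally. DNAT before the routing decision rewrites it to B's own service.
# conntrack would then rewrite B's replies back to src=IP_A, i.e. B would
# inject packets carrying A's address into the client's session (duplicate
# SYN-ACKs, mismatched sequence numbers). The DROP rule keeps those replies
# on B, so the TCP handshake with B never completes; this is the limitation
# the answer points out, and why a capture (tcpdump) is the safer comparison.
mirror_rules_host_b() {
    ip_a=$1; ip_b=$2
    ipt -t nat -A PREROUTING -d "$ip_a" -p tcp --dport "$PORT_A" \
        -j DNAT --to-destination "$ip_b:$PORT_B"
    ipt -t filter -A OUTPUT -p tcp --sport "$PORT_B" \
        -m conntrack --ctstate DNAT -j DROP
}

# usage: DRY_RUN=1 sh mirror.sh a IP_A IP_B   (or: b IP_A IP_B on host B)
case "${1:-}" in
    a) mirror_rules_host_a "${2:?IP_A}" "${3:?IP_B}" ;;
    b) mirror_rules_host_b "${2:?IP_A}" "${3:?IP_B}" ;;
esac
```

Run with DRY_RUN=1 first to review the exact rules before applying them with root on each host.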
