
I'm looking to duplicate UDP traffic for SYSLOG and NetFlow data and was hoping to use iptables to do so, but so far I'm not having much luck.

I'm aware of other user space software packages that can accomplish this, but they don't seem very well maintained by their developers, so I'd prefer to avoid them if at all possible.

syn-
    possible duplicate of [Copying packets from an interface to another](http://serverfault.com/questions/225178/copying-packets-from-an-interface-to-another) – Zoredache Feb 16 '11 at 23:53
  • I'm unsure what you mean by duplicate. If you mean log twice the logging targets of iptables are non terminating, and if you mean literally create a secondary packet and forward it to some other machine there's a target that does that, too. – Robbie Mckennie May 23 '13 at 02:21

1 Answer

You could use the iptables TEE target as long as you have the xt_TEE module in your kernel. You can duplicate packets incoming to your box and send them to another server in your LAN.

E.g., to duplicate all incoming DNS requests and send them to server 192.168.0.10:

iptables -t mangle -A PREROUTING -i eth0 -p udp --dport 53 -j TEE --gateway 192.168.0.10

Another solution is to use a userspace program such as http://code.google.com/p/port-mirroring/

nrc
  • will this preserve the source ip of the incoming packets when they hit the gateway 192.168.0.10 ? – Amistad Feb 04 '15 at 20:59
  • 1
    @Amistad: https://code.google.com/p/port-mirroring/ says: "iptables simply modifies the ethernet header of the original packets to the target host's MAC address. Therefore, you can not get the original source and destination mac addresses. Also, the target host must be in the same subnet as the mirroring source." – Peter V. Mørch Jun 26 '15 at 04:00
  • Heads Up: the https://code.google.com/p/port-mirroring/ link seems to be for openwrt only. – Peter V. Mørch Jun 26 '15 at 04:03
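An added example, not code from the question, the answer, or the port-mirroring project, that turns the answer's single DNS rule into the syslog and NetFlow case the question asks about. It guards the two things that bite in practice: the TEE target must be available (xt_TEE loaded or built in), and --gateway must be a neighbour on a directly attached subnet, because TEE only rewrites the Ethernet destination and leaves the IP packet untouched. The interface eth0, the gateway 192.168.0.10, the subnet 192.168.0.0/24 and the ports 514 (syslog) and 2055 (a common NetFlow port) are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the original post). Mirror inbound syslog and
# NetFlow with the iptables TEE target. Defaults below are assumptions;
# in production derive MIRROR_NET from: ip -4 -o addr show dev "$MIRROR_IF"
MIRROR_IF="${MIRROR_IF:-eth0}"
MIRROR_GW="${MIRROR_GW:-192.168.0.10}"      # mirror host, must be an L2 neighbour
MIRROR_NET="${MIRROR_NET:-192.168.0.0/24}"  # subnet of MIRROR_IF (assumed)
MIRROR_PORTS="${MIRROR_PORTS:-udp:514 udp:2055}"  # proto:port pairs to copy

# ip4_to_int A.B.C.D -> 32-bit integer (pure POSIX sh arithmetic)
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR -> exit 0 when IP lies inside CIDR, 1 otherwise.
# TEE silently does nothing useful if the gateway is not on-link, so
# this check is done before any rule is installed.
in_subnet() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# tee_rule PROTO PORT -> the iptables command that mirrors that traffic
tee_rule() {
    echo "iptables -t mangle -A PREROUTING -i $MIRROR_IF -p $1 --dport $2 -j TEE --gateway $MIRROR_GW"
}

# tee_available -> 0 if the kernel lists TEE as a target or xt_TEE loads
tee_available() {
    grep -qx TEE /proc/net/ip_tables_targets 2>/dev/null && return 0
    modprobe xt_TEE 2>/dev/null
}

# apply_mirror [--dry-run] -> print (or install) one TEE rule per pair.
# Returns 2 if the gateway is off-link, 3 if TEE is unavailable.
apply_mirror() {
    in_subnet "$MIRROR_GW" "$MIRROR_NET" || {
        echo "gateway $MIRROR_GW is not on $MIRROR_NET; TEE needs an L2 neighbour" >&2
        return 2
    }
    for pp in $MIRROR_PORTS; do
        rule=$(tee_rule "${pp%%:*}" "${pp#*:}")
        if [ "$1" = "--dry-run" ]; then
            echo "$rule"
        else
            tee_available || { echo "xt_TEE not available" >&2; return 3; }
            $rule || return 1
        fi
    done
}

# Usage: ./mirror.sh apply   (anything else, or no argument, only prints the rules)
case "${1:-}" in
    apply) apply_mirror ;;
    *)     apply_mirror --dry-run ;;
esac
```

Two caveats worth knowing before relying on this: the copy delivered to 192.168.0.10 still carries the original destination IP, so a syslog or NetFlow collector listening there will not receive it on a normal socket unless that host DNATs the copies to itself or captures them with a raw socket; and if the mirror host has its own TEE rules pointing back, the two boxes will bounce copies between each other, so keep TEE rules one-directional.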