I've just set up a new CentOS 6.4 machine to act as a default gateway for the LAN at head office. Its primary task is simply to route traffic to the appropriate place, i.e. VPN servers or the firewall server. This is working.

However, we want to monitor the traffic going through this machine. So I've installed:

  • ntopng, and that only sees a few MB instead of GB of the traffic, so I've removed that
  • and put the older ntop on, and that's doing the same
  • tried iptraf, and I think that's not seeing the traffic either
  • tried creating some iptables accept rules and the command `iptables --list -v -n --line-numbers`, and that still does not see much of the traffic traversing the gateway machine.

Notes on the network setup

  • Modem has
    • IP 192.168.2.3/24
    • NAT Enabled
    • DMZ pointing to 192.168.2.252
  • Firewall has
    • eth1 IP 192.168.2.252/24
    • eth0 IP 192.168.0.254/24
  • CentOS gateway machine has
    • eth0 IP 192.168.0.241/24
    • eth0:1 (same nic) IP 192.168.1.241/24
    • default gateway of 192.168.0.254
    • /etc/sysconfig/network has the line FORWARD_IPV4=true
    • /etc/sysconfig/network-scripts/route-eth0 has a bunch of lines like 192.168.5.0/24 via 192.168.1.2
  • VPN Servers
    • IP Addresses in the 192.168.1.0/24 range such as 192.168.1.2
  • client machines have
    • IP addresses in the range 192.168.0.50 - 192.168.0.150
    • default gateway of 192.168.0.241

How can the gateway machine not see the traffic going through it from the client machines when they are browsing the web? And what do you suggest I do to fix the traffic monitoring capabilities of this machine?

My guess is the OS is configured incorrectly for this to work. However I don't see how. Apart from having a 2nd IP address it is configured very similarly to how we have another branch setup, and that one is working.

BeowulfNode42
  • Skip all the fancy tools. Until you can get `tcpdump -qni eth0` to see all the packets you want to capture you are wasting your time with the other tools. – Zoredache Sep 26 '13 at 00:39

1 Answer

How can the gateway machine not see the traffic going through it from the client machines when they are browsing the web?

It can't see all the traffic. You need to put it in-line (or perform some ugly NAT hacks.)

  • Let's say one of your client machines 192.168.0.50 makes a connection to the Internet. So it forwards to the default gateway 192.168.1.241.
  • Now 192.168.1.241 has the packet, and forwards it to your firewall 192.168.0.254.
  • Your firewall does whatever it does, which probably includes NAT. Anyway, let's assume the packet was sent and a reply is on the way back.
  • The firewall has a reply and it is destined for 192.168.0.50. Because 192.168.0.50 is on a subnet local to the firewall, it connects directly and delivers it; the reply never gets to 192.168.1.241.

TLDR: when thinking about routing, do your best to think about the destination address in the packet and the route table for each specific device. Forget about the path you think it should go, or the path the packet followed when traveling in the other direction.

Zoredache
  • That makes a lot of sense, thank you. The branch that is working like this must be encapsulating the packets more, so the traffic returns via the same path. We'll have to reassess our network structure. I'm marking this as the answer even without confirming it is correct, as it will take some time to implement the changes needed. – BeowulfNode42 Sep 27 '13 at 00:08
  • Turning on masquerading is what encapsulates the packets so they return via the same path. We forgot to use the command "iptables --table nat --append POSTROUTING -j MASQUERADE" to enable this feature. – BeowulfNode42 Dec 03 '13 at 04:32
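The per-device route-table reasoning in the answer, and the MASQUERADE fix from the follow-up comment, as an added simulation that is not part of the original thread. It models the question's topology (the addresses are the question's; the outside host 203.0.113.10 and the device names are constructed) and traces one packet each way, with and without masquerading on the gateway, to show which devices actually see the reply.

```python
import ipaddress

# Constructed model of the question's topology (addresses as given in the question).
# Each device: its own addresses, then a route table of (prefix, next_hop); next_hop None = on-link.
TOPOLOGY = {
    "client":   (["192.168.0.50"],
                 [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.241")]),
    "gateway":  (["192.168.0.241", "192.168.1.241"],
                 [("192.168.0.0/24", None), ("192.168.1.0/24", None),
                  ("192.168.5.0/24", "192.168.1.2"), ("0.0.0.0/0", "192.168.0.254")]),
    "firewall": (["192.168.0.254", "192.168.2.252"],
                 [("192.168.0.0/24", None), ("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.3")]),
}
OWNER = {addr: name for name, (addrs, _) in TOPOLOGY.items() for addr in addrs}
GATEWAY_EGRESS = "192.168.0.241"   # address MASQUERADE substitutes when the gateway forwards via eth0

def next_hop(device, dst):
    """Longest-prefix match in this device's own route table; returns the next address on the wire."""
    routes = [(ipaddress.ip_network(p), via) for p, via in TOPOLOGY[device][1]]
    net, via = max((r for r in routes if ipaddress.ip_address(dst) in r[0]), key=lambda r: r[0].prefixlen)
    return via or dst   # on-link: hand the packet straight to the destination host

def trace(start, src, dst, masquerade=False, nat=None):
    """Forward one packet hop by hop. Returns (devices that saw it, source address at the end).
    masquerade=True models `iptables -t nat -A POSTROUTING -j MASQUERADE` on the gateway: the outbound
    source becomes the gateway's address and is restored on the reply. `nat` is a one-flow stand-in
    for the conntrack table, shared by both directions."""
    nat = {} if nat is None else nat
    device, seen = start, [start]
    while True:
        if device == "gateway" and dst in nat:
            dst = nat.pop(dst)                     # reply to a masqueraded flow: restore the client
        if dst in TOPOLOGY[device][0]:
            return seen, src                       # delivered to this device
        hop = next_hop(device, dst)
        if device == "gateway" and masquerade and hop == "192.168.0.254":
            nat[GATEWAY_EGRESS], src = src, GATEWAY_EGRESS   # hide the client behind the gateway
        if hop not in OWNER:
            return seen + ["(outside model)"], src  # left toward the modem/Internet or a VPN
        device = OWNER[hop]
        seen.append(device)

def round_trip(masquerade=False):
    """Client 192.168.0.50 reaches an outside host (constructed: 203.0.113.10); the firewall then
    replies to whatever source address it saw. Returns (outbound path, reply path)."""
    nat = {}
    out_path, src_seen = trace("client", "192.168.0.50", "203.0.113.10", masquerade, nat)
    back_path, _ = trace("firewall", "203.0.113.10", src_seen, masquerade, nat)
    return out_path, back_path

for masq in (False, True):
    print("masquerade" if masq else "plain routing", *round_trip(masq))
```

Without masquerading the reply path is firewall → client, so `tcpdump -qni eth0` on the gateway only ever shows the outbound half of each flow; with it, the reply is addressed to 192.168.0.241 and passes back through the gateway.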