Linux – Duplication of UDP traffic to two ports on localhost

iptableslinuxlinux-networkingnetworkingudp

I need to redirect incoming UDP traffic to two services listening different UDP ports on localhost.
I tried:

iptables -t nat -I PREROUTING -p udp -d 10.11.12.13 --dport 22 -j DNAT --to-destination 127.0.0.1:1234 --to-destination 127.0.0.1:4321

But the error was:

iptables v1.6.0: DNAT: Multiple –to-destination not supported

The same thing with --to-ports option:

iptables v1.6.0: REDIRECT: option "–to-ports" can only be used once

Then I tried iptables TEE. But in --gateway option it implies just IP address, so I can't do even like:

iptables -t mangle -I PREROUTING -p udp -d 10.11.12.13 --dport 22 -j TEE --gw 127.0.0.1:1234

Is there a way to "duplicate" UDP traffic using iptables or in some other handy way in Linux?

P.S. The question is about one-direction UDP traffic (e.g. incoming syslog traffic). It's obviously that it has nothing to do with TCP in such ~~scam~~scheme, because TCP has connection and it's impossible to establish connection from one port to two another ports. But it seems that it can be done with UDP (because there is no need to establish a connection).

Some posts that сlarified the situation, but didn't help:
1, 2 and 3.

Best Answer

The only other thing I could think of is to capture the traffic using some packet sniffer and then resend it to another destination.

Check the following links:

https://linux.die.net/man/1/tcpreplay-edit

https://linux.die.net/man/1/tcpreplay

http://tcpreplay.synfin.net/wiki/tcprewrite

In my understanding it could look similar to the following: tcpdump -i eth1 -w - 'udp and port 80' | tcprewrite --portmap=80:8080 | tcpreplay -i eth1 - OR something like this based on the "tcpreplay-edit" article: tcpdump -i eth1 -w - 'udp and port 80' | tcpreplay --portmap=80:8080 -i eth1 -

Related Solutions

Iptables string

That won't work. Only the first packet of every connection cross the NAT table. The strings only will be visible in the third packet, the one with the payload.

You should use a proxy to do that, in transparent mode if you don't want to configure it in the browsers.

Iptables – RHEL 6 Having issues forwarding port 80 to port 8080

I would say this is wrong approach. In any case, I wouldn't want to have JBoss (nor tomcat) to manage direct connections other then for test purpose. It's not designed to manage directly outside connections.

Option 1 Have apache web server proxy to 127.0.0.1:8080

You need this somewhere in your apache setup

LoadModule proxy_module  {path-to-modules}/mod_proxy.so
AddModule  mod_proxy.c

Or with apache2

$ sudo a2enmod proxy
$ sudo apache2ctl restart

And in virtual hosts you could have several apps

ProxyPass         /myapp  http://localhost:8080/myapp
ProxyPassReverse  /myapp  http://localhost:8080/myapp

or have a unique one

ProxyPass         /  http://localhost:8080/
ProxyPassReverse  /  http://localhost:8080/

after changing virtual hosts setting, no need to restart apache

$ sudo apache2ctl graceful

will update settings without dropping ongoing connections.

Option 2, using mod_ajp

$ sudo a2enmod proxy_ajp
$ sudo apache2ctl restart

adding this to your virtualhost

ProxyPass /app ajp://backend.example.com:8009/app

Assuming tomcat instance is configured to have ajp connector on port 8009. Check tomcat settings.

http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html

Option 3, using mod_jk http://tomcat.apache.org/connectors-doc/

You'll still have the other issue that is to configure JBoss as to create links to :80, that will be a JBoss setting problem... can't remember where it's set, all I can remember is that it took me a while to find out. I've preferred using the ajp connector so far.

Sorry, I don't have have access to a JBoss setup right now, perhaps someone can point us where is that setting.

Best Answer

Related Solutions

Iptables string

Iptables – RHEL 6 Having issues forwarding port 80 to port 8080

Related Topic