I receive traffic from a mirrored port and I would like to send it into an NFQUEUE for processing. Because of the mirrored port, the packets' destination MAC addresses are not my host's MAC address. Therefore traffic never reaches my NFQUEUE. (If I take one packet and use Scapy to manually replace the destination MAC address with my host's MAC address, it works.)
It doesn't work with the mirrored port even with an iptables rule that applies as early as possible in the filtering pipeline:
iptables -A PREROUTING -t raw -j NFQUEUE --queue-num 1
As mentioned in some other threads, I tried to create a bridge on my interface and filter traffic using the following commands.
tunctl -u root
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 tap0
brctl setfd br0 0
brctl stp br0 off
ifconfig br0 up
ifconfig eth0 up 0.0.0.0
ifconfig tap0 up 0.0.0.0
echo 0 > /sys/class/net/br0/bridge/ageing_time
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
iptables -F
iptables -A FORWARD -j NFQUEUE --queue-num 1
But even this solution does not solve my problem. Traffic doesn't go through the bridge because of the bridge-nf-call-iptables directive. However, I'm not able to get packets in my queue.
By the way, my kernel version is 3.13.0-32.
I'm looking for any solution that allows putting received packets with a random MAC address into my NFQUEUE.
Thanks for your help,
Julien
Best Answer
Your kernel ignores packets that are not addressed to the local network interfaces. You should change eth0 to promiscuous mode:
You could make this persistent via the network configuration:
Debian
Redhat
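As an added example (not code from this thread), a small shell helper that applies the answer's fix and lets you confirm it took: it enables promiscuous mode on the mirror interface, installs the question's raw-table NFQUEUE rule only if it is not already present, and reads the queue counters from /proc. The interface name eth0 and queue number 1 are assumptions taken from the question; run it as root with the argument apply.

```shell
#!/bin/sh
# Added example, not from the original thread.  Assumptions: the sniffing
# interface is eth0 and the queue number is 1, as in the question above.
IFACE="${IFACE:-eth0}"
QUEUE="${QUEUE:-1}"

# Return 0 when an `ip -o link show` line carries the PROMISC flag.
is_promisc_line() {
    case "$1" in
        *"<"*PROMISC*">"*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Put the interface into promiscuous mode (needs root) and verify it took,
# so frames with foreign destination MACs are no longer dropped by the NIC.
ensure_promisc() {
    ip link set "$IFACE" promisc on
    is_promisc_line "$(ip -o link show "$IFACE")"
}

# Queue everything arriving on IFACE as early as possible (raw PREROUTING),
# adding the rule only once.  Without a userspace listener bound to the
# queue, NFQUEUE drops the packets; add --queue-bypass to accept them instead.
ensure_queue_rule() {
    iptables -t raw -C PREROUTING -i "$IFACE" -j NFQUEUE --queue-num "$QUEUE" 2>/dev/null ||
    iptables -t raw -A PREROUTING -i "$IFACE" -j NFQUEUE --queue-num "$QUEUE"
}

# Print "<packets waiting> <packets dropped>" for QUEUE from the nfnetlink_queue
# proc file ($1, defaulting to the real one).  Its columns are:
# queue_num peer_portid queue_total copy_mode copy_range queue_dropped user_dropped id_sequence
# Empty output means no userspace program has bound the queue yet.
queue_stats() {
    awk -v q="$QUEUE" '$1 == q { print $3, $6 }' "${1:-/proc/net/netfilter/nfnetlink_queue}"
}

if [ "${1:-}" = "apply" ]; then
    ensure_promisc && ensure_queue_rule && echo "queue $QUEUE ready on $IFACE"
    queue_stats
fi
```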