Linux – Forward all traffic when connected to a hub

Tags: iptables, linux, linux-networking, mirroring, networking

I have an Ubuntu machine with two NICs. eth0 is connected to a hub and eth1 is connected to the Internet. eth1 is used for a point-to-point VPN using OpenVPN, so I have a tun0 interface. The VPN tunnel endpoints are 10.9.0.1 (bound on eth1) and 10.9.0.2 (remote peer). I want to forward/mirror all traffic received on eth0 (hub side) to the VPN peer 10.9.0.2. To do that, I created the following iptables rule.

sudo iptables -t mangle -A PREROUTING -i eth0 -j TEE --gateway 10.9.0.2

And of course, I set eth0 in promiscuous mode.

sudo ifconfig eth0 promisc

And I even activated IP forwarding.

sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

When I sniff on eth0 (hub side), I see all traffic, but when I sniff on 10.9.0.2 (remote VPN peer), I only see the multicast traffic received on eth0. My question is: why is the non-multicast or dedicated unicast traffic not mirrored/forwarded?

Note: If I sniff on tun0 on my Ubuntu server, I only see the multicast traffic and dedicated unicast traffic. So I conclude that the problem is not located on the iptables rules but before…

Thank you and best regards.

Best Answer

I finally found the solution. The idea given by @MrMajestyk has helped me. Here is my solution.

First, it is necessary to use ebtables to modify the destination MAC address of the received packet so that the IP stack receives the packet. If I don't do that at the Ethernet layer, the network layer never receives the frames except multicast, broadcast and dedicated unicast. And if the network layer never receives all the packets, it is not possible to handle them with iptables. But for this ebtables rule to work, it is necessary to create a bridge interface with the incoming (hub side) interface on it.

sudo ifconfig eth0 10.9.0.5
sudo brctl addbr br0 
sudo brctl addif br0 eth0 
sudo ifconfig br0 up

Then we can create the ebtables rules.

sudo ebtables -t broute -A BROUTING -i eth0 -j redirect --redirect-target DROP

Then, I can use iptables to mirror my traffic received toward my VPN remote peer (10.9.0.2).

sudo iptables -t raw -A PREROUTING -i eth0 -j TEE --gateway 10.9.0.2

Please note that I use a tunnel interface (tun) instead of an Ethernet bridge (tap). After that, I am able to sniff on the remote peer 10.9.0.2 and I can see all traffic (except ARP, for example).

I can even filter my traffic, but it is necessary to do it inside the raw table, PREROUTING chain, before the -j TEE --gateway rule. Look, for example, at my iptables raw table PREROUTING entries.

-A PREROUTING -p vrrp -j DROP
-A PREROUTING -p ospf -j DROP
-A PREROUTING -d 255.255.255.255/32 -j DROP
-A PREROUTING -p udp --sport 53 -j DROP
-A PREROUTING -p tcp --sport 53 -j DROP
-A PREROUTING -i eth0 -j TEE --gateway 10.9.0.2

Thank you for your help
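The ordering constraint the answer relies on (a DROP in raw/PREROUTING only keeps packets out of the mirror when it sits before the TEE rule, because TEE clones the packet at the point it matches) can be checked against an `iptables-save -t raw` dump. This is an added example, not code from the original post; the dump it parses is constructed and `check_mirror_rules` is a hypothetical helper.

```python
"""Verify a TEE port-mirror rule set: exactly one TEE rule for the hub-side
interface, pointing at the expected gateway, with no rule placed after it
in raw/PREROUTING (such rules act on the original packet, not the clone)."""
import shlex

# Constructed sample in iptables-save format: the answer's rule set plus one
# misplaced DROP that lands after the TEE rule and therefore never filters
# the mirrored copy.
SAMPLE_RAW_DUMP = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p vrrp -j DROP
-A PREROUTING -p ospf -j DROP
-A PREROUTING -d 255.255.255.255/32 -j DROP
-A PREROUTING -p udp --sport 53 -j DROP
-A PREROUTING -i eth0 -j TEE --gateway 10.9.0.2
-A PREROUTING -p tcp --sport 53 -j DROP
COMMIT
"""

def prerouting_rules(dump):
    """Return the raw-table PREROUTING rules, in chain order, as token lists."""
    rules, in_raw = [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*raw"
            in_raw = line == "*raw"
        elif in_raw and line.startswith("-A PREROUTING "):
            rules.append(shlex.split(line)[2:])  # drop "-A PREROUTING"
    return rules

def check_mirror_rules(dump, iface, gateway):
    """Return (ok, problems) for the mirror rule set on `iface`."""
    problems = []
    rules = prerouting_rules(dump)
    tee_idx = [i for i, r in enumerate(rules)
               if "TEE" in r and "-i" in r and r[r.index("-i") + 1] == iface]
    if len(tee_idx) != 1:
        problems.append("expected exactly one TEE rule for %s, found %d"
                        % (iface, len(tee_idx)))
        return False, problems
    tee = rules[tee_idx[0]]
    gw = tee[tee.index("--gateway") + 1] if "--gateway" in tee else None
    if gw != gateway:
        problems.append("TEE gateway is %s, expected %s" % (gw, gateway))
    for r in rules[tee_idx[0] + 1:]:
        problems.append("rule after TEE has no effect on the mirror: " + " ".join(r))
    return not problems, problems
```

Feed it the real output of `sudo iptables-save -t raw` to confirm every filter precedes the TEE rule on the mirroring host.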
