I'm wanting to log and monitor traffic passing through a particular point in my network. So ultimately I want all traffic passing through my bridge to be mirrored to the IP address of the IP of another system that is listening to any traffic sent to it.
Roughly my current setup is:
- monitoring/logging server with a monitoring interface setup in promiscuous mode
- linux bridge at the point in the network I want to monitor
- iptables rules to attempt to mirror traffic to alternative gateway
iptables -t mangle -A PREROUTING -j TEE --gateway <monitoring ip>iptables -t mangle -A POSTROUTING -j TEE --gateway <monitoring ip>
But so far I see no traffic flowing over any interface to the monitoring ip unless I try to ping it directly (of which then I can see the traffic on both bridge and monitoring port).
There is another problem that might be of note. I had to put in a static route for the ARP resolution for the monitoring port, because for some reason it would always put the management port's MAC as the address. Haven't identified why the bridge gets the management MAC address against the monitoring ip when no other client does on the network.
Any advice would be appreciated, sorry if I haven't provided enough clear details.
Best Answer
By default switched frames don't be passed through iptables rules. To change this behaviour you should enable the nf_call_iptables option on the bridge interface (with ip command or through /proc filesystem)
ip link set dev br0 type bridge nf_call_iptables 1To limit the monitoring traffic use the --phys-dev match in iptables rules.