Clone a packet - iptables

Hello,
Is it possible to 'clone' a packet using iptables?
I would like to do something like
-A INPUT -p tcp --dport 1111 -j DNAT --to-destination host_a
--to-destination host_b
but without the round-robin load balancing, so that the packet coming to
port 1111 is sent to host_a AND host_b.

Or perhaps it can be done with BSD's packet filter?

--
Piotr Szczap
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo [at] vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Piotr Szczap [ Mon, 10 April 2006 16:29 ] [ ID #1267221 ]

Re: Clone a packet - iptables


Hi,

On Monday 10 April 2006 16:29, Piotr Szczap wrote:
> Hello,
> Is it possible to 'clone' a packet using iptables?
> I would like to do something like
> -A INPUT -p tcp --dport 1111 -j DNAT --to-destination host_a
> --to-destination host_b
> but without the round-robin load balancing, so that the packet coming to
> port 1111 is sent to host_a AND host_b.
>
> Or perhaps it can be done with BSD's packet filter?

I bet Linux' netfilter can't do this. Think about your tcp connection's
partner: it will receive ACK flags from two processes on the destination
machine. Your tcp connection won't survive for long.

Kind regards,
--
Kind regards,

p.p. Martin Klier
System Administration / Databases
------------------------------------------------------------------
A.T.U Auto-Teile-Unger
Handels GmbH & Co. KG
Dr.-Kilian-Straße 4
D-92637 Weiden i. d. OPf.

Martin Klier [ Tue, 11 April 2006 08:46 ] [ ID #1268804 ]

Re: Clone a packet - iptables

Martin Klier wrote:
>
> I bet Linux' netfilter can't do this. Think about your tcp connection's
> partner: it will receive ACK flags from two processes on the destination
> machine. Your tcp connection won't survive for long.

You're right of course, but I made a mistake in my question:
I want to clone UDP not TCP. Does this change anything?


Regards,
Piotr Szczap
Piotr Szczap [ Tue, 11 April 2006 11:13 ] [ ID #1268805 ]

Re: Clone a packet - iptables

If I remember correctly... won't the sequence numbers be out of whack
due to multiple transactions? Would this result in corrupted data? Or a
dropped connection?

Tom Callahan
TESSCO Technologies
Desk: (410)-229-1361
Cell: (410)-588-7605
Email: callahant [at] tessco.com

A real engineer only resorts to documentation when the keyboard dents on the forehead get too noticeable.



Piotr Szczap wrote:

>Martin Klier wrote:
>
>>I bet Linux' netfilter can't do this. Think about your tcp connection's
>>partner: it will receive ACK flags from two processes on the destination
>>machine. Your tcp connection won't survive for long.
>
>You're right of course, but I made a mistake in my question:
>I want to clone UDP not TCP. Does this change anything?
>
>Regards,
>Piotr Szczap
Tom Callahan [ Tue, 11 April 2006 13:56 ] [ ID #1268806 ]

Re: Clone a packet - iptables

Piotr Szczap wrote:
> You're right of course, but I made a mistake in my question:
> I want to clone UDP not TCP. Does this change anything?

If you want this for monitoring/debugging/IDS etc., you are much
better off with a monitoring port on your switch.

cheers
-a
Andy Davidson [ Wed, 19 April 2006 15:45 ] [ ID #1279569 ]
Linux » gmane.linux.admin » Clone a packet - iptables
