Mirror Port via iptables

networking iptables linux-kvm

I have a dedicated Linux (Debian 7.5) root server, with a number of guests set up. The guests are KVM instances, and get network access via bridge-utils (NAT, internal IPs, use the host as a gateway).

E.g. one KVM is my WebServer guest, and it gets accessible via the host IP this way:

    iptables -t nat -I PREROUTING -p tcp -d 148.251.Y.Z 
--dport 80 -j DNAT --to-destination  192.168.100.X:80

I do the same with other services, keeping them self-contained, NATed and isolated.

But one guest is supposed to be a network monitor, and shall perform network traffic inspection (like an IDS). Usually, in a non virtual setup I would use VACLs or SPAN ports to mirror the traffic. Of course, inside this one host, I cannot do this (easily, because I don't want to use complex virtual switching approaches).

  1. Can I get a port mirror using iptables, and redirect all ingress and egress traffic to one KVM guest? All guests have a dedicated interface, like vnet1.
  2. Is it possible to selectively forward traffic, based on the protocol (like a VACL forward rule, which only grabs HTTP)?
  3. do the guests need a specific interface setup, when I need to keep vnet1 as a management interface (with an IP)?

I would be happy for a point into the right direction:

iptables         1.4.14-3.1
linux            3.2.55
bridge-utils     1.5-6

Thanks a lot :)


Solution 1:

what about prepending the root server pre-Routing module Mangle table rules by something like:

iptables -I PREROUTING -t mangle -j ROUTE --gw 192.168.200.1 --tee

and then prepending the post-Routing module Mangle table rules by something like

iptables -I POSTROUTING -t mangle -j ROUTE --gw 192.168.200.1 --tee

where 192.168.200.1 is the network monitor.

These rules will mirror all the incoming and outcoming traffic forwarding it to 192.168.200.1

edit:

mangle table specific
  -j ROUTE            (explicitly route packets, valid at PREROUTING)
      options:
      --iface <iface_name>
      --ifindex <iface_idx>

but you could also use use something like 

iptables -I PREROUTING –t mangle –i eth0 –j TEE –gateway 192.168.200.1

and

iptables -I POSTROUTING –t mangle –j TEE –gateway 192.168.200.1

where TEE now is a target which at PREROUTING takes more options like i.e. -i, -p, etc

Related

Stats - Likelihood function
Proving $\sqrt2$ is irrational
Subsubgroups are subgroups of subgroups / Multiplicative Property of the Index
Are Lie algebra complexifications $\mathfrak g_{\mathbb C}$ equivalent to Lie algebra structures on $\mathfrak g\oplus \mathfrak g$?
If $(Tx \mathbin{|} x) = 0$ for all $x$ then $T = 0$
Proving $n! \ge 2^{n-1 }$for all $n\ge1 $by mathematical Induction [duplicate]
Given an integer $a$, suppose $d=\gcd(3a+5,\,5a+7)>2$. Determine $d$.
Volume of a pyramid as a determinant?
Prove that $\sin^2(A) - \sin^2(B) = \sin(A + B)\sin(A -B)$
Legendre Polynomials: proofs $\int_{-1}^1P_n^2(x)dx=\frac{2}{(2n+1)}$
The Cartesian product of a finite number of countable sets is countable
Prove if $(a,p)=1$, then $\{a,2a,3a,...,pa\}$ is a complete residue system modulo $p$. [duplicate]