iptables duplicate traffic to another ip

Solution 1:

The ROUTE patch is a kernel patch which needs to be applied to the Linux Kernel source code for iptables to work: you can find here all relevant information. However, the patches detailed in this Web page are quite old (2005) and I am not sure they work properly on new kernel releases.

Instead, new iptables extensions are detailed here and these do work. In particular, it is stated that:

iptables can use extended target modules: the following are included in the standard distribution.

and thus they should be available to anyone with a standard Linux release. One of the target extensions is TEE, for which they state:

TEE

The TEE target will clone a packet and redirect this clone to another machine on the local network segment. In other words, the nexthop must be the target, or you will have to configure the nexthop to forward it further if so desired.

--gateway ipaddr

Send the cloned packet to the host reachable at the given IP address. Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.

To forward all incoming traffic on eth0 to a Network Layer logging box:

 -t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1

The name TEE is clearly intended to remind one of the standard tee command, which reads from standard input and clones the output (that just goes to standard output) to a user-specified file. Same thing here with packets: packets to which the rule applies are duplicated, one being sent to its intended destination, while the newly minted clone is sent to the spying target.

Thus, to clone all incoming and outgoing traffic for PC 192.168.1.15 on your router (say, 192.168.1.1), and redirect it to a spying PC 192.168.1.100, use:

 iptables -t mangle -A PREROUTING -d 192.168.1.15 -j TEE --gateway 192.168.1.100
 iptables -t mangle -A PREROUTING -s 192.168.1.15 -j TEE --gateway 192.168.1.100
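As an added example (not part of the answer above, and not from the iptables project), a small POSIX shell helper that generates the two mangle/PREROUTING TEE rules for a monitored host: it rejects the gateway values the man page calls invalid (0.0.0.0 and ::), picks iptables or ip6tables by address family, and wraps each append in a `-C` check so re-running it does not duplicate rules. It prints the commands for review instead of applying them; the host and sensor addresses reuse the answer's values, and the `-C` guard is my own addition.

```shell
#!/bin/sh
# Added example: build the TEE mirroring rules for one monitored host.
# Assumed, not from the answer: the mirror target (sensor) sits on the
# same L2 segment as the router, as the TEE man page requires.
# Nothing here executes iptables; the commands are printed for review.

# Reject the --gateway values the TEE man page marks as invalid.
valid_gateway() {
    case "$1" in
        ""|0.0.0.0|::) return 1 ;;
        *) return 0 ;;
    esac
}

# Choose ip6tables when the gateway address contains a colon (IPv6).
tool_for() {
    case "$1" in
        *:*) printf 'ip6tables' ;;
        *)   printf 'iptables' ;;
    esac
}

# Print the two mangle/PREROUTING rules (traffic to and from the host),
# each guarded by '-C ... || -A ...' so repeated runs stay idempotent.
tee_rules() {
    host="$1"
    gw="$2"
    valid_gateway "$gw" || { echo "invalid TEE gateway: '$gw'" >&2; return 1; }
    t="$(tool_for "$gw")"
    for dir in -d -s; do
        rule="$dir $host -j TEE --gateway $gw"
        printf '%s -t mangle -C PREROUTING %s 2>/dev/null || %s -t mangle -A PREROUTING %s\n' \
            "$t" "$rule" "$t" "$rule"
    done
}

# Constructed sample values matching the answer: monitored PC and sensor.
tee_rules 192.168.1.15 192.168.1.100
```

Pipe the output into `sh` on the router once the printed rules look right.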