Clone a packet - iptables

am 10.04.2006 16:29:07 von Piotr Szczap

Hello,
Is it possible to 'clone' a packet using iptables?
I would like to do something like
-A INPUT -p tcp --dport 1111 -j DNAT --to-destination host_a
--to-destination host_b
but without the round-robin load balancing, so that the packet coming to
port 1111 is sent to host_a AND host_b.

Or perhaps it can be done with BSD's packet filter?

--
Piotr Szczap
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: Clone a packet - iptables

am 11.04.2006 08:46:56 von Martin Klier

Hi,

On Monday 10 April 2006 16:29, Piotr Szczap wrote:
> Hello,
> Is it possible to 'clone' a packet using iptables?
> I would like to do something like
> -A INPUT -p tcp --dport 1111 -j DNAT --to-destination host_a
> --to-destination host_b
> but without the round-robin load balancing, so that the packet coming to
> port 1111 is sent to host_a AND host_b.
>
> Or perhaps it can be done with BSD's packet filter?

I bet Linux' netfilter can't do this. Think about your tcp connection's
partner: it will receive ACK flags from two processes on the destination
machine. Your tcp connection won't survive for long.

Kind regards,
--
Kind regards

i.A. Martin Klier
System Administration / Databases
------------------------------------------------------------------
A.T.U Auto-Teile-Unger
Handels GmbH & Co. KG
Dr.-Kilian-Straße 4
D-92637 Weiden i. d. OPf.


Re: Clone a packet - iptables

am 11.04.2006 11:13:24 von Piotr Szczap

Martin Klier wrote:
>
> I bet Linux' netfilter can't do this. Think about your tcp connection's
> partner: it will receive ACK flags from two processes on the destination
> machine. Your tcp connection won't survive for long.

You're right of course but I made a mistake in my question:
I want to clone UDP not TCP. Does this change anything?


Regards,
Piotr Szczap

Re: Clone a packet - iptables

am 11.04.2006 13:56:03 von Tom Callahan

If I remember correctly... won't the sequence numbers be out of whack
due to multiple transactions? Would this result in corrupted data? Or a
dropped connection?

Tom Callahan
TESSCO Technologies
Desk: (410)-229-1361
Cell: (410)-588-7605
Email: callahant@tessco.com

A real engineer only resorts to documentation when the keyboard dents on the forehead get too noticeable.



Piotr Szczap wrote:

> Martin Klier wrote:
>
>> I bet Linux' netfilter can't do this. Think about your tcp connection's
>> partner: it will receive ACK flags from two processes on the destination
>> machine. Your tcp connection won't survive for long.
>
> You're right of course but I made a mistake in my question:
> I want to clone UDP not TCP. Does this change anything?
>
> Regards,
> Piotr Szczap
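Added example (not from the thread and not netfilter code): a small Python model of the objection Martin and Tom raise, and of Piotr's UDP variant. It assumes a hypothetical cloning DNAT and a stateful NAT that records one reverse mapping per flow; all addresses and initial sequence numbers are constructed sample values.

```python
from dataclasses import dataclass

CLIENT, NAT, HOST_A, HOST_B = "198.51.100.10", "192.0.2.1", "10.0.0.2", "10.0.0.3"  # constructed
ISN = {HOST_A: 1000, HOST_B: 5000}  # constructed initial sequence numbers per backend

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    flags: str = ""   # "SYN", "SYN-ACK" or "DATA"
    seq: int = 0
    ack: int = 0

def nat_clone(pkt, reverse):
    """Hypothetical cloning DNAT: copies pkt to both hosts but, like a stateful
    NAT, records a single reverse mapping (the first target) for the flow."""
    reverse.setdefault((pkt.src, pkt.proto), HOST_A)
    return [Pkt(pkt.src, h, pkt.proto, pkt.flags, pkt.seq, pkt.ack) for h in (HOST_A, HOST_B)]

def un_nat(pkt, reverse):
    """Reply path: only the recorded host's reply is rewritten to the NAT address."""
    if reverse.get((pkt.dst, pkt.proto)) == pkt.src:
        return Pkt(NAT, pkt.dst, pkt.proto, pkt.flags, pkt.seq, pkt.ack)
    return pkt  # the other host's reply passes through with its real source

def tcp_client_receive(state, pkt):
    """Minimal client TCP: RST for an unknown peer or wrong sequence number,
    ACK for the first valid SYN-ACK, ACCEPT for in-order data afterwards."""
    if pkt.src != NAT:
        return "RST"  # no connection exists for this 4-tuple
    if state["peer_seq"] is None and pkt.flags == "SYN-ACK" and pkt.ack == state["iss"] + 1:
        state["peer_seq"] = pkt.seq + 1
        return "ACK"
    return "ACCEPT" if pkt.seq == state["peer_seq"] else "RST"

def simulate(proto):
    """Push one client packet through the cloning NAT and report how the
    client treats each host's reply. proto is "tcp" or "udp"."""
    reverse, state, outcomes = {}, {"iss": 100, "peer_seq": None}, {}
    first = Pkt(CLIENT, NAT, proto, "SYN" if proto == "tcp" else "DATA", seq=100)
    for clone in nat_clone(first, reverse):
        host = clone.dst
        if proto == "tcp":
            reply = Pkt(host, CLIENT, proto, "SYN-ACK", seq=ISN[host], ack=101)
            outcomes[host] = tcp_client_receive(state, un_nat(reply, reverse))
        else:
            seen = un_nat(Pkt(host, CLIENT, proto, "DATA"), reverse)
            outcomes[host] = "ACCEPT" if seen.src == NAT else "stray reply from " + seen.src
    return outcomes
```

With TCP the second host's SYN-ACK is answered with RST and that side never establishes; with UDP both replies reach the client, but the second arrives from the backend's own address rather than the NAT's, which is the kind of confusion Andy's switch-port suggestion avoids.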

Re: Clone a packet - iptables

am 19.04.2006 15:45:40 von Andy Davidson

Piotr Szczap wrote:
> You're right of course but I made a mistake in my question:
> I want to clone UDP not TCP. Does this change anything?

If you are wanting this for monitoring/debugging/IDS, etc. you are much
better off with a monitoring port on your switch.

cheers
-a