Hard Crash With iptable Entries AC86U 384.8 alpha

Discussion in 'Asuswrt-Merlin' started by GHammer, Oct 28, 2018.

  1. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,300
    Location:
    UK
    Yeah, I guessed that might be the case. You could try to load the module manually but it's a long shot:

    modprobe xt_TEE

    Otherwise you'll have to speak nicely to @RMerlin or @john9527 and see if they can include that module.
     
  2. GHammer

    GHammer Senior Member

    Joined:
    Jan 25, 2015
    Messages:
    201
    Code:
    modprobe: module xt_TEE not found in modules.dep
    Well, you learn something new every day I guess.
    --tee is not equal to TEE
    Hopefully this can get addressed so I can solve my issue.

    Thanks for all the troubleshooting, I hardly ever have simple issues...
     
  3. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    6,096
    Location:
    United States
    @GHammer
    Can you verify the output of
    iptables -V
     
  4. GHammer

    GHammer Senior Member

    Joined:
    Jan 25, 2015
    Messages:
    201
    iptables v1.4.15
     
  5. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    6,096
    Location:
    United States
    Wanted to make sure I didn't miss something....Why ASUS didn't update iptables along with the new kernel, I don't know (the 2.6.36 kernel is using 1.4.14).

    Not sure if adding TEE is going to work. I'm in the middle of some work on my fork right now, but will take a look later.
     
  6. GHammer

    GHammer Senior Member

    Joined:
    Jan 25, 2015
    Messages:
    201
    Thanks John
     
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,300
    Location:
    UK
    Probably not relevant, but TEE is present on my Ubuntu box but that is running iptables v1.6.1.
     
  8. GHammer

    GHammer Senior Member

    Joined:
    Jan 25, 2015
    Messages:
    201
    That's odd:
    Code:
    [email protected]:~# modprobe xt_TEE
    [email protected]:~# iptables -V
    iptables v1.6.1
    
     
  9. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,300
    Location:
    UK
    What is?
     
  10. GHammer

    GHammer Senior Member

    Joined:
    Jan 25, 2015
    Messages:
    201
    Oops, I read router instead of Ubuntu.

    Closing all the terminals I have open...
     
  11. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    6,096
    Location:
    United States
  12. GHammer

    GHammer Senior Member

    Joined:
    Jan 25, 2015
    Messages:
    201
    Thanks John.
    I actually see traffic that has been mirrored to my desktop.
    Here's the output of iptables-save:
    Code:
    [email protected]:/tmp/home/root# iptables-save -t mangle
    # Generated by iptables-save v1.4.15 on Fri Nov  9 23:02:42 2018
    *mangle
    :PREROUTING ACCEPT [5614:807111]
    :INPUT ACCEPT [3813:623631]
    :FORWARD ACCEPT [1797:182888]
    :OUTPUT ACCEPT [9019:1270012]
    :POSTROUTING ACCEPT [10818:1453384]
    -A PREROUTING -s 10.10.100.121/32 -j TEE --gateway 10.10.100.100
    COMMIT
    # Completed on Fri Nov  9 23:02:42 2018
    
    As an aside, that entry seems to terminate traffic on my desktop, not mirror it.
    At least the online services that the weather station feeds do not see traffic after enabling the TEE command.
    Code:
    iptables -t mangle -A PREROUTING -s 10.10.100.121 -j TEE --gateway 10.10.100.100
    I'll try the statements I originally was using and see if I get a different result.
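
An added example, not part of the original post: a TEE rule copies matching traffic to another host, so it helps to audit a ruleset for mirror rules that point at a gateway you did not approve. The function names, the allowlist argument and the address 10.10.100.250 are assumptions made for illustration; the sample ruleset is constructed in the `iptables-save` format shown above.

```shell
#!/bin/sh
# Constructed sample in iptables-save format; 10.10.100.250 is a made-up mirror target.
sample_ruleset() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.10.100.121/32 -j TEE --gateway 10.10.100.100
-A POSTROUTING -d 10.10.100.121/32 -j TEE --gateway 10.10.100.100
-A PREROUTING -s 10.10.100.6/32 -j TEE --gateway 10.10.100.250
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}

# Read iptables-save output on stdin; print one line per TEE rule:
# table<TAB>chain<TAB>gateway<TAB>match
tee_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*mangle" opens a table section
        $1 == "-A" {
            gw = ""; spec = ""; is_tee = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "TEE") { is_tee = 1; i++; continue }
                if ($i == "--gateway") { gw = $(i + 1); i++; continue }
                spec = (spec == "" ? "" : spec " ") $i
            }
            if (is_tee) printf "%s\t%s\t%s\t%s\n", table, $2, gw, spec
        }
    '
}

# Print only the TEE rules whose gateway is not in the space-separated allowlist $1.
unapproved_tee_rules() {
    allowed=" $1 "
    tee_rules | while IFS="$(printf '\t')" read -r table chain gw spec; do
        case "$allowed" in
            *" $gw "*) ;;   # approved capture host
            *) printf '%s\t%s\t%s\t%s\n' "$table" "$chain" "$gw" "$spec" ;;
        esac
    done
}

# Demo on the constructed sample; on a router, pipe iptables-save in instead.
sample_ruleset | unapproved_tee_rules "10.10.100.100"
```

On a live system the same check is `iptables-save | unapproved_tee_rules "10.10.100.100"`; empty output means every mirror rule points at an approved capture host.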
     
  13. GHammer

    GHammer Senior Member

    Joined:
    Jan 25, 2015
    Messages:
    201
    Progress, the router no longer is unusable after I enter the iptables commands.
    But the traffic seems to be rerouted to the target IP, not mirrored.
    These are the only packets I receive on my desktop when I enter the iptables commands. Endless looking for DNS.
    Code:
    23:12:22.263031 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 3407+ A? rtupdate.wunderground.com. (43)
    23:12:23.262934 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 20770+ A? rtupdate.wunderground.com. (43)
    23:12:24.263022 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 41674+ A? api.ambientweather.net. (40)
    23:12:25.263295 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 52540+ A? rtupdate.wunderground.com. (43)
    23:12:25.263301 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 27642+ A? api.ambientweather.net. (40)
    23:12:25.263420 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 63174+ A? api.weathercloud.net. (38)
    23:12:26.262807 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 17361+ A? api.weathercloud.net. (38)
    23:12:27.262797 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 29945+ A? api.ambientweather.net. (40)
    23:12:27.381554 IP 10.10.100.121.4096 > one.one.one.one.domain: 11279+ A? rtupdate.wunderground.com. (43)
    
    These are the iptables commands I used:
    Code:
    iptables -t mangle -A PREROUTING -s 10.10.100.121 -j TEE --gateway 10.10.100.100
    iptables -t mangle -A POSTROUTING -d 10.10.100.121 -j TEE --gateway 10.10.100.100
    I first used only the PREROUTING, then added the POSTROUTING.
    No difference.

    I'm calling it a day and will be back tomorrow.
     
  14. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    2,100
    Late to the party, but what is the objective here? To monitor all packets sent by the device while still allowing them to reach their intended destination?
     
  15. GHammer

    GHammer Senior Member

    Joined:
    Jan 25, 2015
    Messages:
    201
    That is indeed the goal. Ideally changing the port as well but currently just to work.
     
  16. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    2,100
    I'm probably missing something, but why not -j LOG the packets, and then use a script to scrape them from syslog to somewhere else?
     
  17. GHammer

    GHammer Senior Member

    Joined:
    Jan 25, 2015
    Messages:
    201
    The packets are used by a program that listens, not reads.
     
  18. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,300
    Location:
    UK
    The objective is not just to monitor the traffic but to capture all the data. LOG can't do that.
     
  19. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    2,100
    gotcha
     
  20. GHammer

    GHammer Senior Member

    Joined:
    Jan 25, 2015
    Messages:
    201
    Well, let's see if we can finish this off at last.
    So, to recap, I want to get the traffic from .121 to appear at .115
    In a test from one desktop (.6) to my desktop (.100) it works fine. The source desktop can browse and such with no problem while my desktop gets a copy of all the traffic.
    Code:
    iptables -t mangle -A PREROUTING -s 10.10.100.6 -j TEE --gateway 10.10.100.100
    iptables -t mangle -A POSTROUTING -d 10.10.100.6 -j TEE --gateway 10.10.100.100
    Herein lies the problem. I need to change ports on the .121 traffic from 80 and 443 because there is an Apache server running on .115. Let's say I wanted to have it be 8000 and 4430.

    I have a feeling that more iptables entries will be needed, but what?

    P.S. @john9527 The TEE is only in your test load not available in RMerlin's 8_2
    Code:
    iptables -t mangle -A PREROUTING -s 10.10.100.6 -j TEE --gateway 10.10.100.100
    iptables: No chain/target/match by that name.