* Machine in the middle
@ 2013-08-21 17:11 Nestor A. Diaz
From: Nestor A. Diaz @ 2013-08-21 17:11 UTC (permalink / raw)
  To: netfilter

Hi,

According to your experience, what would be the best strategy to
intercept traffic from one machine to another and process some (not all)
requests in a transparent way?

Let me explain. I have two machines:

192.168.1.1/24 <-> 192.168.1.2/24

All I want to do is to intercept traffic from a specific port(s), i.e.
4000/tcp and process it in a 'machine in the middle'.

192.168.1.1/24 <-> machine-in-the-middle <-> 192.168.1.2/24

The idea is that when 192.168.1.1 connects to 192.168.1.2:4000 then the
machine in the middle will answer those requests, but the remaining
traffic from 192.168.1.1 to 192.168.1.2 keep forwarding as is, and the
same for the opposite direction.

Thanks.

-- 
Nestor.Diaz.



* Re: Machine in the middle
From: Nestor A. Diaz @ 2013-08-21 19:24 UTC (permalink / raw)
  To: Matty Sarro; +Cc: netfilter

Hi, thanks for your answer, I forgot to say that the ports I will be
intercepting are going to be redirected to a third host, so I can't just
listen or drop, I need to respond to those packets.

I am planning to use an openwrt router for this.

Initially I thought that it could be done with two routers as follows:

Original scenario:

192.168.1.1/24 <-> 192.168.1.2/24

New scenario:

192.168.1.1/24 <-> ( 192.168.1.2/24 NATted to/from 169.254.1.2/24 ) <->
( 169.254.1.1/24 NATted to/from 192.168.1.1/24 ) <-> 192.168.1.2/24

The idea is that every router takes the other side's IP address, then DNATs
to a zeroconf IP address and sends to the other one; the other router
will receive the packet and SNAT to the original IP address. Problem
solved, I thought.

That way I could intercept the traffic in any of the two devices and
with another network interface I could send that packet to another host.

But I prefer a solution where I don't have to use two routers. Can it be
done using just one router, re-injecting the packet after the first NAT?

Another option I was thinking is to define a router with two network
interfaces where I put an ip address of the other side as an alias and
then mark the packet, then put into another routing table and forward
via the other interface, seems confusing, I will try to explain:

192.168.1.1/24 <-> (eth0.1: 169.254.1.2/24,192.168.1.2/24 and eth0.2:
169.254.1.1/24,192.168.1.1/24) <-> 192.168.1.2/24

I will receive the packet from one side, then at the mangle stage I will
mark the packet; I will have set up a new routing table that the marked
packet obeys, forwarding it via the other interface. This way I will not
have to deal with NAT, and the same the other way. But this is just my
hypothesis. Could it be possible, or am I smoking marijuana?

Thanks.

-- 
Nestor.Diaz.


On 08/21/2013 12:30 PM, Matty Sarro wrote:
> 1) An ethernet tap is your best bet to do this. They can be purchased
> to run at line speed (up to 1 Gbps, perhaps faster), and are made
> specifically to do what you want. You can attempt to make one on your
> own if you don't have a budget, but they rarely perform as well as a
> manufactured one.
>
> 2) A switch with a SPAN port may work as well. You can specify a port,
> and then duplicate all ethernet frames going into/out of that port on
> to another port, which is cabled to a box that is sniffing traffic.
>
> 3) If transparency and throughput aren't really that important, you
> can use a network hub. Because of how hubs function, all traffic is
> sent out all ports. You'd connect the sniffing box and be done. The
> downside is you will have lots of collisions, and nothing will run at
> full duplex (no gigabit speeds).
>
> There are dedicated solutions for sucking in network traffic once you
> have a tap installed (namely snort, http://www.snort.org/).
>
[...]


* Re: Machine in the middle
From: Pascal Hambourg @ 2013-08-24  9:43 UTC (permalink / raw)
  To: Nestor A. Diaz; +Cc: netfilter

Hello,

Nestor A. Diaz wrote:
> 
> According to your experience what would be the best strategy to
> intercept traffic from one machine to another and process some (not all)
> request in a transparent way.
> 
> I explain, i have two machines:
> 
> 192.168.1.1/24 <-> 192.168.1.2/24
> 
> All I want to do is to intercept traffic from a specific port(s), i.e.
> 4000/tcp and process it in a 'machine in the middle'.
> 
> 192.168.1.1/24 <-> machine-in-the-middle <-> 192.168.1.2/24
> 
> The idea is that when 192.168.1.1 connects to 192.168.1.2:4000 then the
> machine in the middle will answer those requests, but the remaining
> traffic from 192.168.1.1 to 192.168.1.2 keep forwarding as is, and the
> same for the opposite direction.

Bridge with TPROXY, I guess.
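
Pascal's one-line suggestion and the single-router, mark-and-policy-route
variant Nestor sketches in his second message come down to the same
netfilter building blocks. The script below is an added example, not code
from anyone in the thread: a transparent Linux bridge that pulls TCP/4000
out of the bridged path, hands it to a local listening socket with TPROXY
(no address rewriting, so the listener sees 192.168.1.1 talking to
192.168.1.2:4000 and may answer as 192.168.1.2), and bridges everything
else untouched. The bridge ports eth0/eth1, bridge name br0, fwmark 1,
routing table 100 and the listener port are assumptions; the thread only
gives the two hosts' subnet and the port.

```shell
#!/bin/sh
# Added example, not from the thread: a transparent Linux bridge that diverts
# TCP/4000 to a local TPROXY listener and bridges everything else untouched.
# Assumed (not in the thread): bridge ports eth0/eth1, bridge br0, fwmark 1,
# routing table 100, listener on port 4000. Set DRYRUN=1 to print the
# commands instead of running them (useful without root).

BR=${BR:-br0}
PORTS=${PORTS:-"eth0 eth1"}
LAN=${LAN:-192.168.1.0/24}     # the two hosts' subnet, from the thread
SVC_PORT=${SVC_PORT:-4000}     # port to intercept, from the thread
PROXY_PORT=${PROXY_PORT:-4000} # local listener port (assumption)
MARK=${MARK:-1}
TABLE=${TABLE:-100}

# Execute a command, or just print it when DRYRUN=1
run() {
  if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_bridge() {
  run ip link add name "$BR" type bridge
  for p in $PORTS; do
    run ip link set "$p" master "$BR"
    run ip link set "$p" up
  done
  run ip link set "$BR" up
  # Replies from the listener must be routable back out through the bridge
  run ip route add "$LAN" dev "$BR"
  # Bridged IPv4 frames must pass the iptables hooks for TPROXY to see them
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
  # Reverse-path filtering would drop packets for addresses the box does not own
  run sysctl -w net.ipv4.conf.all.rp_filter=0
  run sysctl -w "net.ipv4.conf.$BR.rp_filter=0"
}

divert_rules() {
  # Only frames for the intercepted port leave the bridge for the IP stack
  # (ebtables broute: --redirect-target DROP means "route, do not bridge")
  run ebtables -t broute -A BROUTING -p IPv4 --ip-protocol tcp \
      --ip-dport "$SVC_PORT" -j redirect --redirect-target DROP
  # Mark them and hand them to the listening socket without rewriting addresses
  run iptables -t mangle -N DIVERT
  run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
  run iptables -t mangle -A DIVERT -j ACCEPT
  run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  run iptables -t mangle -A PREROUTING -i "$BR" -p tcp --dport "$SVC_PORT" \
      -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$PROXY_PORT" --on-ip 0.0.0.0
  # Marked packets are delivered locally although their address is not ours
  run ip rule add fwmark "$MARK" lookup "$TABLE"
  run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Print the full rule set without touching the system
render() { ( DRYRUN=1; setup_bridge; divert_rules ); }

if [ "${1:-}" = apply ]; then setup_bridge; divert_rules; else render; fi
```

Run it without arguments to review the generated commands, with `apply` as
root to install them. Two points the rules alone do not cover: the process
listening on port 4000 has to set IP_TRANSPARENT on its socket (which needs
CAP_NET_ADMIN), and if it is to answer as 192.168.1.2 rather than as the
middle box, it must bind its sockets to that address with the same option;
otherwise its replies carry the box's own address and the transparency is
gone. The ebtables broute table used here belongs to the kernels of the
thread's era; on recent kernels it is no longer available and the same
diversion has to be expressed with nftables.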

