I am doing a training task on networking. At one stage, the following should happen:

  1. A packet sent from computer No. 4 to computer No. 3 is addressed to an address that is not present on the network (for example, 123.123.123.123)
  2. On computer No. 3, the received packet is redirected to computers No. 1 and No. 2 (that is, it must be duplicated and its destination address replaced)

I tried doing it as follows:

    # duplicate all packets destined for 123.123.123.123 to computer No. 2
    iptables -t mangle -A PREROUTING -d 123.123.123.123 -j TEE --gateway 6.6.1.1
    # change the destination field of the non-duplicated packets to the address of computer No. 1
    iptables -t nat -A PREROUTING -d 123.123.123.123 -j DNAT --to-destination 6.6.0.1

Packets reach computer No. 1. Packets also arrive (duplicated) at computer No. 2, but their destination field remains unchanged (123.123.123.123).

The problem is that I could not find a way to duplicate traffic while setting the correct fields (in particular, the destination).

    1 answer

    So insert the DNAT before duplicating:

     # change the destination field of the non-duplicated packets to the address of computer No. 2
     iptables -t nat -A PREROUTING -d 123.123.123.123 -j DNAT --to-destination 6.6.1.1
     # duplicate all packets destined for 123.123.123.123 to computer No. 2
     iptables -t mangle -A PREROUTING -d 123.123.123.123 -j TEE --gateway 6.6.1.1
     # change the destination field of the non-duplicated packets to the address of computer No. 1
     iptables -t nat -A PREROUTING -d 123.123.123.123 -j DNAT --to-destination 6.6.0.1
    • Thanks. Indeed, I could have guessed. But now, for some reason, computer No. 3 replaces the port of the packets coming from the computer to which duplication was made when it sends them to the client (computer No. 1). And there are no filters on computer No. 3 that could do this. All testing is done with netcat. Can you tell me what the problem might be? - 111
    • That is most likely conntrack's fault. Add a NOTRACK rule in PREROUTING or disable conntrack. Check it; I'm not sure, but there seems to be nothing else. - eri
    • Yes, it helped. Thank you - 111
    • 1. Isn't only one DNAT rule (the first) applied? 2. Is traffic duplication using mangle actually applicable across different subnets (123.123.123.xxx & 6.6.6.y)? For example, my traffic is not duplicated (according to the pcap file) - Worker
    • @Worker maybe the answer is not accurate - eri
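To see why the duplicated packets arrive at computer No. 2 with their destination unchanged, and why, as Worker asks, only the first DNAT rule can match, here is an added model of the PREROUTING hook traversal (example code written for this page, not from the question or the answer). It encodes two documented netfilter facts: the mangle hook (priority -150) always runs before the nat hook (-100), whatever order the iptables commands were entered in, and NAT is only applied to conntrack-tracked packets, so a raw-table NOTRACK rule switches DNAT off for the packets it matches. The addresses 6.6.0.1, 6.6.1.1 and 123.123.123.123 are the thread's; the source address 6.6.0.4 used for computer No. 4 is a constructed placeholder, and the packet and rule representation is a deliberate simplification.

```python
# Toy model of the IPv4 PREROUTING traversal discussed in this thread.
# Added example, not code from the question or the answer. Hook priorities
# are the real netfilter ones (raw -300, mangle -150, nat -100); the packet
# and rule representation is simplified, and the source address 6.6.0.4
# used for computer No. 4 is a constructed placeholder.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

TARGET = "123.123.123.123"   # the address from the question, not present on the network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    tracked: bool = True      # becomes False when a raw-table NOTRACK rule matches


@dataclass(frozen=True)
class Rule:
    table: str                # "raw", "mangle" or "nat"
    match_dst: str            # the -d argument
    target: str               # "NOTRACK", "TEE" or "DNAT"
    arg: Optional[str] = None # --gateway for TEE, --to-destination for DNAT


# Lower priority runs first. This order is fixed by the kernel and does not
# depend on the order in which the iptables commands were entered.
HOOK_PRIORITY = {"raw": -300, "mangle": -150, "nat": -100}


def traverse_prerouting(pkt: Packet, rules: List[Rule]) -> Tuple[Packet, List[Packet]]:
    """Walk one packet through PREROUTING.

    Returns the packet as it leaves the hook and the list of clones that TEE
    emitted along the way. Tables are visited in hook-priority order; within a
    table, rules are visited in the order they were appended (-A).
    """
    clones: List[Packet] = []
    for table in sorted(HOOK_PRIORITY, key=HOOK_PRIORITY.get):
        if table == "nat" and not pkt.tracked:
            # NAT is performed by conntrack; an untracked packet is never NATed.
            continue
        for rule in (r for r in rules if r.table == table):
            if rule.match_dst != pkt.dst:
                continue
            if rule.target == "NOTRACK":
                pkt = replace(pkt, tracked=False)
            elif rule.target == "TEE":
                # The clone is a copy of the packet as it is at this point: its
                # IP header is untouched; only its next hop is rule.arg.
                clones.append(replace(pkt))
                # TEE does not terminate the chain; the original continues.
            elif rule.target == "DNAT":
                # DNAT is a terminating target: the first matching rule wins.
                pkt = replace(pkt, dst=rule.arg)
                break
    return pkt, clones


def scenario_question() -> Tuple[Packet, List[Packet]]:
    """The ruleset from the question: TEE in mangle, one DNAT in nat."""
    rules = [
        Rule("mangle", TARGET, "TEE", "6.6.1.1"),
        Rule("nat", TARGET, "DNAT", "6.6.0.1"),
    ]
    return traverse_prerouting(Packet("6.6.0.4", TARGET), rules)


def scenario_answer() -> Tuple[Packet, List[Packet]]:
    """The ruleset from the answer: a DNAT to computer No. 2 added in front."""
    rules = [
        Rule("nat", TARGET, "DNAT", "6.6.1.1"),
        Rule("mangle", TARGET, "TEE", "6.6.1.1"),
        Rule("nat", TARGET, "DNAT", "6.6.0.1"),
    ]
    return traverse_prerouting(Packet("6.6.0.4", TARGET), rules)


def scenario_notrack() -> Tuple[Packet, List[Packet]]:
    """The question's ruleset plus the raw-table NOTRACK suggested in the comments."""
    rules = [
        Rule("raw", TARGET, "NOTRACK"),
        Rule("mangle", TARGET, "TEE", "6.6.1.1"),
        Rule("nat", TARGET, "DNAT", "6.6.0.1"),
    ]
    return traverse_prerouting(Packet("6.6.0.4", TARGET), rules)


if __name__ == "__main__":
    for name, run in (("question", scenario_question),
                      ("answer", scenario_answer),
                      ("notrack", scenario_notrack)):
        out, clones = run()
        print(f"{name:8s} original -> {out.dst:16s} clones -> {[c.dst for c in clones]}")
```

Running the module prints the three scenarios. In all of them the TEE clone leaves computer No. 3 with destination 123.123.123.123, which is exactly the question's observation: the clone is taken in mangle before any nat rule has touched the header, so any rewriting of the clone's destination has to happen on the host that receives it. In the answer's ruleset the first DNAT rewrites the destination to 6.6.1.1 and terminates the chain, so the rule for 6.6.0.1 is never reached; with a matching NOTRACK rule in raw, the original packet is not DNATed at all.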