Hard Crash With iptable Entries AC86U 384.8 alpha

[ColinTaylor]

Yes, no problem. But I've not tried using it from a startup script, only by typing them into the command line.

 

[GHammer]

Yes, no problem. But I've not tried using it from a startup script, only by typing them into the command line.

My 86U becomes unusable (can't get response from SSH terminal, GUI, no device can reach anything) within minutes of manually putting these in.

So, let me think out loud.
.115 is a linux box running an AP (different network), weewx (doesn't use 80 or 443), mosquitto (different ports), and Apache of course on 80 & 443.
My router sends port 80 & 443, among others, to .115 both IPV4 and IPV6. I did those from the router's GUI.

I wonder if it is not happy with taking the port 80 traffic from the weather station and sending it to .115

 

[ColinTaylor]

.115 is a linux box running an AP (different network), weewx (doesn't use 80 or 443), mosquitto (different ports), and Apache of course on 80 & 443.

I don't know what you mean by "AP (different network)". I'm guessing it has a second NIC on a different subnet? I can't think that would be a problem unless you've got some messed up routing between subnets. Other than that the Linux box is nothing unusual.

My router sends port 80 & 443, among others, to .115 both IPV4 and IPV6. I did those from the router's GUI.

I wonder if it is not happy with taking the port 80 traffic from the weather station and sending it to .115

I assume you're talking about port forwarding in the router's GUI. That shouldn't be a problem. Unless of course there's a bug in the firmware.

What iptables commands are you using? Are you still using these? In that post it looks like you have the IP addresses the wrong way around. What is the IP address of the machine who's traffic you are intercepting and what is the IP address of the machine that is doing the monitoring?

 

[GHammer]

What I meant by the AP on a different network is that I have a USB WiFi adapter serving as an access point to provide a separate network for the weather station as I was never able to get the router to do the mirroring.
So, the address of the device I want to sniff is .121 the device doing the sniffing is .115

pcap_filter = src 10.10.100.121 and dst port 80

That is what gets the data into weewx.

iptables -t mangle -A PREROUTING  -s 10.10.100.121 -j ROUTE --tee --gw 10.10.100.115
iptables -t mangle -A POSTROUTING -d 10.10.100.121 -j ROUTE --tee --gw 10.10.100.115

Those are the iptable commands I use.

I don't wish to have the port 80 traffic pass only to the .115 address, it should proceed to its destination while being mirrored to .115

 

[ColinTaylor]

iptables -t mangle -A PREROUTING  -s 10.10.100.121 -j ROUTE --tee --gw 10.10.100.115
iptables -t mangle -A POSTROUTING -d 10.10.100.121 -j ROUTE --tee --gw 10.10.100.115

Those are the iptable commands I use.

I don't wish to have the port 80 traffic pass only to the .115 address, it should proceed to its destination while being mirrored to .115

OK. Those commands look correct then.

What I meant by the AP on a different network is that I have a USB WiFi adapter serving as an access point to provide a separate network for the weather station as I was never able to get the router to do the mirroring.
So, the address of the device I want to sniff is .121 the device doing the sniffing is .115

pcap_filter = src 10.10.100.121 and dst port 80

That is what gets the data into weewx.

Are you saying that 10.10.100.115 and 10.10.100.121 are two network interfaces on the same physical box, i.e. multihomed? That could cause you problems if you haven't set the kernel networking parameters correctly.

 

[GHammer]

OK. Those commands look correct then.

Are you saying that 10.10.100.115 and 10.10.100.121 are two network interfaces on the same physical box, i.e. multihomed? That could cause you problems if you haven't set the kernel networking parameters correctly.

No. That's how I wish it to work.
Currently it is configured differently as the router refuses to mirror the traffic.

 

[ColinTaylor]

No. That's how I wish it to work.
Currently it is configured differently as the router refuses to mirror the traffic.

So how is it configured now?

 

[GHammer]

So how is it configured now?

Linux has 10.10.100.115 and uses hostapd to provide an AP for the weather station.

AP has 10.10.0.1

dnsmasq provides DHCP for the AP which allows the weather station to be assigned a static IP so I can sniff the traffic.

Then enable ipv4 forwarding.
iptables and iptables-persistent to allow the traffic from the AP to the LAN that is controlled by the router.

It would be much simpler if the router would mirror the traffic.

 

[ColinTaylor]

So where (and what) is 10.10.100.121 in this setup?

 

[GHammer]

So where (and what) is 10.10.100.121 in this setup?

If the router mirrored traffic it would be the weather station

 

[ColinTaylor]

What port forwarding rules and/or static routes have you created on the router?

 

[GHammer]

Ports 80 and 443 to .115 all sources

 

[ColinTaylor]

Sorry, I'm having a really hard time trying to visualise the traffic flow here. As I understand it:

1. There is some sort of networked weather station device which has IP 10.10.100.121 or 10.10.0.x depending on how you've set everything up.

2. There's various services running on Linux at 10.10.100.115 which
a) is accessible from the internet on ports 80 and 443
b) the weather station communicates with is some way.

So..... if you put the weather station back on 10.10.100.121 why are you mirroring it's traffic to 10.10.100.115 which presumably it's talking to already?

What am I missing here?

 

[GHammer]

The weather station only sends traffic to a few internet sites. It is not configurable. It does not interface with anything locally. If, like me, you wish to have the data, you find a way to capture it.

The real issue here is that the router will not mirror traffic.

 

[ColinTaylor]

I suggest that you try just using this one command as an experiment:

iptables -t mangle -A PREROUTING -s 10.10.100.121 -j ROUTE --tee --gw 10.10.100.222

Where 10.10.100.222 is the address of some other PC on your LAN. If you don't have the problem with the router that you had before trying adding a second command:

iptables -t mangle -A POSTROUTING -d 10.10.100.121 -j ROUTE --tee --gw 10.10.100.222

If it still works we have narrowed down the problem.

 

[GHammer]

Good idea, I’ll send the traffic to my desktop. Nothing running or forwarded to it.

 

[GHammer]

No issues, but there's is no traffic coming from .121 as it is not configured as .121
It's a fairly time consuming process to get it on a different IP.

This would fail almost immediately just by entering the iptables commands if I use .115 as the target

Off to swing the weather station to .121 to see if traffic makes a difference.
Meantime, if this is heading the direction I think, I can have the process that sniffs the data look at any port. Is it possible to send the data to a different port while mirroring the traffic? DNAT perhaps?

 

[GHammer]

Sending traffic from .121 caused the router to fail.
Nov 9 12:11:44 kernel: Call trace:

I have the log saved and have restarted the router to get rid of the iptables entries.

 

[ColinTaylor]

Reading more about ROUTE at places like this it seems that it's a depreciated unofficial extension. As your router has a much newer kernel than mine it's quite possible that that extension is simply not compatible any more.

It appears that there is an official alternative built into the later iptables called TEE. So try this command and see if it accepts it:

iptables -t mangle -A PREROUTING -s 10.10.100.121 -j TEE --gateway 10.10.100.222

http://ipset.netfilter.org/iptables-extensions.man.html#lbDW

 

[GHammer]

So try this command and see if it accepts it:

Doesn't apply.

admin@RT-AC86U-6828:/tmp/home/root# iptables -t mangle -A PREROUTING -s 10.10.10
0.121 -j TEE --gateway 10.10.100.100
iptables: No chain/target/match by that name.