
Hard Crash With iptable Entries AC86U 384.8 alpha

Code:
modprobe: module xt_TEE not found in modules.dep
Well, you learn something new every day I guess.
--tee is not equal to TEE
Hopefully this can get addressed so I can solve my issue.

Thanks for all the troubleshooting, I hardly ever have simple issues...
 
Wanted to make sure I didn't miss something....Why ASUS didn't update iptables along with the new kernel, I don't know (the 2.6.36 kernel is using 1.4.14).

Not sure if adding TEE is going to work. I'm in the middle of some work on my fork right now, but will take a look later.
 
Probably not relevant, but TEE is present on my Ubuntu box but that is running iptables v1.6.1.
 

That's odd:
Code:
root@f:~# modprobe xt_TEE
root@f:~# iptables -V
iptables v1.6.1
 
@GHammer

Try the test5 build at the same location.
https://1drv.ms/f/s!Ainhp1nBLzMJghJlb7j1wnqac97q

I built TEE into the kernel, so no need to load any modules. Also, please verify that iptables-save is working correctly:
Code:
iptables-save -t mangle
Thanks John.
I actually see traffic that has been mirrored to my desktop.
Here's the output of iptables-save:
Code:
admin@RT-AC86U-6828:/tmp/home/root# iptables-save -t mangle
# Generated by iptables-save v1.4.15 on Fri Nov  9 23:02:42 2018
*mangle
:PREROUTING ACCEPT [5614:807111]
:INPUT ACCEPT [3813:623631]
:FORWARD ACCEPT [1797:182888]
:OUTPUT ACCEPT [9019:1270012]
:POSTROUTING ACCEPT [10818:1453384]
-A PREROUTING -s 10.10.100.121/32 -j TEE --gateway 10.10.100.100
COMMIT
# Completed on Fri Nov  9 23:02:42 2018

As an aside, that entry seems to terminate traffic on my desktop, not mirror it.
At least the online services that the weather station feeds do not see traffic after enabling the TEE command.
Code:
iptables -t mangle -A PREROUTING -s 10.10.100.121 -j TEE --gateway 10.10.100.100

I'll try the statements I originally was using and see if I get a different result.
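
An added example, not part of any post in this thread: a POSIX shell function that lists the TEE (mirror) rules in `iptables-save` output like the dump above and marks each `--gateway` as on-link or off-link for a given LAN prefix, since the iptables-extensions man page describes TEE as sending the clone to a machine on the local network segment. The function names, the `10.10.100.0/24` prefix and the second sample rule are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: list TEE (mirror) rules found in
# iptables-save output. $1 is the LAN prefix (assumption: one IPv4 prefix).
audit_tee() {
    awk -v lan="$1" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function on_link(ip,    p, size) {
        split(lan, p, "/")
        size = 2 ^ (32 - p[2])            # addresses in the LAN prefix
        return int(ip2int(ip) / size) == int(ip2int(p[1]) / size)
    }
    /^\*/ { table = substr($0, 2); next } # "*mangle" opens a table section
    $1 == "-A" {
        src = "any"; dst = "any"; gw = ""; tee = 0
        for (i = 3; i < NF; i++) {
            neg = ($(i - 1) == "!") ? "!" : ""   # iptables-save writes "! -s addr"
            if ($i == "-s") src = neg $(i + 1)
            else if ($i == "-d") dst = neg $(i + 1)
            else if ($i == "-j" && $(i + 1) == "TEE") tee = 1
            else if ($i == "--gateway") gw = $(i + 1)
        }
        if (!tee) next
        state = on_link(gw) ? "on-link" : "OFF-LINK"
        print table, $2, "src=" src, "dst=" dst, "gateway=" gw, state
    }'
}

# Constructed sample: rule 1 is the one shown in the thread, rule 2 is made up.
sample_ruleset() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.10.100.121/32 -j TEE --gateway 10.10.100.100
-A POSTROUTING -d 10.10.100.121/32 -j TEE --gateway 192.168.1.50
-A PREROUTING -p tcp -j ACCEPT
COMMIT
EOF
}

# On the router: iptables-save | audit_tee 10.10.100.0/24
sample_ruleset | audit_tee 10.10.100.0/24
```

Each output line names the table, chain, matched source and destination, and the host receiving the copy, which makes an unexpected mirror rule easy to spot in a saved ruleset.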
 
Progress, the router no longer is unusable after I enter the iptables commands.
But the traffic seems to be rerouted to the target IP, not mirrored.
These are the only packets I receive on my desktop when I enter the iptables commands. Endless looking for DNS.
Code:
23:12:22.263031 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 3407+ A? rtupdate.wunderground.com. (43)
23:12:23.262934 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 20770+ A? rtupdate.wunderground.com. (43)
23:12:24.263022 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 41674+ A? api.ambientweather.net. (40)
23:12:25.263295 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 52540+ A? rtupdate.wunderground.com. (43)
23:12:25.263301 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 27642+ A? api.ambientweather.net. (40)
23:12:25.263420 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 63174+ A? api.weathercloud.net. (38)
23:12:26.262807 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 17361+ A? api.weathercloud.net. (38)
23:12:27.262797 IP 10.10.100.121.4096 > google-public-dns-a.google.com.domain: 29945+ A? api.ambientweather.net. (40)
23:12:27.381554 IP 10.10.100.121.4096 > one.one.one.one.domain: 11279+ A? rtupdate.wunderground.com. (43)

These are the iptables commands I used:
Code:
iptables -t mangle -A PREROUTING -s 10.10.100.121 -j TEE --gateway 10.10.100.100
iptables -t mangle -A POSTROUTING -d 10.10.100.121 -j TEE --gateway 10.10.100.100

I first used only the PREROUTING, then added the POSTROUTING.
No difference.

I'm calling it a day and will be back tomorrow.
 
Late to the party, but what is the objective here? To monitor all packets sent by the device while still allowing them to reach their intended destination?
 
That is indeed the goal. Ideally changing the port as well but currently just to work.
 
I'm probably missing something, but why not -j LOG the packets, and then use a script to scrape them from syslog to somewhere else?
 
The packets are used by a program that listens, not reads.
 
Well, let's see if we can finish this off at last.
So, to recap, I want to get the traffic from .121 to appear at .115
In a test from one desktop (.6) to my desktop (.100) it works fine. The source desktop can browse and such with no problem while my desktop gets a copy of all the traffic.
Code:
iptables -t mangle -A PREROUTING -s 10.10.100.6 -j TEE --gateway 10.10.100.100
iptables -t mangle -A POSTROUTING -d 10.10.100.6 -j TEE --gateway 10.10.100.100

Herein lies the problem. I need to change ports on the .121 traffic from 80 and 443 because there is an Apache server running on .115. Let's say I wanted to have it be 8000 and 4430.

I have a feeling that more iptables entries will be needed, but what?

P.S. @john9527 The TEE is only in your test load not available in RMerlin's 8_2
Code:
iptables -t mangle -A PREROUTING -s 10.10.100.6 -j TEE --gateway 10.10.100.100
iptables: No chain/target/match by that name.
 
