Traffic mirroring via iptables [Debian Etch]

This option adds a `ROUTE' target, which enables you to setup unusual
routes. For example, the ROUTE lets you route a received packet through
an interface or towards a host, even if the regular destination of the
packet is the router itself. The ROUTE target is also able to change the
incoming interface of a packet.
To copy (duplicate) all traffic from and to a local ECHO server to a second box (nonfinal target):
iptables -A PREROUTING -t mangle -p tcp --dport 7 -j ROUTE --gw 1.2.3.4 --tee
iptables -A POSTROUTING -t mangle -p tcp --sport 7 -j ROUTE --gw 1.2.3.4 --tee
To enable the ROUTE target for iptables, the whole "kernel + iptables" pair has to be recompiled.
So let's first prepare our working environment.
apt-get install linux-source-2.6.18 gcc make ncurses-dev
cd /usr/src
tar -xvjf linux-source-2.6.18.tar.bz2
ln -s linux-source-2.6.18 linux
Download the iptables sources and extract them:
wget http://www.netfilter.org/projects/iptables/files/iptables-1.3.6.tar.bz2
tar -xjpf iptables-1.3.6.tar.bz2
We can now download patch-o-matic:
wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070728.tar.bz2
tar xvjf patch-o-matic-ng-20070728.tar.bz2
cd patch-o-matic-ng-20070728
We need to point it at the iptables source directory:
IPTABLES_DIR=/usr/src/iptables-1.3.6 ./runme ROUTE
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux]
Loading patchlet definitions................ done
Welcome to Patch-o-matic ($Revision: 6736 $)!
Kernel: 2.6.18, /usr/src/linux
Iptables: 1.3.6, /usr/src/iptables-1.3.6
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing ROUTE… not applied
The ROUTE patch:
Author: Cédric de Launois <delaunois@info.ucl.ac.be>
Status: Experimental
This option adds a `ROUTE' target, which enables you to setup unusual
routes. For example, the ROUTE lets you route a received packet through
an interface or towards a host, even if the regular destination of the
packet is the router itself. The ROUTE target is also able to change the
incoming interface of a packet.
The target can be or not a final target. It has to be used inside the
mangle table.
ROUTE target options:
--oif ifname Send the packet out using `ifname' network interface.
--iif ifname Change the packet's incoming interface to `ifname'.
--gw ip Route the packet via this gateway.
--continue Route the packet and continue traversing the rules.
--tee Route a copy of the packet, but continue traversing
the rules with the original packet, undisturbed.
Note that --iif, --continue, and --tee, are mutually exclusive.
Examples :
# To force all outgoing icmp packet to go through the eth1 interface
# (final target) :
iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --oif eth1
# To tunnel outgoing http packets and continue traversing the rules :
iptables -A POSTROUTING -t mangle -p tcp --dport 80 -j ROUTE --oif tunl1 --continue
# To forward all ssh packets to gateway w.x.y.z, and continue traversing
# the rules :
iptables -A POSTROUTING -t mangle -p tcp --dport 22 -j ROUTE --gw w.x.y.z --continue
# To change the incoming network interface from eth0 to eth1 for all icmp
# packets (final target) :
iptables -A PREROUTING -t mangle -p icmp -i eth0 -j ROUTE --iif eth1
# To copy (duplicate) all traffic from and to a local ECHO server
# to a second box (nonfinal target)
iptables -A PREROUTING -t mangle -p tcp --dport 7 -j ROUTE --gw 1.2.3.4 --tee
iptables -A POSTROUTING -t mangle -p tcp --sport 7 -j ROUTE --gw 1.2.3.4 --tee
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
We can now compile the kernel:
cd /usr/src/linux
make oldconfig
A few packages quickly become indispensable ;o)
apt-get install kernel-package
And off we go with the compilation:
make-kpkg clean
make-kpkg --initrd kernel_image kernel_headers
make-kpkg –initrd kernel_image
Once the compilation is done, install the kernel and boot into it.
dpkg -i monnoyau.deb
Check your /boot/grub/menu.lst to see whether your new kernel appears.
Then reboot.
To monitor all incoming traffic to an IP (with an IDS, for example :-)), use the following iptables rule:
iptables -A POSTROUTING -t mangle -p tcp --sport 7 -j ROUTE --gw 1.2.3.4 --tee
In a future post we will see how to use this traffic with an IDS.
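As an added example (not part of the original post), here is a small POSIX sh script that generalises the ECHO mirroring rules above to any TCP port and IDS sensor address, with a preflight check that the patched kernel actually registered the ROUTE target; the script name mirror_rules.sh, the sensor address 192.0.2.10 and the dry-run mode are my own assumptions.

```shell
#!/bin/sh
# mirror_rules.sh: duplicate all traffic to and from a local TCP service
# towards an IDS sensor with the ROUTE --tee target (mangle table).
# Usage: mirror_rules.sh <server_port> <ids_gateway_ip> [apply]
# Without "apply" the rules are only printed (dry run), so nothing is changed.

# Return 0 if the running kernel has the ROUTE target registered.
# /proc/net/ip_tables_targets lists one registered target name per line.
route_target_available() {
    grep -qx ROUTE /proc/net/ip_tables_targets 2>/dev/null
}

# Print the two rules: PREROUTING catches packets arriving for the service
# (--dport), POSTROUTING catches the replies leaving it (--sport). With --tee
# only a copy goes to the gateway; the original packet continues untouched.
mirror_rules() {
    port=$1; gw=$2
    echo "iptables -t mangle -A PREROUTING -p tcp --dport $port -j ROUTE --gw $gw --tee"
    echo "iptables -t mangle -A POSTROUTING -p tcp --sport $port -j ROUTE --gw $gw --tee"
}

# Validate the port, then either print the rules or apply them.
# Returns 2 on a bad port, 1 if the ROUTE target is missing when applying.
mirror_traffic() {
    port=$1; gw=$2; mode=${3:-dry-run}
    case "$port" in
        ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 2 ;;
    esac
    if [ "$mode" = apply ]; then
        if ! route_target_available; then
            echo "ROUTE target not available: rebuild kernel + iptables with the patch" >&2
            return 1
        fi
        mirror_rules "$port" "$gw" | sh -e
    else
        mirror_rules "$port" "$gw"
    fi
}

# Only act when run as a script, so the functions can also be sourced.
if [ "${0##*/}" = "mirror_rules.sh" ]; then
    mirror_traffic "$@"
fi
```

The sensor must be on a directly reachable link, since the copy is handed to the gateway address while keeping the original IP headers; on current kernels without the patch-o-matic ROUTE target, the mainline TEE target (`-j TEE --gateway <ip>`) does the same duplication.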
