punkwalrus wrote in linux

Passing along and filtering raw packets in iptables

I have this task requested of me, and my iptables knowledge is kind of weak.

We have a POP router in area_a and area_b; the two areas are several miles apart from one another. There is a Policy Server in area_b, and its purpose is to send instructions on where to distribute traffic across POPs depending on various formulas and rules (like an ICR). Currently, the only information it gets is from the router in area_b, because there is no way to physically connect it to the router in area_a. This makes the POP distribution only half-enabled.

So our network group wants to set up a connection from area_a to area_b, and the only way to do this physically is to set up a box in area_b, use a GRE tunnel from area_a to area_b, and forward the packets onto the packet monitor. But the problem is, they don't want to forward the packets of the GRE tunnel itself, only the packets from the router in area_a. The reason we can't just hook up the packet monitor to the same connection the Linux box is connected to is that the Linux box needs to terminate the GRE tunnel.

The networking people came to me to find out if there's a way to "mirror packets," but I don't think that's the correct term for what they need. "I want something like tcpdump eth0 > eth1, but without the GRE tunnel traffic itself. Is there a way to do this in IPTables?"

See diagram (53kb jpg)

Most of what I have done with iptables has been focused on a terminating end: blocking ports and so on. I have a few NAT rules for DHCP, but I set those up and forgot what I did a while back. What I am thinking is that the network team has to set ip_forwarding, and then somehow filter the GRE tunnel packets out, allowing data from the router in area_a to pass through with nothing else attached. This seems basic, but networking says that they have been asking around and they are stumped, so it fell into my lap.
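One way to do what the post describes, as an added example that is not from the post or its replies: terminate the tunnel on the Linux box so the decapsulated area_a packets surface on a gre interface, then port-mirror that interface to the monitor NIC with tc rather than iptables (netfilter's TEE target needs a next-hop IP, which a passive sniffer does not have), and use iptables only to make sure the box never acts on the mirrored copies itself. Interface names, addresses and the DRY_RUN helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed assumptions: eth0 carries
# the GRE tunnel from the area_a router (remote 192.0.2.1, local 198.51.100.1),
# eth1 faces the passive packet monitor, and the tunnel interface is gre1.
set -eu

TUN_IF=gre1; MON_IF=eth1; REMOTE=192.0.2.1; LOCAL=198.51.100.1

# run: print the command when DRY_RUN=1, otherwise execute it (root required).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: terminate the GRE tunnel. The outer IP-proto-47 wrapper only ever
# exists on eth0; what arrives on $TUN_IF is already the inner area_a packet.
setup_tunnel() {
    run ip tunnel add "$TUN_IF" mode gre remote "$REMOTE" local "$LOCAL" ttl 64
    run ip link set "$TUN_IF" up
}

# Step 2: port-mirror everything entering $TUN_IF out of $MON_IF. The tc ingress
# hook runs before routing and netfilter, so ip_forward stays off and the GRE
# wrapper is never copied. ("matchall" needs kernel 4.8+; older kernels can use
# "u32 match u32 0 0" as the catch-all filter instead.)
setup_mirror() {
    run tc qdisc add dev "$TUN_IF" handle ffff: ingress
    run tc filter add dev "$TUN_IF" parent ffff: matchall \
        action mirred egress mirror dev "$MON_IF"
}

# Step 3: the inner packets are copies meant only for the monitor; make sure this
# box never delivers or forwards them itself. The mirror has already fired by
# the time INPUT/FORWARD see the packet, so the copy on $MON_IF is unaffected.
setup_guard() {
    run sysctl -w net.ipv4.ip_forward=0
    run iptables -A INPUT   -i "$TUN_IF" -j DROP
    run iptables -A FORWARD -i "$TUN_IF" -j DROP
}

# plan: emit the whole command sequence without touching the system.
plan() { DRY_RUN=1; setup_tunnel; setup_mirror; setup_guard; }

case "${1:-}" in
    apply) DRY_RUN=0; setup_tunnel; setup_mirror; setup_guard ;;
    *)     plan ;;
esac
```

Run it with no arguments to see the dry-run plan, or as root with `apply` to configure the box.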