On 10/22/2010 09:36 AM, Changli Gao wrote:
On Fri, Oct 22, 2010 at 9:24 PM, Changli Gao<xiaosuo@xxxxxxxxx> wrote:
On Fri, Oct 22, 2010 at 8:31 PM, Stephen Clark<sclark46@xxxxxxxxxxxxx> wrote:
Hello,
Problem:
I have two monitoring servers behind a Linux firewall; one is primary and one is backup.
In the field we have units sending UDP informational packets to the primary server. On the
Linux firewall I would like to copy this packet and change the destination address of the copied
packet to point to the backup server. Is there a way to do this without writing any code?
NOTE:
Currently the firewall is FreeBSD and we accomplish this rather easily using
ipfw along with natd, but we want to move to Linux for our firewall.
I think you can use tc action mirred to mirror the packets to a fake
NIC device (ifb), and use tc action nat to DNAT the packets received
from ifb.
Oh, iptables can also do it. Please see the iptables targets TEE and RAWNAT
in xtables-addons: http://xtables-addons.sourceforge.net/
In testing this it looks, to me anyhow, like the cloned packet gets
sent to the new gw with the original destination address, so now the
destination address has to get fixed up on the gw. This seems pretty
kludgy to me. Why can't the cloned packet simply have its destination
address replaced with the new destination address? This seems to me
like it would make a lot more sense, instead of having to make changes to
the packet on two different systems.
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
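The two approaches raised in this thread, written out as an added example (not code from any of the posters or from the xtables-addons project). Variant A is the TEE path Stephen tested: TEE on the firewall clones the UDP packet and hands the clone to the backup host's MAC, but the clone still carries the primary server's address, so the backup host has to rewrite it with RAWDNAT in its raw table. Variant B is Changli's tc suggestion: mirred copies the packet onto an ifb device and act_nat rewrites the destination on ifb's ingress, so only the firewall is touched. The interface name, addresses and UDP port are constructed placeholders; the rp_filter and ip_forward notes are operational assumptions for forwarding a clone that arrives on ifb0, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread). Two ways to fan a UDP monitoring
# stream out to a backup server from a Linux box. All addresses, the
# interface name and the UDP port are constructed placeholders.
FW_IN_IF="eth0"          # interface the field units' packets arrive on
PRIMARY="10.0.0.10"      # primary monitoring server (original destination)
BACKUP="10.0.0.11"       # backup monitoring server
UDP_PORT="5000"          # port the units send to

# Variant A (the thread's TEE approach): two boxes are touched.
# On the firewall, TEE clones matching packets and hands the clone to the
# host given by --gateway; the clone still carries dst=$PRIMARY.
fw_tee_rules() {
cat <<EOF
iptables -t mangle -A PREROUTING -i $FW_IN_IF -p udp -d $PRIMARY --dport $UDP_PORT -j TEE --gateway $BACKUP
EOF
}

# On the backup server, RAWDNAT (xtables-addons) rewrites the clone's
# destination in the raw table, before routing, so a local socket gets it.
backup_rawdnat_rules() {
cat <<EOF
iptables -t raw -A PREROUTING -p udp -d $PRIMARY --dport $UDP_PORT -j RAWDNAT --to-destination $BACKUP
EOF
}

# Variant B (Changli's tc suggestion): everything stays on the firewall.
# mirred copies the packet to ifb0; ifb re-injects it as ingress on ifb0,
# where act_nat rewrites the destination (ingress direction = dst rewrite),
# and the clone is then forwarded to $BACKUP like any other packet.
# Assumption: rp_filter must be off on ifb0 and ip_forward enabled, or the
# forwarded clone is dropped because its source is not reachable via ifb0.
fw_tc_rules() {
cat <<EOF
modprobe ifb
ip link set ifb0 up
tc qdisc add dev $FW_IN_IF handle ffff: ingress
tc filter add dev $FW_IN_IF parent ffff: protocol ip prio 10 u32 match ip protocol 17 0xff match ip dst $PRIMARY/32 match ip dport $UDP_PORT 0xffff action mirred egress mirror dev ifb0
tc qdisc add dev ifb0 handle ffff: ingress
tc filter add dev ifb0 parent ffff: protocol ip prio 10 u32 match ip dst $PRIMARY/32 action nat ingress $PRIMARY/32 $BACKUP
sysctl -w net.ipv4.conf.ifb0.rp_filter=0
EOF
}

# Print a rule set (default) or execute it when APPLY=1 is set in the
# environment; applying needs root and the xtables-addons / act_nat modules.
emit_or_apply() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$1" | sh -e
    else
        "$1"
    fi
}

main() {
    echo "# Variant A, on the firewall:";       emit_or_apply fw_tee_rules
    echo "# Variant A, on the backup server:";  emit_or_apply backup_rawdnat_rules
    echo "# Variant B, firewall only:";         emit_or_apply fw_tc_rules
}

main
```

Run without APPLY to review the generated rules; run with APPLY=1 on the right host for each function. The u32 `dport` match assumes no IP options, and the original packet continues to $PRIMARY untouched in both variants; only the copy is redirected.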