Hi,

My goal is to send a copy of all incoming and outgoing traffic on one interface (or several) to an IDS machine/collector.

I'm using the TEE target in iptables to do so. This is the command I use:

    iptables -t mangle -I PREROUTING -i enp5s0.11 -j TEE --gateway 10.215.144.7

I can check that it's been applied:

    # iptables -t mangle -S | grep TEE
    -A PREROUTING -i enp5s0.11 -j TEE --gateway 10.215.144.7

Now, if I ping a host behind enp5s0.11 from the shorewall system, I can only see part of the duplicated ICMP traffic on the host with IP address 10.215.144.7. I only see ICMP reply packets. How can I include the requests too?

I would also prefer to see the VLAN ID info. However, tcpdump -e vlan does not seem to show any vlan information on the "gateway".

Finally, does shorewall "support" TEE in some way? Or port mirroring in any other way? I haven't found any relevant documentation regarding this topic, yet.

Regards,

Vieri
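
A rule in mangle PREROUTING with `-i enp5s0.11` matches only packets arriving on that interface; packets the host itself sends out of it traverse OUTPUT and POSTROUTING instead, which is consistent with seeing only the echo replies. As an added example (not part of the original post and not Shorewall code), the shell function below audits `iptables -t mangle -S` output and reports, per interface, which directions a TEE rule covers; the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit TEE mirror rules for direction coverage.
# Input (stdin): output of `iptables -t mangle -S`.
# Output: one line per interface, showing the TEE gateway that receives
# ingress copies (PREROUTING -i) and egress copies (POSTROUTING -o),
# or MISSING when that direction is not mirrored.
tee_coverage() {
    awk '
    $1 == "-A" {
        chain = $2
        if (chain == "PREROUTING")       { dir = "in";  want = "-i" }
        else if (chain == "POSTROUTING") { dir = "out"; want = "-o" }
        else next                        # other chains see only part of the traffic
        iface = "any"; tee = 0; gw = "?"
        for (i = 3; i <= NF; i++) {
            # keep a negated interface match visible as "!name"
            if ($i == want) iface = (($(i-1) == "!") ? "!" : "") $(i+1)
            if ($i == "-j" && $(i+1) == "TEE") tee = 1
            if ($i == "--gateway") gw = $(i+1)
        }
        if (tee) { seen[iface] = 1; cov[iface, dir] = gw }
    }
    END {
        for (f in seen) {
            i = ((f, "in")  in cov) ? cov[f, "in"]  : "MISSING"
            o = ((f, "out") in cov) ? cov[f, "out"] : "MISSING"
            printf "%s ingress=%s egress=%s\n", f, i, o
        }
    }' | sort
}

# Constructed sample input: the single rule shown in the post.
tee_coverage <<'EOF'
-P PREROUTING ACCEPT
-A PREROUTING -i enp5s0.11 -j TEE --gateway 10.215.144.7
EOF
```

On a live system the same check is `iptables -t mangle -S | tee_coverage`, run as root; an interface reported with `egress=MISSING` has no TEE rule in POSTROUTING matching `-o` for it.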