Linux Bridge is the bridge device supported by the kernel; it provides simple switch functionality. The current requirement is to capture all of the traffic of the cloud hosts (VMs) on our cloud platform. We use Bridge, not a feature-rich software switch such as vswitch. After consulting the following references:
http://backreference.org/2014/06/17/port-mirroring-with-linux-bridges/
http://superuser.com/questions/753294/mirror-port-via-iptables
http://askubuntu.com/questions/22562/copy-all-bridge-traffic-to-a-specific-interface
there are the following approaches:
iptables
Using iptables, edit the rules as follows:
mangle table specific
-j ROUTE (explicitly route packets, valid at PREROUTING)
options:
--iface <iface_name>
--ifindex <iface_idx>
You can also enter the commands directly:
iptables -I PREROUTING -t mangle -i eth0 -j TEE --gateway 192.168.200.1
iptables -I POSTROUTING -t mangle -j TEE --gateway 192.168.200.1
From the documentation:
The TEE target will clone a packet and redirect this clone to another machine on the local network segment. In other words, the nexthop must be the target, or you will have to configure the nexthop to forward it further if so desired.
--gateway ipaddr
Send the cloned packet to the host reachable at the given IP address. Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
To forward all incoming traffic on eth0 to a Network Layer logging box:
-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1
The target is TEE, which clones the packet to another machine on the local network. Note, however, that this operates on the mangle table; by the time a packet reaches this point it has already been through SNAT/DNAT, so it is obviously no longer the packet that originally left the cloud host.
tc tool
Daemonlogger
sudo daemonlogger -i <input_interface> -o <mirror_interface>
where the arguments are explained as
-i <interface> Set interface to grab data from to <interface>.
-o <interface> Disable logging, instead mirror traffic from -i <interface> to -o <interface>.
This one is very simple.
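As an added example (not code from the original post or from Daemonlogger), the script below enumerates the ports of a Linux bridge through sysfs and emits one daemonlogger mirror command per VM tap port (vnet*), skipping the uplink; it also builds the TEE rule from above while refusing the gateway values the man page declares invalid. The sysfs path /sys/class/net/<bridge>/brif/ is real; the bridge name br0, the ports bond0/vnet0/vnet1 and the mirror interface mirror0 are constructed for the demo, so the functions take the sysfs root as a parameter and the demo builds a fake tree under a temporary directory.

```shell
#!/bin/sh
# Added example: generate per-VM-port mirror commands for a Linux bridge.
# Real layout used: /sys/class/net/<bridge>/brif/<port> (one entry per port).
# Everything else (bridge name, port names, mirror interface) is constructed.

# Print the ports of bridge $2, reading the brif directory under sysfs root $1
# (default /sys/class/net).
bridge_ports() {
    sysroot=${1:-/sys/class/net}
    br=$2
    [ -d "$sysroot/$br/brif" ] || { echo "no such bridge: $br" >&2; return 1; }
    for p in "$sysroot/$br/brif"/*; do
        [ -e "$p" ] && basename "$p"
    done
}

# Emit one daemonlogger command per vnet* port of bridge $2, mirroring into
# interface $3. Uplink ports such as bond0 are skipped on purpose: traffic
# there is already NAT'd, whereas the vnet side carries the VM's own packets.
daemonlogger_cmds() {
    bridge_ports "$1" "$2" | while read -r port; do
        case "$port" in
            vnet*) echo "daemonlogger -i $port -o $3" ;;
        esac
    done
}

# The TEE man page says 0.0.0.0 (IPv4) and :: (IPv6) are invalid gateways.
tee_gateway_ok() {
    case "$1" in
        ""|0.0.0.0|::) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the mangle-table TEE rule for interface $1 cloning to gateway $2.
tee_rule() {
    tee_gateway_ok "$2" || { echo "invalid TEE gateway: $2" >&2; return 1; }
    echo "iptables -t mangle -I PREROUTING -i $1 -j TEE --gateway $2"
}

# Constructed sysfs tree so the script runs without a real bridge.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/br0/brif/bond0" "$root/br0/brif/vnet0" "$root/br0/brif/vnet1"
    echo "$root"
}

demo_root=$(make_demo_tree)
echo "# ports of br0:"
bridge_ports "$demo_root" br0
echo "# mirror commands:"
daemonlogger_cmds "$demo_root" br0 mirror0
echo "# TEE rule for the uplink:"
tee_rule eth0 192.168.200.1
rm -rf "$demo_root"
```

Run it as a normal user to preview the commands; on the real host, point the functions at the default sysfs root and execute the printed daemonlogger lines as root, one per VM port, with the mirror interface connected to the capture box.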
tcpdump -i bond0 -n|grep 223.5.5.5 tcpdump: WARNING: bond0: no IPv4 address assigned tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes 10:51:01.160065 IP 10.10.82.226 > 223.5.5.5: ICMP echo request, id 15978, seq 182, length 64 10:51:01.163128 IP 223.5.5.5 > 10.10.82.226: ICMP echo reply, id 15978, seq 182, length 64 10:51:02.161217 IP 10.10.82.226 > 223.5.5.5: ICMP echo request, id 15978, seq 183, length 64
Capture on vnet0
tcpdump -i vnet0 -n | grep 223.5.5.5
tcpdump: WARNING: vnet0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vnet0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:31:42.458344 IP 192.168.138.14 > 223.5.5.5: ICMP echo request, id 30953, seq 1, length 64
17:31:42.461327 IP 223.5.5.5 > 192.168.138.14: ICMP echo reply, id 30953, seq 1, length 64
We can see that the packets coming out of vnet0 on the bridge are the original ones! That is, they have not yet gone through the iptables path to the Internet.
It is especially important to note why we do not simply export the traffic on bond0: we have SNAT and DNAT rules in iptables (see the earlier article for details). Precisely because of SNAT/DNAT, the original packets have been rewritten, so it is no longer possible to monitor a given cloud host's traffic by its source or destination address there.
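As an added example (not from the original post), the script below turns the observation above into a check: it parses tcpdump -n output, extracts the source and destination of each IP line, and counts how many lines involve a given host. Run against the two captures, the VM address 192.168.138.14 matches nothing on the bond0 side (where only the NAT'd address 10.10.82.226 appears) and matches every line on the vnet0 side. The sample lines are constructed from the captures shown above plus one constructed DNS line with ports, to show that the port suffix tcpdump appends is stripped.

```shell
#!/bin/sh
# Added example: count capture lines that involve a given host, so you can
# tell on which interface a VM's own address is still visible.
# Sample input is constructed from the captures in the post (ICMP lines) plus
# one constructed UDP line to exercise port stripping.

BOND0_CAPTURE='10:51:01.160065 IP 10.10.82.226 > 223.5.5.5: ICMP echo request, id 15978, seq 182, length 64
10:51:01.163128 IP 223.5.5.5 > 10.10.82.226: ICMP echo reply, id 15978, seq 182, length 64
10:51:02.161217 IP 10.10.82.226 > 223.5.5.5: ICMP echo request, id 15978, seq 183, length 64'

VNET0_CAPTURE='17:31:42.458344 IP 192.168.138.14 > 223.5.5.5: ICMP echo request, id 30953, seq 1, length 64
17:31:42.461327 IP 223.5.5.5 > 192.168.138.14: ICMP echo reply, id 30953, seq 1, length 64
17:31:50.000000 IP 192.168.138.14.43210 > 223.5.5.5.53: 12345+ A? example.com. (29)'

# Read tcpdump -n lines on stdin and print "src dst" per IP line.
# Field 3 is the source, field 5 the destination with a trailing colon; for
# TCP/UDP tcpdump appends ".port" to IPv4 addresses, which is stripped here.
endpoints() {
    awk '
    function strip(f,    n, a) {
        sub(/:$/, "", f)
        n = split(f, a, ".")
        if (n == 5) f = a[1] "." a[2] "." a[3] "." a[4]
        return f
    }
    $2 == "IP" { print strip($3), strip($5) }'
}

# Count lines (stdin) in which host $1 appears as source or destination.
count_host_lines() {
    endpoints | awk -v h="$1" '$1 == h || $2 == h { n++ } END { print n + 0 }'
}

echo "bond0 lines carrying the VM address:"
printf '%s\n' "$BOND0_CAPTURE" | count_host_lines 192.168.138.14
echo "vnet0 lines carrying the VM address:"
printf '%s\n' "$VNET0_CAPTURE" | count_host_lines 192.168.138.14
echo "bond0 lines carrying the NAT'd address:"
printf '%s\n' "$BOND0_CAPTURE" | count_host_lines 10.10.82.226
```

On a live host the same functions can be fed directly, e.g. `tcpdump -i vnet0 -n -l | count_host_lines <vm-ip>` (with `-l` for line-buffered output), to confirm which port sees the pre-NAT addresses before deciding where to attach the mirror.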