SBM Labs

Cyber Security Collaboration Project

Mirroring Network Traffic Using IPTables
10 Mar 2017

Sometimes you do not have access to the network equipment needed to configure port mirroring (a SPAN port), for example in a Virtual Private Cloud (VPC), but you still need to analyze the network traffic for malicious activity. In that case you can use the iptables TEE target on the host itself to send a copy of the traffic to a monitoring host (for example, an IDS). TEE clones every matching packet and delivers the clone to the host given as --gateway, so the monitoring host must be directly reachable on the same network segment (the clone is handed to the gateway's link-layer address, not routed further); the clone keeps the original source and destination addresses, which is exactly what the IDS needs to see. Keep in mind that mirroring doubles the bandwidth used by the mirrored service, and that in a cloud VPC the monitoring instance must be allowed to receive packets addressed to other hosts' IPs (on AWS this means disabling the source/destination check on the IDS instance).

Example usage (SERVICE_PORT is the TCP port of the service being monitored, IDS_IP_ADDRESS is the monitoring host on the same network segment). The TEE target lives in the xt_TEE kernel module and is only available in the mangle table.

# Clone inbound packets addressed to the service (seen before routing) to the IDS
$ sudo iptables -A PREROUTING -t mangle -p tcp --dport SERVICE_PORT -j TEE --gateway IDS_IP_ADDRESS
# Clone the service's outbound replies (seen after routing) to the IDS
$ sudo iptables -A POSTROUTING -t mangle -p tcp --sport SERVICE_PORT -j TEE --gateway IDS_IP_ADDRESS
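The following script is an added example, not code from the original post: it wraps the two TEE rules above in a dedicated mangle chain so they can be installed idempotently, checked with packet counters, and removed as a unit. The service port (3306), the IDS address (10.0.1.50) and the chain name MIRROR are hypothetical values; the script assumes the IDS is on the same subnet as the mirrored host.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Mirror one TCP service's traffic to an IDS with the iptables TEE target.
# Hypothetical values: the service listens on 3306 and the IDS is 10.0.1.50,
# directly reachable on the same subnet (TEE hands the clone to the gateway's
# link-layer address; it is not routed further).

CHAIN=MIRROR   # dedicated mangle chain, so the rules can be listed and removed as a unit

# Validate the inputs and print the match/target arguments for one port:
# one line for inbound packets (dport), one for the service's replies (sport).
mirror_rules() {
    ids=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "mirror_rules: port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "mirror_rules: port out of range: $port" >&2; return 1
    fi
    # TEE rejects 0.0.0.0 as a gateway, and an empty value would build a broken rule.
    case $ids in
        ''|0.0.0.0) echo "mirror_rules: invalid gateway: '$ids'" >&2; return 1 ;;
    esac
    printf '%s\n' "-p tcp --dport $port -j TEE --gateway $ids"
    printf '%s\n' "-p tcp --sport $port -j TEE --gateway $ids"
}

# True if the address is configured on this host (used to refuse installing on the IDS itself).
is_local_address() {
    ip -o -4 addr show 2>/dev/null | grep -q "inet $1/"
}

# Create the chain, hook it from PREROUTING/POSTROUTING and add the rules idempotently (needs root).
install_mirror() {
    ids=$1
    port=$2
    rules=$(mirror_rules "$ids" "$port") || return 1
    if is_local_address "$ids"; then
        echo "refusing to mirror to a local address ($ids)" >&2; return 1
    fi
    modprobe xt_TEE 2>/dev/null || true           # may be built into the kernel, so ignore failure
    iptables -t mangle -N "$CHAIN" 2>/dev/null || true
    for hook in PREROUTING POSTROUTING; do
        iptables -t mangle -C "$hook" -j "$CHAIN" 2>/dev/null ||
            iptables -t mangle -I "$hook" -j "$CHAIN"
    done
    echo "$rules" | while read -r args; do
        # $args is deliberately unquoted so it expands into separate arguments
        # shellcheck disable=SC2086
        iptables -t mangle -C "$CHAIN" $args 2>/dev/null ||
            iptables -t mangle -A "$CHAIN" $args
    done
}

# List the mirror rules with packet/byte counters; rising counters confirm clones are being sent.
status_mirror() {
    iptables -t mangle -L "$CHAIN" -v -n
}

# Unhook, flush and delete the chain.
remove_mirror() {
    for hook in PREROUTING POSTROUTING; do
        iptables -t mangle -D "$hook" -j "$CHAIN" 2>/dev/null || true
    done
    iptables -t mangle -F "$CHAIN" 2>/dev/null || true
    iptables -t mangle -X "$CHAIN" 2>/dev/null || true
}

case ${1:-} in
    install) install_mirror "${2:-10.0.1.50}" "${3:-3306}" ;;
    status)  status_mirror ;;
    remove)  remove_mirror ;;
esac
```

Run it as root with "install", check with "status" (the counters on both rules should grow while the service is in use), and clean up with "remove". Because the clones carry the original destination address, the IDS host must not have IP forwarding enabled: with ip_forward set, it would forward every clone on to the real destination and the service would receive duplicate segments.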

Useful links.

A Deep Dive into Iptables and Netfilter Architecture

MySQL Network Traffic Analysis