Persianov on Security

Security research and investigations

Traffic mirroring setup on OpenWRT device

This simple tutorial describes how to configure traffic mirroring on your OpenWRT-capable router (using iptables) and send the mirrored traffic to a Snort IDS. Having an IDS running in your local network can sometimes help you find infected machines connected to it, as well as LAN attacks that can lead to session hijacking, man-in-the-middle attacks and other nasty things.

First of all you need an OpenWRT-compatible router (see the official list) with a freshly installed distribution. In this tutorial I’m using a TP-Link TL-WR841ND with 14.07 Barrier Breaker (see screenshot below).

Traffic mirroring. Barrier Breaker 14.07

Use SSH to connect to your network device and install the iptables-mod-tee package:

# Update the list of available packages
opkg update
# Check package availability
opkg list | grep "mod-tee"
# Install iptables-mod-tee package
opkg install iptables-mod-tee

# Check if package installed successfully
opkg list-installed | grep "mod-tee"

After the installation, you should have the kmod-ipt-tee package installed automatically as a dependency (see screenshot below):

Traffic mirroring. iptables-mod-tee installed successfully

Troubleshooting: A lot of tutorials do not mention the error you can get when trying to add an iptables rule right after the installation. Let’s try to run the following command:

# Add rule to mangle table in POSTROUTING chain
iptables -t mangle -A POSTROUTING ! -s 192.168.1.0/24 -j TEE --gateway 192.168.1.120

Most of the time it will result in an error (see screenshot below).

Most common error

Because the TEE target is implemented by a kernel module (the kmod-ipt-tee dependency installed above), that module has to be loaded before you can use the target. So, let’s load our newly installed module, xt_TEE:

modprobe xt_TEE

If that doesn’t work, just reboot the device (run: reboot). Now we are ready to add the iptables rules so that traffic mirroring works like a charm.

As you probably know, there are 5 tables in iptables:

  1. NAT table – used for network address translation (e.g. port forwarding);
  2. RAW table – used for configuring packets so that they are exempt from connection tracking;
  3. FILTER table – the default table, where all actions associated with the firewall typically take place;
  4. SECURITY table – used for Mandatory Access Control (SELinux makes use of it);
  5. MANGLE table – used for packet alteration actions (e.g. cloning);

The table we need is MANGLE. It allows us to modify packets going through our router, or in our case, just to clone them. I used the following two rules to implement traffic mirroring:

iptables -t mangle -A PREROUTING -d 192.168.1.0/24 -j TEE --gateway 192.168.1.120
iptables -t mangle -A POSTROUTING ! -s 192.168.1.0/24 -j TEE --gateway 192.168.1.120

Make sure you substitute 192.168.1.0/24 and 192.168.1.120 with the correct network address and the address of the host to which all traffic is mirrored. In my case, I have a separate Raspberry Pi connected with the IP address 192.168.1.120, running the Snort daemon.
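As an added example (not part of the original post), the whole setup above gathered into one re-runnable script for the router: it validates the network and sensor address (rejecting a prefix such as /100, which comes up in the comments), loads xt_TEE if it is missing, and adds each rule only when it is not already present, so running the script twice does not stack duplicate TEE rules. LAN_NET and SENSOR_IP default to the post’s values and are meant to be overridden; the shell functions and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent TEE mirroring setup
# for an OpenWRT router. Network and sensor address are assumptions; edit them.
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # network under observation
SENSOR_IP="${SENSOR_IP:-192.168.1.120}"  # host running Snort

# Validate a dotted-quad IPv4 address (four octets, each 0-255).
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Validate an IPv4 CIDR; a prefix length above 32 (e.g. /100) is rejected.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" || return 1
    p="${1#*/}"
    echo "$p" | grep -Eq '^[0-9]{1,2}$' && [ "$p" -le 32 ]
}

# Print the two mangle-table rule specs from the post, one per line,
# without the leading "iptables -t mangle -A".
tee_rule_specs() {
    valid_cidr "$1" && valid_ipv4 "$2" || {
        echo "bad network ($1) or sensor address ($2)" >&2; return 1; }
    # PREROUTING: incoming packets whose destination is inside the LAN
    echo "PREROUTING -d $1 -j TEE --gateway $2"
    # POSTROUTING: outgoing packets whose source is NOT inside the LAN
    echo "POSTROUTING ! -s $1 -j TEE --gateway $2"
}

# Load xt_TEE if it is not loaded yet, then add each rule only if
# "iptables -C" says it does not exist already (no duplicates on re-run).
apply_tee_rules() {
    lsmod | grep -q '^xt_TEE' || modprobe xt_TEE || return 1
    tee_rule_specs "$LAN_NET" "$SENSOR_IP" | while read -r spec; do
        # word-splitting $spec into separate iptables arguments is intended
        iptables -t mangle -C $spec 2>/dev/null || iptables -t mangle -A $spec
    done
}

if [ "${1:-}" = "--apply" ]; then apply_tee_rules; fi
```

Run it as `sh mirror.sh --apply` on the router; without `--apply` it only defines the functions, so you can source it and call `tee_rule_specs` to preview the rules.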

That’s all, folks: now you are able to get all your router’s traffic. Aloha 😉

12 Responses to Traffic mirroring setup on OpenWRT device

  1. Jeroen says:

    Just what I was looking for. Thx a lot dude.

  2. Sean says:

    Very minor typo in your ssh command example … “mode” vs “mod”:

    # Check package availability
    opkg list | grep "mode-tee"
    # Install iptables-mod-tee package
    opkg install iptables-mode-tee

    When that should be:

    # Check package availability
    opkg list | grep "mod-tee"
    # Install iptables-mod-tee package
    opkg install iptables-mod-tee

    Otherwise, great info. Thanks !!

  3. w4rdad says:

    Is it just me or is iptables-mod-tee not available anymore? I can’t find it :S

  4. David says:

    I’m just wondering, the ! before the -s filter inverts the filter, right?

    Aren’t you saying match every source except 192.168.1.0/24? The filter seems to still redirect every packet for me, so it’s probably right... But how does the rule work? Why do you need to invert the filter?

  5. Michel says:

    Hello, Sveatoslav, and thank you for sharing.

    I have a few questions:

    1. Why using PREROUTING for the network under observation as destination
    2. Why using POSTROUTING when the network is NOT the source
    3. Apart from the choice of POST vs PRE ROUTING, why using the “not” the network as source (should it not be the network as source to catch all traffic, in and out?)?

    Thanks for any explanation and I hope I have made myself clear enough.

    Thanks again for the share.

  6. Sander says:

    Hello Sveat,

    Great and clear guide, but I still have a few questions. In my situation I have two OpenWRT routers, except one only functions as a dumb access point. My routers are running on 192.168.1.1 (Main router) and 192.168.1.2 (Dumb AP). The DHCP leases are from 192.168.1.50 until 192.168.1.100. I am also planning to run a Raspberry Pi with snort on 192.168.1.150.

    Does this mean my rules should look like this:
    iptables -t mangle -A PREROUTING -d 192.168.1.0/100 -j TEE --gateway 192.168.1.150
    iptables -t mangle -A POSTROUTING ! -s 192.168.1.0/100 -j TEE --gateway 192.168.1.150

    With this I want to monitor all the traffic from WAN and LAN.

    Sander

    • Sveatoslav says:

      Hey Sander,

      Glad that you found this tutorial helpful! Where is your DHCP running? I assume it is on the AP and that all devices are connected only via that AP. I can think of several ways to achieve traffic mirroring in your situation. Let’s say the only 2 devices connected physically to the Main Router (192.168.1.1) are your AP (192.168.1.2) and Raspberry Pi (192.168.1.150), both with static IP reservation. Also, I assume that the DHCP server is running on the AP (giving IP addresses in the 192.168.1.50-100 range).
      In this case, your AP and Raspberry PI should see each other on local network (try to ping one from another) and you have to configure traffic mirroring only on your AP.
      Something like:

      iptables -t mangle -A PREROUTING -d 192.168.1.0/24 -j TEE --gateway 192.168.1.150
      iptables -t mangle -A POSTROUTING ! -s 192.168.1.0/24 -j TEE --gateway 192.168.1.150

      In case you are planning to connect other devices directly to your Main Router and mirror their traffic as well as the AP’s traffic, then I would say you also need to add some iptables rules on 192.168.1.1 too.
      Something like this I think should work for you (didn’t test it tho):
      iptables -A PREROUTING -t mangle -i #interface_to_mirror_traffic_from# -j TEE --gateway 192.168.1.150
      iptables -A POSTROUTING -t mangle -o #interface_to_mirror_traffic_from# -j TEE --gateway 192.168.1.150

      Hopefully it helps 😉

      Cheers!
