Is this a proper configuration for IPTables pre/postrouting mangle?
by jorjor242 from LinuxQuestions.org on (#6CYEY)
I have IPtables written to mirror traffic from a router running OpenWRT 19.07 to a VM running Suricata IDS:
iptables -t mangle -A PREROUTING -d 192.168.0.0/24 -j TEE --gateway 192.168.1.156
iptables -t mangle -A POSTROUTING ! -s 192.168.0.0/24 -j TEE --gateway 192.168.1.156
The VM is set to promiscuous mode. I am seeing traffic from other devices onto the VM in TCPDUMP but I am not getting Suricata to generate alerts based on network devices (curl -A "BlackSun" www.google.com) so I am wondering if the IPtables rules are wrong...
thanks!
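An added example, not code from the original post: an offline sanity check for TEE mirror rules. TEE hands each cloned packet to the next hop for the --gateway address, so the IDS only receives copies when that address is on a subnet the router is directly attached to; the rule text below is the poster's, while the attached-subnet list is an assumed placeholder to be replaced with the router's real routes.

```shell
# Added example (not from the original post). Checks iptables-save style
# mangle rules for TEE targets whose --gateway is not on any directly
# attached subnet. ATTACHED_SUBNETS is an assumption (placeholder values).

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR CIDR: succeeds when ADDR lies inside CIDR.
ip_in_cidr() {
    ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# check_tee_rules RULES SUBNETS: RULES is iptables-save style text for the
# mangle table, SUBNETS a space-separated list of directly attached CIDRs.
# Reports each TEE rule; succeeds only if PREROUTING and POSTROUTING both
# mirror to a reachable gateway (so both traffic directions reach the IDS).
check_tee_rules() {
    rules=$1; subnets=$2; pre=0; post=0
    oldifs=$IFS; IFS='
'
    for line in $rules; do
        IFS=$oldifs
        case $line in *"-j TEE"*) ;; *) continue ;; esac
        chain=${line#-A }; chain=${chain%% *}
        gw=${line##*--gateway }; gw=${gw%% *}
        reachable=1
        for s in $subnets; do ip_in_cidr "$gw" "$s" && reachable=0 && break; done
        if [ "$reachable" -eq 0 ]; then
            echo "$chain: TEE gateway $gw is on an attached subnet"
            case $chain in PREROUTING) pre=1 ;; POSTROUTING) post=1 ;; esac
        else
            echo "$chain: TEE gateway $gw is on no attached subnet; copies will not reach the IDS"
        fi
    done
    IFS=$oldifs
    [ "$pre" -eq 1 ] && [ "$post" -eq 1 ]
}

# Constructed input: the two rules from the post, plus assumed attached subnets.
MANGLE_RULES='-A PREROUTING -d 192.168.0.0/24 -j TEE --gateway 192.168.1.156
-A POSTROUTING ! -s 192.168.0.0/24 -j TEE --gateway 192.168.1.156'
ATTACHED_SUBNETS='192.168.0.0/24 192.168.1.0/24'   # placeholder; compare with: ip -4 route
check_tee_rules "$MANGLE_RULES" "$ATTACHED_SUBNETS"
```

On the router itself the rule text comes from `iptables -t mangle -S` and the subnets from `ip -4 route`; a gateway reported as unreachable explains an IDS that sees nothing even though the rules are installed.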