iptables MIRROR target
A while ago I wanted to make my iptables firewall a bit more active. During my searches I found the iptables MIRROR target, which takes a packet sent to your machine and returns the same packet to the machine it came from. So if someone scans your machine or tries an attack, he ends up scanning or even attacking his own machine. Sadly, the MIRROR target was dropped somewhere around Linux 2.5 for security concerns. Somewhere on the web I found the sources for a 2.5 kernel version and made them work with some 2.6 kernels.
I want to share this with the community now, so you can download the modified module sources on www.mygnu.de. To build the module, boot the kernel version you want to use the module with and unpack the archive. Afterwards run the compile.sh script and then the install.sh script.
Now you may use the MIRROR target in place of the REJECT or DROP target in the INPUT, FORWARD and PREROUTING chains, like this in your firewall script:
$IPTABLES -A INPUT -j MIRROR
Beware: the use of the MIRROR target may have strange results, e.g. if you want to connect to the iptables-protected machine, you may end up connecting to your local machine without noticing it. It may also use a lot of bandwidth. Worst case: if you have two machines using this module, they may end up playing ping-pong. So you have been warned: use with caution and at your own risk. For more information see: MIRROR target.
Downloads for the most recent kernel versions are below. Note on the version numbering: the 2.6.25 version works for kernels up to 2.6.27, and the 2.6.28 version also works for 2.6.29 and probably for future kernels. If you need a version for an older kernel, leave a comment; then I can check whether I have a module version archived for the kernel version you need.
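To make concrete what the target does to a packet, here is an added user-space model (example code written for this post, not the module's own sources): it mirrors a constructed IPv4/TCP packet by swapping the addresses and, as the comment thread asks about, the ports, and checks that the IP and TCP checksums still verify afterwards, since swapping words leaves a one's-complement sum unchanged. The packet bytes, the checksum helpers and the function names are all constructed for this example.

```c
/* Added user-space model of the MIRROR target (not the module's code):
 * swap IPv4 source/destination address and, for TCP/UDP, the ports, and
 * check that the one's-complement checksums still verify afterwards. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* RFC 1071 Internet checksum over buf, starting from seed; 0 = verifies. */
uint16_t inet_csum(const uint8_t *buf, size_t len, uint32_t seed) {
    uint32_t sum = seed;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    if (len & 1) sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP/UDP checksum including the IPv4 pseudo-header (addresses, proto, length). */
uint16_t l4_csum(const uint8_t *pkt, size_t len) {
    size_t ihl = (pkt[0] & 0x0f) * 4, l4len = len - ihl;
    uint32_t seed = 0;
    for (int i = 12; i < 20; i += 2) seed += (pkt[i] << 8) | pkt[i + 1];
    seed += pkt[9] + l4len;
    return inet_csum(pkt + ihl, l4len, seed);
}

/* Mirror in place; 0 on success, -1 if not IPv4. Checksums need no update:
 * swapping two words (or two addresses) leaves a one's-complement sum unchanged. */
int mirror_packet(uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4; uint8_t tmp[4];
    memcpy(tmp, pkt + 12, 4); memcpy(pkt + 12, pkt + 16, 4); memcpy(pkt + 16, tmp, 4);
    if ((pkt[9] == 6 || pkt[9] == 17) && len >= ihl + 4) { /* TCP or UDP */
        uint8_t *l4 = pkt + ihl;
        memcpy(tmp, l4, 2); memcpy(l4, l4 + 2, 2); memcpy(l4 + 2, tmp, 2);
    }
    return 0;
}

/* Constructed sample: IPv4 + TCP SYN 10.0.0.1:40000 -> 10.0.0.2:22, checksums filled in. */
size_t build_sample(uint8_t *pkt) {
    static const uint8_t tmpl[40] = {
        0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        10, 0, 0, 1, 10, 0, 0, 2, 0x9c, 0x40, 0x00, 0x16, 0, 0, 0, 1,
        0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 };
    memcpy(pkt, tmpl, 40);
    uint16_t c = inet_csum(pkt, 20, 0); pkt[10] = c >> 8; pkt[11] = c & 0xff;
    c = l4_csum(pkt, 40); pkt[36] = c >> 8; pkt[37] = c & 0xff;
    return 40;
}
```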
Addon: The 2.6.28 version also works for 2.6.30 kernels.
These versions do not work with 2.6.31 kernels. See iptables mirror target for kernel version 2.6.31 or iptables mirror target for kernel version 2.6.35 for the newer ones.
regards
Jürgen
April 18th, 2009 at 10:48 pm
I have already seen it somewhere…
April 19th, 2009 at 12:25 am
Of course you did… I never claimed it to be my work. As I wrote in the post, the mirror target was part of older iptables releases. I only made it work with newer kernels.
May 4th, 2009 at 7:35 pm
any updates coming ?
May 5th, 2009 at 8:25 am
What updates do you need? The last known working kernel for the mirror target is 2.6.29. 2.6.30 may work, I did not try, since 2.6.30 is not released yet, but chances are good…
May 5th, 2009 at 5:18 pm
hm. informative 🙂
May 20th, 2009 at 8:55 pm
Hello mithrandir,
Can your modification modify the ports too? I need that, beyond the source to destination IP address change, it also changes the source and destination ports, i.e. does the same with the UDP/TCP ports as with the IP address.
Thanks
Renato
May 21st, 2009 at 2:21 am
Hello Renato,
This should be possible. I think to achieve it one has to extend the ip_rewrite function. Currently it only exchanges source and destination address. Now you'll not only have to edit the network layer but also the transport layer of the packets to change the ports. You'll have to modify the TCP header (skb->th) for TCP packets and the UDP header (skb->uh) for UDP packets. Both have an attribute source and an attribute dest. These are the source and destination port.
You may try this:
—————————-
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
…
/* after swapping saddr/daddr: locate the transport header behind the IP
 * header (ip_hdr() exists since 2.6.22) and swap the ports the same way */
struct iphdr *iph = ip_hdr(skb);
struct tcphdr *th = NULL;
struct udphdr *uh = NULL;
__be16 sport; /* ports are 16 bit, network byte order */

if (iph->protocol == IPPROTO_TCP)
	th = (struct tcphdr *)((u8 *)iph + iph->ihl * 4);
else if (iph->protocol == IPPROTO_UDP)
	uh = (struct udphdr *)((u8 *)iph + iph->ihl * 4);

/* no checksum update needed: swapping two 16-bit words leaves the
 * one's-complement sum unchanged */
if (th != NULL) {
	sport = th->source;
	th->source = th->dest;
	th->dest = sport;
}
if (uh != NULL) {
	sport = uh->source;
	uh->source = uh->dest;
	uh->dest = sport;
}
—————————-
I have not tested this code, so it may crash your system or not even compile, but it should work somehow this way. What do you need this modification for? I can't imagine any use case for it, since on the port we send the packet to, no process should be expecting the packet. In this case it will just be dropped.
regards
mithrandir
October 5th, 2009 at 12:16 am
[…] the iptables mirror target I published here does not work anymore with the 2.6.31 kernel. A newer version will be available soon on […]
October 9th, 2009 at 12:56 pm
[…] iptables mirror target I published here does not work anymore with kernel version 2.6.31. You can download the newer version for 2.6.31 and […]
June 12th, 2010 at 12:28 pm
It can't compile on 2.6.32.22 Ubuntu server.
June 12th, 2010 at 1:39 pm
Which version of the mirror target did you try and what is the error you get?
December 3rd, 2010 at 5:06 pm
Do you have a copy for kernel 2.6.9-89.0.29?
December 3rd, 2010 at 7:03 pm
[…] iptables mirror target I published here and here does not work anymore with kernel version 2.6.35. You can download the newer version for […]
December 3rd, 2010 at 7:06 pm
Hi Darryl,
The oldest I could find on my hard disk was for 2.6.13. I added it to the downloads. Just try it out. Maybe it also works for 2.6.9.
Cheers
Jürgen