Bower
January 23, 2024, 4:17pm
Hi all, I upgraded to the latest OpenWRT and I know IPTables has been deprecated. I had the following Iptables set up to mirror traffic to a local device running Suricata IDS. I was wondering if anyone had recommendations on how to convert these properly, do I do it in /etc/config/firewall? If so, are there other NFtables rules to include to get all traffic from WAN and all local traffic mirrored to the device running the IDS?
iptables -t mangle -A PREROUTING -i eth0.2 -s 0/0 -j TEE --gateway 192.168.1.237
iptables -t mangle -A POSTROUTING -s 192.168.1.0/24 -j TEE --gateway 192.168.1.237
Duplicate:
Hey all,
Trying to get into using nftables with the latest OpenWrt version.
I had been mirroring traffic from my router with OpenWrt via iptables to a VM running Suricata in promiscuous mode with these rules:
iptables-translate -i eth0 -t mangle -A PREROUTING -s 0/0 -j TEE --gateway 192.168.1.156
iptables-translate -t mangle -A POSTROUTING -s 192.168.0.0/24 -j TEE --gateway 192.168.1.156
And I used the iptables-convertor to convert the rules to the following:
define wan = eth0
chain prerou…
(Found while searching - then realized it's the same poster.)
iptables-translate and some re-jigging for the OpenWrt specifics got me to this, which should be pretty close:
add rule inet fw4 mangle_prerouting iifname "eth0.2" counter dup to 192.168.1.237
add rule inet fw4 mangle_postrouting ip saddr 192.168.1.0/24 counter dup to 192.168.1.237
You can put these in a .nft script and add an include to run it when the firewall restarts.
The rules are absolutely correct, but for some reason they cannot be added to a table of inet family.
root@MikroTik:~# nft add rule inet fw4 mangle_postrouting ip saddr 192.168.1.0/24 counter dup to 192.168.1.237
Error: unsupported family
add rule inet fw4 mangle_postrouting ip saddr 192.168.1.0/24 counter dup to 192.168.1.237
^^^^^^^^^^^^^^^^^^^^
The OP will have to create a separate (ip) table to make it work.
opkg update; opkg install kmod-nft-dup-inet
nft add table ip mirror
nft add chain ip mirror mangle_prerouting '{ type filter hook prerouting priority -150; }'
nft add rule mirror mangle_prerouting iifname "eth0.2" counter dup to 192.168.1.237
nft add chain ip mirror mangle_postrouting '{ type filter hook postrouting priority -150; }'
nft add rule mirror mangle_postrouting ip saddr 192.168.1.0/24 counter dup to 192.168.1.237
Bower
January 23, 2024, 6:20pm
So I add those all via those commands, I don't need to add this to /etc/config/firewall?
The config file doesn't accept the syntax for the command line. There's nothing to add.
Run the commands from the CLI first to verify that they do what you need.
If so, to make the settings permanent:
mkdir -p /usr/share/nftables.d/ruleset-pre/
cat << "EOF" > /usr/share/nftables.d/ruleset-pre/1-mirror.nft
table ip mirror
flush table ip mirror
table ip mirror {
    chain mangle_prerouting {
        type filter hook prerouting priority -150; policy accept;
        iifname "eth0.2" counter dup to 192.168.1.237
    }
    chain mangle_postrouting {
        type filter hook postrouting priority -150; policy accept;
        ip saddr 192.168.1.0/24 counter dup to 192.168.1.237
    }
}
EOF
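The answer above says to run the rules from the CLI first and verify that they do what you need. The quickest evidence is the counter on each dup rule: if one chain never counts a packet, the sensor is only seeing half of the traffic. The following POSIX shell check is an added example (not code from the thread or from OpenWrt) that parses the text output of `nft list table ip mirror` and reports whether both mangle chains have a dup rule aimed at the sensor that has already seen packets. The function names (`mirror_rules`, `mirror_ok`) and the `SAMPLE_DUMP` are constructed for this example; the sensor address 192.168.1.237 is the one used in the thread.

```shell
# Added example (not from the thread): verify that the ip "mirror" table is
# actually duplicating packets, by parsing the text output of
#     nft list table ip mirror
# On a router you would pipe the live output in:
#     nft list table ip mirror | mirror_ok 192.168.1.237 && echo OK
# The function names and SAMPLE_DUMP below are constructed for this example.

# Print one line "<chain> <packets> <dup-target>" per rule containing "dup to".
mirror_rules() {
    awk '
        /^[[:space:]]*chain[[:space:]]/ { chain = $2 }
        /dup to/ {
            pkts = 0; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "packets") pkts = $(i + 1)
                if ($i == "to")      target = $(i + 1)
            }
            print chain, pkts, target
        }'
}

# Exit 0 only when both mangle_prerouting and mangle_postrouting carry a dup
# rule aimed at the sensor given in $1 and each has already counted packets.
# A zero counter usually means that chain matches nothing yet (wrong interface
# name or wrong subnet), so the IDS would be missing that direction of traffic.
mirror_ok() {
    mirror_rules | awk -v sensor="$1" '
        $3 == sensor && $2 > 0 { seen[$1] = 1 }
        END {
            if (("mangle_prerouting" in seen) && ("mangle_postrouting" in seen)) exit 0
            exit 1
        }'
}

# Constructed dump in the format nft prints: prerouting has seen traffic,
# postrouting has not, so the check below reports the mirror as incomplete.
SAMPLE_DUMP='table ip mirror {
    chain mangle_prerouting {
        type filter hook prerouting priority -150; policy accept;
        iifname "eth0.2" counter packets 1234 bytes 567890 dup to 192.168.1.237
    }
    chain mangle_postrouting {
        type filter hook postrouting priority -150; policy accept;
        ip saddr 192.168.1.0/24 counter packets 0 bytes 0 dup to 192.168.1.237
    }
}'

if printf '%s\n' "$SAMPLE_DUMP" | mirror_ok 192.168.1.237; then
    echo "mirror: both chains are duplicating to 192.168.1.237"
else
    echo "mirror: incomplete, per-rule counters:"
    printf '%s\n' "$SAMPLE_DUMP" | mirror_rules
fi
```

On the router, run the check once, generate some LAN and WAN traffic, and run it again; both counters should have moved. It only inspects the nft side, so a sensor that is still not seeing packets after both counters increase points at the path to the sensor (its interface or promiscuous mode) rather than at the rules.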
Bower
January 24, 2024, 3:13pm
Should I do mangle_prerouting iifname "eth0.2" or for my broadcast IP/24? Just wondering because I have had issues getting all traffic properly mirrored in the past.