How to handle mirrored(duplicated) iptables traffic after TEE?

user3284527 · Feb 7, 2014 · Viewed 7.3k times

I have a question about mirroring iptables traffic with the TEE option. The main goal is to copy all traffic for a service on server A (port 1935) to the same service running on server B on the same port (port 1935). For example: if I start streaming video to 192.168.0.200:1935, the video should be on both servers (on 192.168.0.201:1935 and on 192.168.0.200:1935). Google pointed me to the iptables TEE option. I tried to use it on Ubuntu: SERV A - 192.168.0.200, SERV B - 192.168.0.201

On SERV A (192.168.0.200) I added mirroring for incoming traffic on port 1935:

root@ubuntu_200:~# iptables -t mangle -A PREROUTING -p tcp --dport 1935 -d 192.168.0.200 -j TEE --gateway 192.168.0.201

And now I get all the packets on the SERV B (192.168.0.201) interface.

root@ubuntu_201:~# tcpdump 'tcp port 1935'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:14:47.503241 IP 192.168.0.10.49984 > 192.168.0.200.1935: Flags [S], seq 3961116317, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:14:47.503258 IP 192.168.0.10.49985 > 192.168.0.200.1935: Flags [S], seq 1849647427, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:14:47.752702 IP 192.168.0.10.49986 > 192.168.0.200.1935: Flags [S], seq 3102326921, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:14:47.999309 IP 192.168.0.10.49984 > 192.168.0.200.1935: Flags [S], seq 3961116317, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:14:48.008983 IP 192.168.0.10.49985 > 192.168.0.200.1935: Flags [S], seq 1849647427, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:14:48.253066 IP 192.168.0.10.49986 > 192.168.0.200.1935: Flags [S], seq 3102326921, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:14:48.499660 IP 192.168.0.10.49984 > 192.168.0.200.1935: Flags [S], seq 3961116317, win 8192, options [mss 1460,nop,nop,sackOK], length 0
18:14:48.508964 IP 192.168.0.10.49985 > 192.168.0.200.1935: Flags [S], seq 1849647427, win 8192, options [mss 1460,nop,nop,sackOK], length 0
18:14:48.751863 IP 192.168.0.10.49986 > 192.168.0.200.1935: Flags [S], seq 3102326921, win 8192, options [mss 1460,nop,nop,sackOK], length 0

As you can see, I get all the traffic on the second server's interface, but with the destination IP of SERV A (192.168.0.200). Now I need to route this traffic to my service on port 1935. I tried adding a rule on SERV B:

iptables -t nat -A PREROUTING -p tcp --dport 1935 -d 192.168.0.200 -j DNAT --to-destination 192.168.0.201:1935  

I also tried Redirect and Forward, but couldn't make it work properly... No video on SERV B port 1935.

Could somebody point me in the right direction? As I mentioned earlier: I need to see the video stream on both servers on port 1935. Publishing is only on SERV A, but the video should be on both. Any suggestions would be appreciated. Thank you.

Answer

Kimel · Apr 9, 2014

I think it is impossible to do it this way.

It seems that you are using TEE for TCP traffic.

TCP is a stateful protocol (unlike UDP); it requires the user's end computer to be involved in every step of the connection, and it will not work with two separate clients trying to communicate with one server.

Some alternatives:

  1. Use UDP streaming instead (of course, you'll have to change the server, the client and the iptables rule).
  2. Use some kind of TCP proxy which on one side accepts the TCP video stream (or transparently intercepts it) and on the other side opens 2 (or more) different TCP sessions to multiple clients. Maybe this can help: https://github.com/agnoster/duplicator
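A minimal fan-out proxy of the kind alternative 2 describes, added here as an illustration; it is neither the answer author's code nor the duplicator project's. It accepts one publisher connection and opens a separate TCP session to each backend, forwarding the primary backend's replies to the publisher and discarding the others, which is exactly what a TEE'd packet copy cannot do because only one peer can complete the handshake. The loopback listen address, the two sink backends and the payload in demo() are constructed for the self-test.

```python
import asyncio

async def _copy(reader, writers):
    """Copy bytes from reader to every writer until EOF (no writers = drain and discard)."""
    while chunk := await reader.read(65536):
        for w in writers:
            w.write(chunk)
        await asyncio.gather(*(w.drain() for w in writers))

async def fanout_session(client_reader, client_writer, backends):
    """One publisher connection: replicate its bytes to every backend over separate TCP sessions."""
    conns = await asyncio.gather(*(asyncio.open_connection(h, p) for h, p in backends))
    backend_writers = [w for _, w in conns]
    upstream = asyncio.create_task(_copy(client_reader, backend_writers))
    side = [asyncio.create_task(_copy(conns[0][0], [client_writer]))]  # primary replies reach client
    side += [asyncio.create_task(_copy(r, [])) for r, _ in conns[1:]]  # secondary replies discarded
    await upstream  # publisher sent EOF
    for w in backend_writers + [client_writer]:
        w.close()
    for t in side:
        t.cancel()

async def serve_fanout(listen_port, backends):  # backends: [(host, port), ...]
    return await asyncio.start_server(
        lambda r, w: fanout_session(r, w, backends), "127.0.0.1", listen_port)

async def _demo(payload):
    received, done = [bytearray(), bytearray()], [asyncio.Event(), asyncio.Event()]
    def sink(i):  # constructed backend for the self-test: records everything it receives
        async def handler(reader, writer):
            while chunk := await reader.read(65536):
                received[i].extend(chunk)
            done[i].set()
        return handler
    sinks = [await asyncio.start_server(sink(i), "127.0.0.1", 0) for i in range(2)]
    proxy = await serve_fanout(0, [s.sockets[0].getsockname()[:2] for s in sinks])
    _, writer = await asyncio.open_connection("127.0.0.1", proxy.sockets[0].getsockname()[1])
    writer.write(payload)
    await writer.drain()
    writer.write_eof()  # publisher finished
    await asyncio.gather(*(d.wait() for d in done))  # both sinks saw EOF
    writer.close()
    for s in sinks + [proxy]:
        s.close()
    return bytes(received[0]), bytes(received[1])

def demo(payload=b"constructed stream bytes"):
    """Self-test on loopback: returns what each of the two sink backends received."""
    return asyncio.run(_demo(payload))
```

For real use, point serve_fanout at the two streaming servers' port 1935 and have the publisher connect to the proxy instead of SERV A directly.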