I am trying to run snort on my home network but I don't have a switch that will mirror a port. Instead I have an Asus RT-N16 with Tomato (dd-wrt) on it. After hours of searching the only solution I found was here: http://www.snort.org/assets/182/snort-opensuse-vbox-ddwrt.txt
Basically they said to create these two iptables rules:
iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.20 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.1.20 --tee
The problem is that --gw isn't a valid flag.
Then I need to create a script that will check to see if the rule exists. If it does, delete the rule. If it doesn't, create the rule.
Should I grep iptables -L -v -n --line-n or should I grep iptables-save?
What would the correct iptables syntax be to emulate a promiscuous port to 192.168.1.20?
How can I create the script that will turn on the iptables rules if they don't exist, and delete them if they do?
Thanks,
Ryan
I did this a few months back on Tomato.
You need at least Tomato v1.24, which includes ipt_ROUTE. It is used to enable the -j ROUTE and --tee functionality.
and then add your iptables rules as you've mentioned above.
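An added example (not code from the thread) of the toggle script the question asks for, using the two rules above. It assumes the sensor address 192.168.1.20 from the question and that iptables-save prints the ipt_ROUTE target as "-j ROUTE --gw <ip> --tee"; the check is done against iptables-save output rather than "iptables -L", because -L prints a table without the target's options.

```shell
#!/bin/sh
# Toggle the two ipt_ROUTE "--tee" mirror rules that copy LAN traffic to an IDS host.
# Assumptions (not from the thread): the sensor is 192.168.1.20 as in the question,
# and iptables-save prints the target as "-j ROUTE --gw <ip> --tee".
SENSOR="${SENSOR:-192.168.1.20}"

# Regex-escape the dots in the sensor address so grep matches it literally.
sensor_pat() { printf '%s' "$SENSOR" | sed 's/\./\\./g'; }

# has_rule CHAIN SAVE_TEXT: exit 0 if CHAIN already holds the mirror rule.
# SAVE_TEXT is the output of "iptables-save -t mangle", passed in as an argument
# so the check can be exercised offline without touching the router.
has_rule() {
    printf '%s\n' "$2" | grep -q -- "^-A $1 .*-j ROUTE .*--gw $(sensor_pat) .*--tee"
}

# mirror_action CHAIN SAVE_TEXT: print -D when the rule exists (delete it), else -A (add it).
mirror_action() {
    if has_rule "$1" "$2"; then echo "-D"; else echo "-A"; fi
}

# toggle_mirror: read the live mangle table once, then flip both rules.
# Fails with an error from iptables if the build lacks ipt_ROUTE (the "--gw" problem
# described in the question).
toggle_mirror() {
    save=$(iptables-save -t mangle)
    for chain in PREROUTING POSTROUTING; do
        act=$(mirror_action "$chain" "$save")
        echo "iptables -t mangle $act $chain -j ROUTE --gw $SENSOR --tee"
        iptables -t mangle "$act" "$chain" -j ROUTE --gw "$SENSOR" --tee
    done
}

# Constructed sample of iptables-save output for offline checking:
# PREROUTING already has the rule, POSTROUTING does not.
SAMPLE_SAVE='*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j ROUTE --gw 192.168.1.20 --tee
COMMIT'

# Only change the live ruleset when run as "./mirror.sh apply".
if [ "${1:-}" = "apply" ]; then toggle_mirror; fi
```

Running it once adds both rules and running it again removes them, which is the on/off behaviour the question describes.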