Duplicate packets/traffic using IPTables
Scenario:
An endpoint (Kubuntu) transmits traffic to a Windows 10 x64 host (ICMP echo request and syslog); that traffic must be duplicated and transmitted to another Windows 11 test machine for further analysis (IPS, syslog, other).
A Debian 13 Linux box is the router responsible for forwarding and duplicating the traffic.
IP schema
Debian 13 router:
– LAN1: 192.168.88.1/24
– LAN2: 10.10.90.1/24
– LAN3: 10.10.88.1/24
Kubuntu endpoint:
– LAN1: 192.168.88.101/24
Windows 10 (original destination):
– LAN1: 10.10.90.2/24
Windows 11 (receives the duplicated traffic):
– LAN1: 10.10.88.2/24
Configuration on the Debian side is quite simple: the “mangle” table with the TEE target duplicates the traffic (I omitted the network configuration part):
iptables -t mangle -A PREROUTING -d 10.10.90.2 -j TEE --gateway 10.10.88.2
or, if someone prefers, the same rule via the iptables-persistent package.
Let’s generate some traffic on Kubuntu.
Verify on the mangle table that packets are passing the router and being duplicated:
root@debR:/home/adrian# iptables -vL -t mangle
Verify traffic on Windows 10 (10.10.90.2).
Verify traffic on Windows 11 (duplication) (10.10.88.2).
The duplicated traffic is seen on Windows 11 with the original destination address (10.10.90.2) unchanged.
A similar test can be performed for UDP syslog traffic:
W10
W11
We can be more specific and duplicate not the entire traffic but a specific flow, e.g. only syslog or only DNS, by adding protocol and port matches to the iptables mangle rule.
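As an added example (not code from the original post), the shell snippet below builds TEE rules for the topology above narrowed to single flows, and checks iptables-save output for an already loaded rule so the rule is not appended twice. The addresses are the post's; the ports (syslog 514, DNS 53) and the flow names are my assumptions.

```sh
#!/bin/sh
# Added example: per-flow TEE rules for the router above and an idempotency check.
WIN10=10.10.90.2      # original destination (Windows 10), from the post
ANALYZER=10.10.88.2   # where the copy is sent (Windows 11), from the post

# tee_rule PROTO [DPORT]: print one mangle/PREROUTING TEE rule for that flow.
# Without DPORT (e.g. icmp) the rule matches the whole protocol.
tee_rule() {
  proto=$1
  if [ $# -ge 2 ]; then
    match="-p $proto --dport $2"
  else
    match="-p $proto"
  fi
  printf 'iptables -t mangle -A PREROUTING -d %s %s -j TEE --gateway %s\n' \
    "$WIN10" "$match" "$ANALYZER"
}

# flow_rules NAME: rule set for a named flow; "all" reproduces the post's rule.
flow_rules() {
  case $1 in
    all)    printf 'iptables -t mangle -A PREROUTING -d %s -j TEE --gateway %s\n' \
              "$WIN10" "$ANALYZER" ;;
    syslog) tee_rule udp 514; tee_rule tcp 514 ;;   # assumed syslog ports
    dns)    tee_rule udp 53;  tee_rule tcp 53 ;;    # assumed DNS ports
    icmp)   tee_rule icmp ;;
    *)      echo "unknown flow: $1" >&2; return 1 ;;
  esac
}

# has_tee_rule PROTO: read iptables-save output on stdin and succeed if a TEE
# copy rule for PROTO towards WIN10 is already loaded (iptables-save adds /32).
has_tee_rule() {
  grep -F -- "-A PREROUTING -d $WIN10/32 -p $1 " | grep -qF -- "-j TEE --gateway $ANALYZER"
}

# Constructed sample of what `iptables-save -t mangle` prints once the UDP
# syslog rule is loaded (not captured from the post's router).
SAMPLE_SAVE='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.10.90.2/32 -p udp -m udp --dport 514 -j TEE --gateway 10.10.88.2
COMMIT'

# On the router: flow_rules syslog | sh
# then persist with: iptables-save > /etc/iptables/rules.v4 (iptables-persistent)
```

Piping the generated rules through `sh` applies them; the check function is meant to gate that, e.g. `iptables-save -t mangle | has_tee_rule udp || tee_rule udp 514 | sh`.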
dzbanek
07.10.2025