Running IMSpector on a Different Computer than your Gateway/Proxy

Disclaimer: I would look closely at these suggestions I am going to give and make sure they will work for your network before implementing them. I have not tested this. I am curious to hear your results, however.

So, you want to have the gateway and the IMSpector machine be different computers? IMSpector needs to know the destination IP address and port in order to figure out what sort of IM packet it is dealing with. Usually, with the iptables REDIRECT rule, this is not a problem, since IMSpector can still get that information when the packet is redirected to localhost. However, if you want the IMSpector server and the gateway/router to be different machines, you'll have to implement some changes.

In the following examples, 192.168.5.2 is the gateway of your LAN and 192.168.5.3 is the IMSpector server. We also only go over port 1863 (the MSN protocol port), but the same idea can apply to any port.

On the gateway (192.168.5.2), you'll need an iptables rule that looks something like the following:

  *mangle
  -A PREROUTING -i eth0 -p tcp ! -s 192.168.5.3 --dport 1863 -j MARK --set-mark 3

This takes (almost) any packet coming into eth0 that is directed to destination port 1863 and just puts a mark on it (in this example, a mark of 3). This happens before the gateway does any routing (thus it's the PREROUTING chain). The rule lives in the mangle table rather than nat, because the nat PREROUTING chain only sees the first packet of each connection, and every packet of the flow needs the mark for the routing step below to apply. I'll explain the source exception later.

Now that we've done that, we're going to make the gateway route these packets in a special manner. You can type these into the command line, but they'll be forgotten with a reboot. You'll have to put them into something like /etc/rc.local in order to execute them when the computer turns on.

  ip route add default via 192.168.5.3 dev eth0 table 3
  ip route add 192.168.5.0/24 dev eth0 scope link src 192.168.5.2 table 3
  ip rule add fwmark 3 table 3 priority 300

I can't really get into all the IP routing details because that can fill entire books. However, this is basically what those three lines do.

First, we start adding routing entries to table 3. I chose table 3 arbitrarily, just to match my iptables mark of 3. Anyway, the first line just says: if you don't know what else to do with a packet, the default is to forward it on to 192.168.5.3 out of eth0. [Side note: Remember that this is table 3, so you aren't messing with your "main" table, which is table 254. You may want to try "ip route show table 3" and "ip route show table 254".]

Okay, the next line is saying: if I have a packet that is destined for 192.168.5.0/24, then send it out eth0 directly, not via any gateway (it's your local subnet). We put this route in there in case your clients want to connect to a computer in your local subnet, but they happen to be connecting to port 1863. Rather than sending it to the IMSpector machine, the gateway helps them find their way back to the right computer. [A good client would probably not send it to the gateway anyway, unless its subnet mask was set incorrectly.]

The ip rule line says: if I get a packet that is marked by the firewall (iptables) with a 3, look it up in table 3. This rule has a priority of 300. [Lower numbered rules get evaluated first. You just want this to be before rule 32766, which is the rule that says to use the "main" table. See "ip rule show".]

Now the gateway routing tables will take all the packets destined for port 1863 and send them over to the IMSpector machine. This means they go through the filter FORWARD chain of iptables before they leave the gateway. So you'll need to allow those packets to be forwarded, possibly with a rule like this:

  *filter
  -A FORWARD -i eth0 -o eth0 -p tcp --dport 1863 -j ACCEPT

The packets initially came in on eth0, and they will be leaving on eth0 as well. The destination port should still match 1863. If this is the case, go ahead and forward the packet.

So now the setup on the gateway machine is done. It gets packets and routes them to the IMSpector machine.
Because it is routing, the source and destination IP and port stay the same. It just rewrites the destination MAC address (layer 2) and sends it to the IMSpector machine.

Now, on the IMSpector server, you'll need the basic rule as described in the documentation:

  *nat
  -A PREROUTING -i eth0 -p tcp --dport 1863 -j REDIRECT --to-port 16667

Set up IMSpector to listen on port 16667. It'll get the REDIRECTed packet, but still be able to see the original source IP, destination IP, and respective ports. It'll send them on to their destination after doing its thing. Chances are that the IMSpector server uses the same gateway as the client machines. That's why we had the exception in the very first iptables rule to tell it not to MARK packets from the IMSpector IP: it needs to be able to get out to the outside world.

I know this is long and you may think we're done, but we've actually only considered half of the picture: packets going out. What happens when a packet comes back in? Will it go straight to the client, or will it somehow get to the IMSpector server? Well, as far as I can tell, the way IMSpector works is that it will actually open up a new connection from itself and send the packet on to its destination. This means that the gateway and any NAT devices along the way will actually return the packet back to the IMSpector server, which will send it back to the client. So everything should work, right? Well, yes. I just wanted to point out that with routing, you've always got to consider both incoming and outgoing separately or chances are you'll miss something.

Note that the packets coming back to the IMSpector server will get relayed directly to the client machine; that is, they don't go back through the gateway again, because the IMSpector machine is going to realize that it can talk directly to the clients. (This assumes that the IMSpector machine is on the same subnet as the clients.)

Okay, we're done.
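The gateway-side and server-side steps above, collected into one script as an added example (this is not code from the original page or from the IMSpector project). It generalizes the page's single port 1863 to a list of IM ports, and before touching anything it checks that the LAN subnet you give for the policy-routing table actually contains the gateway address, since a mistyped subnet there silently sends LAN-local traffic on those ports to the IMSpector box instead of its real destination. The addresses are the page's example values; PORTS, MARK, TABLE, IMSPECTOR_PORT and the DRY_RUN switch are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: applies the gateway-side and
# IMSpector-side rules for a list of IM ports, and refuses to run if the LAN
# subnet used for the policy-routing table does not contain the gateway
# address.  Addresses are the page's example values; PORTS, MARK, TABLE,
# IMSPECTOR_PORT and DRY_RUN are assumptions of this script.
# Run as root on the relevant box; DRY_RUN=1 only prints the commands.

GATEWAY_IP=${GATEWAY_IP:-192.168.5.2}
IMSPECTOR_IP=${IMSPECTOR_IP:-192.168.5.3}
LAN_CIDR=${LAN_CIDR:-192.168.5.0/24}
LAN_IF=${LAN_IF:-eth0}
PORTS=${PORTS:-"1863 5190 5222"}     # MSN, AIM/ICQ, XMPP (constructed list)
MARK=${MARK:-3}
TABLE=${TABLE:-3}
IMSPECTOR_PORT=${IMSPECTOR_PORT:-16667}

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Dotted-quad IPv4 address -> 32-bit integer.  The body runs in a subshell so
# the IFS change does not leak into the caller.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeed (exit 0) if address $1 lies inside CIDR $2, e.g. 192.168.5.0/24.
in_subnet() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Gateway (192.168.5.2 in the page's example): mark IM traffic, route marked
# packets to IMSpector through table $TABLE, and allow the hairpin forward.
gateway_rules() {
    if ! in_subnet "$GATEWAY_IP" "$LAN_CIDR"; then
        echo "gateway $GATEWAY_IP is not inside $LAN_CIDR; check LAN_CIDR" >&2
        return 1
    fi
    for p in $PORTS; do
        # mangle, not nat: nat PREROUTING only sees a connection's first packet.
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp \
            ! -s "$IMSPECTOR_IP" --dport "$p" -j MARK --set-mark "$MARK"
        # Packets arrive on and leave through the same LAN interface.
        run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp \
            --dport "$p" -j ACCEPT
    done
    # "replace" keeps the two routes idempotent when rc.local runs again.
    run ip route replace default via "$IMSPECTOR_IP" dev "$LAN_IF" table "$TABLE"
    run ip route replace "$LAN_CIDR" dev "$LAN_IF" scope link \
        src "$GATEWAY_IP" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE" priority 300
}

# IMSpector server (192.168.5.3): REDIRECT the routed traffic to the listener.
imspector_rules() {
    for p in $PORTS; do
        run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp \
            --dport "$p" -j REDIRECT --to-port "$IMSPECTOR_PORT"
    done
}

case "${1:-}" in
    gateway)   gateway_rules ;;
    imspector) imspector_rules ;;
esac
```

Run it as `sh imspector-routing.sh gateway` on the gateway and `sh imspector-routing.sh imspector` on the IMSpector box, with `DRY_RUN=1` set first to review the exact commands. The two routes use `ip route replace` so the script can be rerun from rc.local without errors; `ip rule add` still adds a duplicate entry on each rerun, so check `ip rule show` before running it a second time.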
This was probably entirely too long, but I just figured I'd explain everything that was happening instead of just saying what to do.

------

I hope this helps someone. Let me know if there are errors above.

-W Gillespie (wgillespie, es2eng.com)
Last updated: 9/18/2008