
Re: active iptables update
On Wed, Feb 05, 2003 at 01:02:46PM -0800, Tom O'Toole wrote:
>On Mon, 3 Feb 2003, George Georgalis wrote:
>
>> I was thinking along these lines; forward malicious requests to some
>> ip on the 127.0.0.0/8 network where tcpdump would be listening ready
>> to trigger a script that inserts a new drop (or whatever) rule into
>> the iptables ruleset. I'm sure someone has worked out the details of a
>> function like this... Suggestions?
>
>Would a slight hack of xinetd be a good place to start, modded
>to run your 'server' (script) on all ports at that ip?


That sounds a bit awkward. At this point I think I'll use
iptables ULOG and limit functions along with "LaBrea"
http://www.hackbusters.net/LaBrea/ and its logging facility to
dynamically maintain the iptables ruleset (like hogwash).
I've been planning to post a summary of responses...

But at the moment I have a more pressing problem: while the
bridge _is_ bridging, I can't catch _any_ of the packets with
any iptables mangle, INPUT, OUTPUT or FORWARD tables... grr!

Crap. Now that I have my install image together and have
been struggling to make my bridge and iptables work together
I find this:

  http://lartc.org/howto/lartc.bridging.html#LARTC.BRIDGING.IPTABLES

  As of Linux 2.4.20, bridging and iptables do not 'see' each other
  without help. If you bridge packets from eth0 to eth1, they do not
  'pass' by iptables. This means that you cannot do filtering, or NAT or
  mangling or whatever. In Linux 2.5.45 and higher, this is fixed.

How stable is 2.5.45? Err, I'm looking for production. Can I patch
2.4.20, or should I use 2.4.19? Has anybody bookmarked relevant Linux
kernel discussions? Just now I couldn't find a relevant one.

I wonder if the problem applies to qdisc filters?

http://lartc.org/howto/lartc.qdisc.filters.html#LARTC.FILTERING.SIMPLE
9.6.2. All the filtering commands you will normally need

Is there a more complete doc for that somewhere?

Help!

// George
Here is my research for anyone using a non-2.4.20 kernel. Doh!

Basically what I'm doing is this...

    # Build the bridge from the two LAN-side interfaces (eth0 stays off the bridge)
    brctl addbr br0
    brctl addif br0 eth1
    brctl addif br0 eth2
    ip link set lo up
    ip link set br0 up
    ip link set eth0 up
    ip link set eth1 up
    ip link set eth2 up
    ip addr add 127.0.0.1/8 brd +       label lo    dev lo

    # $L expands to two words (target and option), so it must stay unquoted below
    L="LOG --log-level" # one of: debug, info, notice, warning, err, crit, alert, emerg
    A="ACCEPT"
    D="DROP"

    # Default policy: drop everything in the filter table
    i="iptables -P"
    $i INPUT $D ; $i FORWARD $D ; $i OUTPUT $D

    # One logging chain per direction for TCP; nothing is accepted here,
    # so the DROP policy still applies after the LOG rule
    i="iptables"
    $i -N IN_TCP
    $i -N OUT_TCP
    $i -N FORWARD_TCP
    $i -I INPUT   -p tcp  -j IN_TCP
    $i -I OUTPUT  -p tcp  -j OUT_TCP
    $i -I FORWARD -p tcp  -j FORWARD_TCP
    $i -A IN_TCP -j $L notice
    $i -A OUT_TCP -j $L notice
    $i -A FORWARD_TCP -j $L notice

    # mangle PREROUTING: log every packet per interface at emerg, then accept it
    $i -t mangle -P PREROUTING $D
    $i -t mangle -A PREROUTING -i eth0 -j $L emerg
    $i -t mangle -A PREROUTING -i eth1 -j $L emerg
    $i -t mangle -A PREROUTING -i eth2 -j $L emerg
    $i -t mangle -A PREROUTING -i eth0 -j ACCEPT
    $i -t mangle -A PREROUTING -i eth1 -j ACCEPT
    $i -t mangle -A PREROUTING -i eth2 -j ACCEPT
    $i -t mangle -A PREROUTING -j $A

    # Proxy ARP and IP forwarding
    echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
    echo 1 > /proc/sys/net/ipv4/ip_forward


The box is bridging. I have a laptop connected via crossover
to eth1 and a patch to a LAN switch from eth2, and the laptop
is doing an http transaction every 2 seconds, but nothing
ever shows up in the bridge logs.

I've been looking at these docs....


http://lartc.org/
Linux Advanced Routing & Traffic Control
http://lartc.org/howto/lartc.bridging.html
Building bridges, and pseudo-bridges with Proxy ARP
http://bridge.sourceforge.net/docs.html
http://bridge.sourceforge.net/docs/Firewalling for Free.pdf
Firewalling for Free, by Shawn Grimes.
http://www.sparkle-cc.co.uk/firewall/firewall.html
Implementing a Bridging Firewall By David Whitmarsh
http://www.pom.gr/ilisepe1/firewall_help.html#5
Transparent Firewall Bridging
http://plorf.net/linux-ip/html/ether-bridging.htm
Address Resolution Protocol and Bridging
-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george@galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 
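The message above sketches two things worth seeing in working form: the idea of having LOG/ULOG output from iptables drive new DROP rules automatically, and the question of whether bridged frames ever reach iptables at all. The script below is an added example, not code from this thread or from the LaBrea or hogwash projects. It assumes the kernel LOG target's line format (SRC=... DST=...), a hypothetical chain named AUTO_DROP that holds the generated rules, a made-up whitelist, and DRY_RUN=1 so that it prints the rules instead of running them and can be tried without root. The bridge_nf_status helper reads the bridge-nf-call-iptables sysctl that later kernels expose; on a kernel without bridge-netfilter support it simply reports "absent", which is the situation the message describes.

```shell
#!/bin/sh
# Added example (not from the original thread): turn iptables LOG lines into
# DROP rules, and check whether the kernel lets bridged frames hit iptables.
# Assumptions: LOG-target line format, hypothetical chain AUTO_DROP,
# constructed WHITELIST, DRY_RUN=1 prints instead of executing.

DRY_RUN=${DRY_RUN:-1}
BLOCK_CHAIN=${BLOCK_CHAIN:-AUTO_DROP}      # hypothetical chain for generated rules
WHITELIST="127.0.0.0/8 192.168.1.0/24"     # constructed: never auto-block these

# Constructed sample lines in the kernel's iptables LOG format.
SAMPLE_LOG='Feb  5 13:02:46 bridge kernel: IN=br0 OUT=br0 SRC=10.0.0.5 DST=192.168.1.2 LEN=60 PROTO=TCP SPT=3456 DPT=80 SYN
Feb  5 13:02:47 bridge kernel: IN=br0 OUT=br0 SRC=192.168.1.2 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=80 DPT=3456
Feb  5 13:02:48 bridge kernel: IN=br0 OUT=br0 SRC=10.0.0.5 DST=192.168.1.2 LEN=60 PROTO=TCP SPT=3457 DPT=22 SYN
Feb  5 13:02:49 bridge kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 PROTO=TCP SPT=5000 DPT=80'

# Print the SRC= address from one LOG line; prints nothing if the field is absent.
log_src() {
    printf '%s\n' "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p'
}

# Dotted-quad IPv4 address to a 32-bit integer, using shell arithmetic only.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: exit 0 when ADDR falls inside NET/PREFIX.
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Exit 0 when the address is inside any whitelisted network.
is_whitelisted() {
    for n in $WHITELIST; do
        in_cidr "$1" "$n" && return 0
    done
    return 1
}

# The command that would block one source; -I puts it ahead of existing rules.
drop_rule_for() {
    printf 'iptables -I %s -s %s -j DROP\n' "$BLOCK_CHAIN" "$1"
}

# Read LOG lines on stdin; emit (or run) one DROP rule per new, non-whitelisted source.
process_log() {
    seen=" "
    while IFS= read -r line; do
        src=$(log_src "$line")
        [ -n "$src" ] || continue
        is_whitelisted "$src" && continue
        case "$seen" in *" $src "*) continue ;; esac
        seen="$seen$src "
        cmd=$(drop_rule_for "$src")
        if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else $cmd; fi
    done
}

# bridge_nf_status [PATH]: print the bridge-nf-call-iptables sysctl value
# (1 means bridged frames traverse iptables) or "absent" if the kernel lacks it.
bridge_nf_status() {
    f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Stand-alone run: dry-run the sample log and report bridge-nf availability.
printf '%s\n' "$SAMPLE_LOG" | process_log
echo "bridge-nf-call-iptables: $(bridge_nf_status)"
```

Run against the constructed sample, only 10.0.0.5 produces a rule: 192.168.1.2 and 127.0.0.1 are whitelisted, and the second 10.0.0.5 line is deduplicated. The whitelist is the part that matters most in practice, since a log-driven blocker with no exclusions can cut off the management path on the first spoofed packet; pairing the LOG rules with the limit match, as the message plans, also keeps the script from being driven at wire speed. The dedupe is per run only, so a production version would also have to consult the live chain before inserting.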