[olug] iptables fun

Vincent vraffensberger at home.com
Tue May 15 06:00:25 UTC 2001


It's too quiet...  This should liven things up...

I believe I mentioned some iptables/netfilter rules like "MIRROR" here
before, but I've finally gotten around to playing with it and thought I
would share...

I'll attach my config below.  Basically, I've simply made the default rule
"DROP", which is the equivalent to routing packets to the loopback.  I do
this instead of "REJECT" because it makes many programs hang.  ...very
annoying.  I also limit logging to prevent DoS.

That doesn't matter much though as I set everything to "MIRROR".  This
mangles incoming packets, swapping the source ip, port and MAC with the
destination and sending it back out.  So if someone is scanning you, they
are actually scanning themselves.  If they are running telnet, they will
think you are as well.  When they try to login via telnet, they will only
connect to themselves.  I tested that one.  It's pretty cool.

Now I need to figure out why my sniffer doesn't get anything when this
happens and why this doesn't work for ftp...  Any ideas or thoughts to make
this any better than it is?
I just know there's someone out there who will think I'm running an ftp
server and will give me their password when they see their own ftp server's
banner and login prompt...

(word-wrap may make this look bad.  each line begins with either a "#" or
"iptables".)

# /etc/sysconfig/iptables
# setting default policy for input and forward to drop
iptables -P INPUT DROP
iptables -P FORWARD DROP

# clear input rules
iptables -F INPUT

# accept trusted interfaces and lan
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

# drop packets that arrive on the outside interface with a loopback or lan
# source address.  Accepting them by source alone (the original rules had no
# "-i") would let a forged 127.x or 192.168.1.x packet from the internet in,
# and if they fell through to the MIRROR rule below the mirrored copy would be
# sent into the lan to the forged address.  Loopback is 127.0.0.0/8, not /24.
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j DROP

# accept related packets to connections made locally
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# send ICMP packets back after a little mangling

# accept connections for ssh (a single port needs no multiport match)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# setup the NAT rules first
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 24.3.227.221

# clear forward rules
iptables -F FORWARD

# accept related packets to connections made locally for NAT
iptables -A FORWARD -i eth0 -o eth1 -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept trusted interface
iptables -A FORWARD -i eth1 -j ACCEPT

# log unwanted traffic, don't flood the logfile
iptables -A FORWARD -m limit --limit 5/minute --limit-burst 5 -j LOG --log-level warning --log-prefix "NetFilter: "

# Have some fun with the portscanners
# matches (-m limit) go before the target (-j).  The LOG rule has to come
# before the MIRROR rule: MIRROR is a terminating target, so a LOG rule placed
# after it never sees the packets it just mirrored.
#iptables -A INPUT -i eth0 -p tcp -m limit --limit 1000/hour --limit-burst 1000 -j LOG --log-prefix "MIRROR:"
#iptables -A INPUT -i eth0 -p tcp -m limit --limit 1000/hour --limit-burst 1000 -j MIRROR
#iptables -A INPUT -i eth0 -p udp -m limit --limit 1000/hour --limit-burst 1000 -j MIRROR
#iptables -A INPUT -i eth0 -p icmp -m limit --limit 1000/hour --limit-burst 1000 -j MIRROR
#iptables -A INPUT -i eth0 -p tcp --tcp-option ! 2 -m limit --limit 1000/hour --limit-burst 1000 -j MIRROR
iptables -A INPUT -i eth0 -p all -m limit --limit 1000/hour --limit-burst 1000 -j LOG --log-prefix "MIRROR:"
iptables -A INPUT -i eth0 -p all -m limit --limit 1000/hour --limit-burst 1000 -j MIRROR
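What the MIRROR target does to a packet, as an added example (this is not code from the original post and not the netfilter implementation): a small Python model that swaps the IP source and destination, swaps the TCP/UDP ports, recomputes the checksums, and checks the result.  The addresses 198.51.100.9 and 203.0.113.7 are documentation-range addresses made up for the demo; 24.3.227.221 is the firewall address from the config above, and the packets are constructed in the code rather than captured.  The second packet shows the catch a practitioner should know about before running this on a production box: the mirrored packet is sent to whatever source address the sender put in the header, so a sender who spoofs the source can make the firewall throw packets at a third party.

```python
"""Model of a MIRROR-style rewrite: swap addresses and ports, fix checksums.
Standalone demo with constructed packets; not the kernel's ipt_MIRROR code."""
import socket
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """TCP/UDP checksum pseudo-header (the part that depends on the IP addresses)."""
    return struct.pack("!4s4sBBH", src, dst, 0, proto, length)


def build_packet(src: str, dst: str, proto: int, sport: int = 0, dport: int = 0,
                 payload: bytes = b"", ttl: int = 64) -> bytes:
    """Construct an IPv4 packet carrying a TCP SYN, a UDP datagram or an ICMP
    echo request.  Constructed sample input, not captured traffic."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags=SYN, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
        csum = checksum(_pseudo_header(s, d, proto, len(l4)) + l4)
        l4 = l4[:16] + struct.pack("!H", csum) + l4[18:]
    elif proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        csum = checksum(_pseudo_header(s, d, proto, len(l4)) + l4) or 0xFFFF
        l4 = l4[:6] + struct.pack("!H", csum) + l4[8:]
    elif proto == IPPROTO_ICMP:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload  # echo request, id=1, seq=1
        l4 = l4[:2] + struct.pack("!H", checksum(l4)) + l4[4:]
    else:
        raise ValueError("unsupported protocol")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, ttl, proto, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + l4


def mirror(packet: bytes) -> bytes:
    """Rewrite a packet the way the post describes MIRROR: swap source and
    destination IP, swap source and destination port for TCP/UDP, and redo the
    checksums.  ICMP has no ports and its checksum does not cover the IP
    addresses, so only the IP header changes for it."""
    ihl = (packet[0] & 0x0F) * 4
    ip, l4 = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    proto = ip[9]
    ip[12:16], ip[16:20] = packet[16:20], packet[12:16]   # swap addresses
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        l4[0:2], l4[2:4] = packet[ihl + 2:ihl + 4], packet[ihl:ihl + 2]  # swap ports
        off = 16 if proto == IPPROTO_TCP else 6   # checksum field offset
        l4[off:off + 2] = b"\x00\x00"
        csum = checksum(_pseudo_header(bytes(ip[12:16]), bytes(ip[16:20]), proto, len(l4)) + bytes(l4))
        if proto == IPPROTO_UDP and csum == 0:
            csum = 0xFFFF   # UDP: 0 means "no checksum", so send all-ones instead
        l4[off:off + 2] = struct.pack("!H", csum)
    return bytes(ip + l4)


def endpoints(packet: bytes):
    """(src, dst, sport, dport) of a packet; ports are None for ICMP."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    if packet[9] in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return src, dst, sport, dport
    return src, dst, None, None


def checksums_ok(packet: bytes) -> bool:
    """True if the IP header checksum and the transport checksum both verify."""
    ihl = (packet[0] & 0x0F) * 4
    ip, l4, proto = packet[:ihl], packet[ihl:], packet[9]
    if checksum(ip) != 0:
        return False
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        return checksum(_pseudo_header(ip[12:16], ip[16:20], proto, len(l4)) + l4) == 0
    if proto == IPPROTO_ICMP:
        return checksum(l4) == 0
    return True


if __name__ == "__main__":
    # a scanner at 198.51.100.9 probes telnet on the firewall; it gets its own SYN back
    probe = build_packet("198.51.100.9", "24.3.227.221", IPPROTO_TCP, 40123, 23)
    print(endpoints(probe), "->", endpoints(mirror(probe)))
    # a spoofed source: the mirrored packet goes to whoever the sender named
    spoofed = build_packet("203.0.113.7", "24.3.227.221", IPPROTO_TCP, 1, 23)
    print(endpoints(spoofed), "->", endpoints(mirror(spoofed)))
```

A bare swap actually leaves both checksums valid even without the recompute, because the Internet checksum is a sum over 16-bit words and does not care which order the addresses or ports appear in; the recompute only matters if anything else (TTL, for instance) is rewritten at the same time.  The spoofing property is the reason MIRROR was only ever an experimental demonstration target and was later dropped from the kernel: anyone can pick the destination of the firewall's mirrored traffic by forging the source address.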

