Honeypots mailing list archives
Re: arpd and iptables
From: "Stephan Riebach" <riebach () iem uni-due de>
Date: Mon, 14 Mar 2005 16:46:18 +0100
Hi Jeffrey,
So my question is, if I am blocking all traffic with my iptables how come I can ping the honeypot (and get a reply back)?
Not only that, you should also be able to establish TCP connections to your honeypot. A possible solution: replace your OUTPUT rule with a stateful rule, for example "iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT".

What happens? After checking the MAC address of eth0, any packet sent to the real IP or the honeypot IP "arrives" at your INPUT chain. There your rule says: drop any packet that is not in state ESTABLISHED or RELATED and is sent to the IP of eth0 (because iptables is layer 3 filtering). But the packets are sent to the IP of the honeypot, so they pass your rule. Now your OUTPUT rule allows everything, which is simply an inversion of your command "IPTABLES -P OUTPUT DROP", with the result that you can establish connections to your honeypot.

Regards,
Stephan

-----Original Message-----
From: Jeffrey B. Murphy [mailto:jbmurphy () gmail com]
Sent: Friday, 11 March 2005 20:23
To: honeypots () securityfocus com
Subject: arpd and iptables

I have honeyd using arpd on a Fedora Core 3 box. I am confused. I have some knowledge of iptables, but I could easily be mixing something up. And this might be a bit of an iptables question, but it is more of how arpd interacts with iptables, so hopefully the moderator will be kind. I have the following iptables rules:

#!/bin/bash
# Clear all rules
iptables -F
iptables -X
# Set default policy to drop everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow all outbound traffic on eth0
iptables -A OUTPUT -o eth0 -j ACCEPT
# Allow inbound packets belonging to connections this box initiated
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

My understanding is that this drops all traffic coming into the box and allows all traffic going out of the box (there is only eth0).

If I start arpd:

arpd IPAddress

and then start honeyd:

honeyd -d honeyd.conf

honeyd.conf:

create sticky
set sticky personality "Microsoft Windows NT 4.0 SP3"
set sticky default tcp action tarpit open
set sticky default icmp action open
bind IPAddress sticky

(arpd IPAddress = bind IPAddress)
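The point Stephan makes about the OUTPUT rule (an unconditional ACCEPT on eth0 cancels the chain's DROP policy) is easy to miss when reading a rule script by eye. The following is an added example, not code from either poster: a small Python linter for the subset of iptables syntax used in this thread (-P, -A, -i/-o, -m state --state, -j). It parses the script, then reports any ACCEPT rule in a DROP-policy chain that matches on nothing but an interface, and separately notes a stateful rule that includes NEW, since such a rule still lets the host open any connection it likes. The two rule sets embedded below are constructed from the ones quoted in the thread.

```python
"""Lint an iptables shell script for ACCEPT rules that cancel a chain's DROP policy.

Added example for the honeypots-list thread; the parser handles only the
iptables options that appear in the thread (-P, -A, -i, -o, -m state, -j).
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    chain: str
    target: str
    iface: Optional[str] = None                 # value of -i / -o, if given
    states: Set[str] = field(default_factory=set)   # -m state --state values
    other: Dict[str, str] = field(default_factory=dict)  # any other match option


def parse_iptables_script(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return ({chain: policy}, [rules]) for the iptables commands in a script."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("iptables"):
            continue                      # shebang, comments, blank lines
        argv = shlex.split(line)[1:]
        if "-P" in argv:                  # chain policy, e.g. -P OUTPUT DROP
            i = argv.index("-P")
            policies[argv[i + 1]] = argv[i + 2]
            continue
        if "-A" not in argv:
            continue                      # -F / -X and other non-rule commands
        rule = Rule(chain=argv[argv.index("-A") + 1], target="")
        i = 0
        while i < len(argv):
            tok = argv[i]
            if tok == "-j":
                rule.target = argv[i + 1]
                i += 2
            elif tok in ("-i", "-o"):
                rule.iface = argv[i + 1]
                i += 2
            elif tok == "-m" and argv[i + 1:i + 3] == ["state", "--state"]:
                rule.states = set(argv[i + 3].split(","))
                i += 4
            elif tok == "-A":
                i += 2
            elif tok.startswith("-") and i + 1 < len(argv):
                rule.other[tok] = argv[i + 1]   # -p, -s, -d, --dport, ...
                i += 2
            else:
                i += 1
        rules.append(rule)
    return policies, rules


def find_policy_inversions(policies: Dict[str, str],
                           rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (chain, severity, message) for ACCEPT rules in DROP-policy chains.

    severity "inversion": the rule matches every packet (optionally on one
    interface), so the DROP policy never applies.
    severity "note": the rule is stateful but includes NEW, so any connection
    initiated from this side is still allowed.
    """
    findings = []
    for r in rules:
        if r.target != "ACCEPT" or policies.get(r.chain) != "DROP":
            continue
        if not r.states and not r.other:
            where = f"on {r.iface}" if r.iface else "on any interface"
            findings.append((r.chain, "inversion",
                             f"ACCEPT {where} matches every packet; policy DROP has no effect"))
        elif "NEW" in r.states and not r.other:
            findings.append((r.chain, "note",
                             "stateful ACCEPT includes NEW: any connection initiated "
                             "from this side is allowed (only INVALID is dropped)"))
    return findings


def lint(script: str) -> List[Tuple[str, str, str]]:
    return find_policy_inversions(*parse_iptables_script(script))


# Constructed from the rule set quoted in the thread.
ORIGINAL_SCRIPT = """\
#!/bin/bash
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

# The same script with the OUTPUT rule replaced by the stateful rule from the reply.
STATEFUL_SCRIPT = ORIGINAL_SCRIPT.replace(
    "iptables -A OUTPUT -o eth0 -j ACCEPT",
    "iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT",
)

if __name__ == "__main__":
    for name, script in (("original", ORIGINAL_SCRIPT), ("stateful", STATEFUL_SCRIPT)):
        print(name)
        for chain, severity, msg in lint(script):
            print(f"  [{severity}] {chain}: {msg}")
```

Run stand-alone it prints one "inversion" for the OUTPUT chain of the original script and only a "note" for the stateful replacement. The linter reasons about the rules as written; it says nothing about traffic that honeyd handles via packet capture rather than the host's IP stack, which the rest of the thread discusses.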