Honeypots mailing list archives

Re: arpd and iptables


From: "Stephan Riebach" <riebach () iem uni-due de>
Date: Mon, 14 Mar 2005 16:46:18 +0100

Hi Jeffrey,

> So my question is, if I am blocking all traffic with my iptables how
> come I can ping the honeypot (and get a reply back)?
Not only that, you should also be able to establish TCP connections to your
honeypot.

A possible solution: 
Replace your OUTPUT rule with a stateful rule, for example
"iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT".

What happens? After checking the MAC address of eth0, any packet sent to the
real IP or the honeypot IP "arrives" at your INPUT chain. There your rule says:
drop any packet that is not in state ESTABLISHED or RELATED and is sent to the
IP of eth0 (because iptables is layer 3 filtering). But the packets are sent to
the IP of the honeypot, so they pass your rule. Now your OUTPUT rule allows
everything, which is simply an inversion of your command "IPTABLES -P OUTPUT
DROP", with the result that you can establish connections to your honeypot.

Regards,
Stephan


-----Original Message-----
From: Jeffrey B. Murphy [mailto:jbmurphy () gmail com]
Sent: Friday, 11 March 2005 20:23
To: honeypots () securityfocus com
Subject: arpd and iptables

I have honeyd using arpd on a fedora core 3 box.

I am confused. I have some knowledge of iptables, but I could easily be
mixing something up. And this might be a bit of an iptables question,
but it is more of how arpd interacts with iptables so hopefully the
moderator will be kind. I have the following iptables rules:

#!/bin/bash

# Clear all rules
iptables -F
iptables -X

# Set default policy to drop everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow anything out on eth0
iptables -A OUTPUT -o eth0 -j ACCEPT
# Allow in only packets belonging to a connection the box already tracks
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

My understanding is that this drops all traffic coming into the box
and allows all traffic going out of the box (there is only eth0).

If I start arpd => arpd IPAddress
and then start honeyd => honeyd -d honeyd.conf -d

honeyd.conf = 
create sticky
set sticky personality "Microsoft Windows NT 4.0 SP3"
set sticky default tcp action tarpit open
set sticky default icmp action open
bind IPAddress sticky

(arpd IPAddress = bind IPAddress)
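As an added example (not code from either poster), the script below renders Jeffrey's original ruleset and the variant with Stephan's stateful OUTPUT rule side by side in iptables-restore format, so the whole filter table can be loaded in one atomic step instead of rule by rule with a DROP policy already in place. It assumes, as in the thread, that eth0 is the only interface and that the honeypot address bound in honeyd.conf is not an address of the box itself; nothing is applied unless you pipe the output into iptables-restore as root.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Emits the filter table in iptables-restore format.
#   $1 = original  -> Jeffrey's unconditional OUTPUT accept
#   $1 = stateful  -> Stephan's suggested stateful OUTPUT rule
# Assumptions: eth0 is the only interface (as in the thread).
honeypot_rules() {
    case "$1" in
        original) output_rule='-A OUTPUT -o eth0 -j ACCEPT' ;;
        stateful) output_rule='-A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT' ;;
        *) echo "usage: honeypot_rules original|stateful" >&2; return 1 ;;
    esac
    # Policies are DROP for all three chains; only two rules are appended.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$output_rule
COMMIT
EOF
}

# Show the two rulesets as a unified diff so the single changed line is obvious.
diff_rulesets() {
    honeypot_rules original > /tmp/hp_original.$$
    honeypot_rules stateful > /tmp/hp_stateful.$$
    diff -u /tmp/hp_original.$$ /tmp/hp_stateful.$$
    rm -f /tmp/hp_original.$$ /tmp/hp_stateful.$$
}

# Default action when run directly: print the stateful variant.
# To load it (as root):  sh this_script.sh | iptables-restore
# To check what actually hits each rule afterwards:  iptables -L -v -n -x
honeypot_rules stateful
```

After loading the stateful variant, the per-rule packet counters from `iptables -L -v -n -x` show whether traffic addressed to the honeypot IP is being counted by the INPUT rule at all, which is the quickest way to test the explanation given above on a live box.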
