Honeypots mailing list archives
Re: arpd and iptables
From: "Jeffrey B. Murphy" <jbmurphy () gmail com>
Date: Wed, 16 Mar 2005 16:15:43 -0500
Okay, so I changed my OUTPUT rule to:

iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

This caused the response to the ping to not make it back to the pinger (if that makes sense). But I don't understand why the pings/packets got by my INPUT default policy of DROP. The only two INPUT rules I have are:

iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Wouldn't that mean that traffic should never make it to the honeypot? It stops it from getting to the "host" IP. Why is it getting by to the honeypot? A couple more questions inline: (Thanks for your help)

On Mon, 14 Mar 2005 16:46:18 +0100, Stephan Riebach <riebach () iem uni-due de> wrote:
> Hi Jeffrey,
>
> > So my question is, if I am blocking all traffic with my iptables how come I can ping the honeypot (and get a reply back)?
>
> Not only that, you should also be able to establish TCP connections to your honeypot. A possible solution: replace your OUTPUT rule with a stateful rule, for example "iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT". What happens? After checking the MAC address of eth0, any packet sent to the real IP or the honeypot IP "arrives" at your INPUT chain. There your rule says: drop any packet that is not in state ESTABLISHED or RELATED and sent to IP of eth0 (because iptables is layer 3 filtering). But the packets are sent to the IP of the honeypot, so they pass your rule.
I think this is the answer to my question above, but I don't understand it. My rules do not specifically state the IP of eth0 in "drop any packet that is not in state ESTABLISHED or RELATED and sent to IP of eth0". Or do they? Does this mean that since I am using a match on state, it is therefore defaulting to the IP that is assigned to eth0? I am confused. Thanks for your help.
> Now your OUTPUT rule allows everything, which is simply an inversion of your command "IPTABLES -P OUTPUT DROP", with the result that you can establish connections to your honeypot.
>
> Regards,
> Stephan