Honeypots mailing list archives
Firewall Setup
From: Jermaine Crawford <faysspv () bellsouth net>
Date: Tue, 04 Mar 2003 11:57:44 -0500
Well, I think I have the whole single IP problem worked out. Thank you guys for the suggestions. I'm working to get the firewall rules worked out. I think I have everything, but I need to know if I missed anything blatant. Any improvement suggestions would be appreciated. Wasn't totally sure about the limiting connections. Attached is the current setup.
#!/bin/bash
# Variable assignments must not have spaces around "=" in bash.
IPT="/sbin/iptables"
INT="ppp0"
LAN_IFACE="eth1"
HNY_IFACE="eth2"
HNY_IP="x.x.x.x"

# Flushing all rules
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t nat
$IPT -X

# Setting default policies
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# Setting up forwarding (absolute path to the sysctl file)
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE
# Log every new inbound connection that is forwarded to the honeypot
$IPT -A FORWARD -i $INT -d $HNY_IP -m state --state NEW -j LOG --log-prefix "Honeypot: "

# Redirecting specific ports to honeypot
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 21 -j DNAT --to $HNY_IP:21
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to $HNY_IP:53
$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to $HNY_IP:53
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 23 -j DNAT --to $HNY_IP:23
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 111 -j DNAT --to $HNY_IP:111
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to $HNY_IP:25
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 110 -j DNAT --to $HNY_IP:110

# Accepting the redirected ports on the input table
# (DNATed packets traverse FORWARD rather than INPUT, so these rules only
#  affect connections to these ports on the firewall host itself)
$IPT -A INPUT -i $INT -d 0/0 -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -i $INT -d 0/0 -p tcp --dport 23 -j ACCEPT
$IPT -A INPUT -i $INT -d 0/0 -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i $INT -d 0/0 -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i $INT -d 0/0 -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -i $INT -d 0/0 -p tcp --dport 111 -j ACCEPT
$IPT -A INPUT -i $INT -d 0/0 -p udp --dport 53 -j ACCEPT

# Accept connections from trusted interface and local interface.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $LAN_IFACE -j ACCEPT

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j DROP

# Setting some basic state-matching. Allows me to accept related and established connections.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Dropping windows netbios broadcasts.
$IPT -A INPUT -p udp --sport 135:137 -j DROP

# Creating some test chains to help with debugging
# Remove after testing
$IPT -N testinput
$IPT -A testinput -m limit --limit 20/minute -j LOG --log-prefix "testinput: "
$IPT -A testinput -j DROP
$IPT -N testoutput
$IPT -A testoutput -m limit --limit 20/minute -j LOG --log-prefix "testoutput: "
$IPT -A testoutput -j DROP

# Sending all remaining traffic to debugging chains
# (everything that reaches this point is logged and dropped, which for OUTPUT
#  means all of the firewall's own outbound traffic while this rule is in place)
$IPT -A INPUT -j testinput
$IPT -A OUTPUT -j testoutput

# Logging connections and limiting from honeypot.
# Packets from the honeypot are forwarded by this box, not generated by it, so
# they pass through FORWARD, not OUTPUT; -i (input interface) is also not a
# valid match in the OUTPUT chain.
$IPT -A FORWARD -i $HNY_IFACE -s $HNY_IP -m state --state NEW -j LOG --log-prefix "Honeypot: "
# Allow at most 6 new outbound connections per hour from the honeypot and reject
# the rest. The limit match has to gate the ACCEPT, not the REJECT: a limited
# REJECT would block only the first few connections and let everything after
# them through.
$IPT -A FORWARD -i $HNY_IFACE -s $HNY_IP -m state --state NEW -m limit --limit 6/h --limit-burst 6 -j ACCEPT
$IPT -A FORWARD -i $HNY_IFACE -s $HNY_IP -m state --state NEW -j REJECT
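The LOG rules above tag both directions with the prefix "Honeypot: ", so the kernel log is where the 6-connections-per-hour outbound limit can be checked after the fact. The following parser is an added example, not part of the original post: it reads syslog lines in the format the iptables LOG target emits, tells inbound from outbound by the honeypot interface (eth2, as in the script), and reports any hour in which the honeypot attempted more new outbound connections than the rules permit. The log lines, hostname and addresses are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog lines in iptables LOG format (fields abbreviated).
# IN=ppp0 lines are attackers reaching the honeypot; IN=eth2 lines are the
# honeypot calling out.
SAMPLE_LOG = """\
Mar  4 11:57:44 fw kernel: Honeypot: IN=ppp0 OUT=eth2 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=21 SYN
Mar  4 11:57:50 fw kernel: Honeypot: IN=ppp0 OUT=eth2 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=4445 DPT=23 SYN
Mar  4 11:58:01 fw kernel: Honeypot: IN=eth2 OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=80 SYN
Mar  4 11:58:02 fw kernel: Honeypot: IN=eth2 OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=1026 DPT=80 SYN
Mar  4 11:58:03 fw kernel: Honeypot: IN=eth2 OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=1027 DPT=80 SYN
Mar  4 11:58:04 fw kernel: Honeypot: IN=eth2 OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.8 PROTO=TCP SPT=1028 DPT=80 SYN
Mar  4 11:58:05 fw kernel: Honeypot: IN=eth2 OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=1029 DPT=80 SYN
Mar  4 11:58:06 fw kernel: Honeypot: IN=eth2 OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.10 PROTO=TCP SPT=1030 DPT=80 SYN
Mar  4 11:58:07 fw kernel: Honeypot: IN=eth2 OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.11 PROTO=TCP SPT=1031 DPT=80 SYN
Mar  4 12:10:00 fw kernel: Honeypot: IN=eth2 OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.12 PROTO=UDP SPT=1032 DPT=53
"""
HNY_IFACE = "eth2"     # honeypot side of the firewall, as in the posted script
LIMIT_PER_HOUR = 6     # the --limit 6/h applied to new outbound connections
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Honeypot: "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?")

def parse(lines):
    """Return one dict per 'Honeypot:' log line, tagged inbound or outbound."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue          # not one of our LOG lines
        e = m.groupdict()
        # syslog timestamps carry no year; the default (1900) is fine for hour bucketing
        e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")
        # a packet entering on the honeypot interface is the honeypot calling out
        e["direction"] = "outbound" if e["in"] == HNY_IFACE else "inbound"
        events.append(e)
    return events

def outbound_per_hour(events):
    """Count new outbound connections per clock hour, the unit the 6/h limit uses."""
    return Counter(e["ts"].strftime("%b %d %H:00") for e in events if e["direction"] == "outbound")

def hours_over_limit(events, limit=LIMIT_PER_HOUR):
    """Hours in which the honeypot tried more new outbound connections than allowed."""
    return {h: n for h, n in outbound_per_hour(events).items() if n > limit}

def inbound_ports(events):
    """Which redirected services attackers actually hit."""
    return Counter(e["dpt"] for e in events if e["direction"] == "inbound")
```

With the sample above, hours_over_limit reports the 11:00 hour with 7 new outbound connections, the case in which the REJECT rule should have started firing.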
Current thread:
- Firewall Setup Jermaine Crawford (Mar 04)