Honeypots mailing list archives

Re: Bridging firewalls, honeynet.org rc.firewall, and UML honeypots


From: Mike Tremoulet <coffeemike () gmail com>
Date: Wed, 17 Nov 2004 09:41:57 -0600

On Wed, 17 Nov 2004 15:54:14 +0100, no-ctrl <no-ctrl () hetnet nl> wrote:
> Hello,
>
> Unfortunately I ran into the same sort of problems. I'm trying to run a UML honeypot on SUSE 9.1 in bridging mode.
> But it doesn't work. I've looked at a couple of howtos, but they are not solving my problems. I can't even find out
> how to check whether my kernel supports iptables with a bridge or whether I need ebtables?!
>
> At this moment I have the bridging working both to and from the guest, but when I enable iptables, I can only get
> into my UML. I would like to go through some logging of iptables, but... euh. I cannot find it (I used the
> firewall.rc from the honeynet.org site).
>
> Can anybody show me a place where this setup is properly explained (with up-to-date info)?
>
> Regards,
>
> Luke


I've just about got all the bugs worked out now, and since I haven't
seen it written up, I'm putting together a whitepaper on the setup.

The 2.6 kernel supports bridging, so I didn't need to add ebtables on
the host.  However, the rc.firewall script looks at the input and
output logical devices.  What I had to do was change almost all of the
-i $iface parts of the rules into -m physdev --physdev-in $iface.  If
you just log every packet through the FORWARD chain, you'll see that
the logical in and out devices are both the bridge (br0), but the
physdev in and out devices are the actual interfaces.

I'll post to the list when I have a draft written.

Thanks,
-- Mike

-- 
just a Gnome of Zurich ... feeding tiny bits of information from all over...
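The rewrite Mike describes, as an added example (not code from this thread and not honeynet.org's rc.firewall): in the FORWARD chain of a bridging host, `-i`/`-o` only ever see the logical bridge device, so per-interface rules have to use the physdev match instead. The interface names (eth0 outside, tap0 on the UML guest's side, bridged as br0), the honeypot subnet, and the dry-run default for `IPTABLES` are assumptions made for this example; `bridgeify` is a hypothetical helper that applies the `-i` to `--physdev-in` substitution to rule lines of the kind an rc.firewall-style script builds.

```shell
#!/bin/sh
# Added example, not code from the thread or from honeynet.org's rc.firewall.
# Assumptions (constructed for this example): the host bridges eth0 (outside)
# and tap0 (the UML guest's side) as br0, the honeypot lives in 192.168.1.0/24,
# and IPTABLES defaults to a dry run that prints rules instead of applying them.
EXT_IF=${EXT_IF:-eth0}
HP_IF=${HP_IF:-tap0}
HONEYPOT_NET=${HONEYPOT_NET:-192.168.1.0/24}
IPTABLES=${IPTABLES:-echo iptables}   # set IPTABLES=iptables (as root) to apply

# On a bridge, -i and -o in the FORWARD chain both report the logical device
# (br0). The physdev match reports the real bridge port, so that is what a
# per-interface rule has to test.
physdev_in()  { printf -- '-m physdev --physdev-in %s'  "$1"; }
physdev_out() { printf -- '-m physdev --physdev-out %s' "$1"; }

# Rewrite one rule line from logical-interface matches to physdev matches.
# Only FORWARD rules are rewritten ("almost all" of them in Mike's words):
# INPUT/OUTPUT rules for the host's own traffic still want plain -i/-o.
bridgeify() {
    case "$1" in
        *FORWARD*)
            printf '%s\n' "$1" | sed \
                -e 's/-i \([^ ]*\)/-m physdev --physdev-in \1/g' \
                -e 's/-o \([^ ]*\)/-m physdev --physdev-out \1/g' ;;
        *)
            printf '%s\n' "$1" ;;
    esac
}

# FORWARD rules for bridged honeypot traffic; printed to stdout when dry-running.
build_forward_rules() {
    # Log every packet first: the LOG line shows PHYSIN=/PHYSOUT= next to
    # IN=br0/OUT=br0, which is how to confirm which bridge port a rule must match.
    $IPTABLES -A FORWARD $(physdev_in "$EXT_IF") -j LOG --log-prefix "HP-IN: "
    $IPTABLES -A FORWARD $(physdev_in "$HP_IF")  -j LOG --log-prefix "HP-OUT: "
    # Anything from outside toward the honeypot is allowed in.
    $IPTABLES -A FORWARD $(physdev_in "$EXT_IF") $(physdev_out "$HP_IF") \
        -d "$HONEYPOT_NET" -j ACCEPT
    # Replies belonging to connections that came in are allowed back out.
    $IPTABLES -A FORWARD $(physdev_in "$HP_IF") $(physdev_out "$EXT_IF") \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Connections the guest itself opens are rate-limited; the rest are logged
    # and dropped so a compromised honeypot cannot freely reach other hosts.
    $IPTABLES -A FORWARD $(physdev_in "$HP_IF") $(physdev_out "$EXT_IF") \
        -m conntrack --ctstate NEW -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
    $IPTABLES -A FORWARD $(physdev_in "$HP_IF") $(physdev_out "$EXT_IF") \
        -j LOG --log-prefix "HP-OUT-DROP: "
    $IPTABLES -A FORWARD $(physdev_in "$HP_IF") $(physdev_out "$EXT_IF") -j DROP
}
```

Source the file and call `build_forward_rules` to see the rules it would load; with `IPTABLES=iptables` and root it applies them. The `bridgeify` helper shows the substitution on a single rule line, e.g. `bridgeify "-A FORWARD -i eth0 -o tap0 -j ACCEPT"`, and leaves INPUT/OUTPUT rules untouched. The two LOG rules at the top are deliberately first: a packet that never reaches the ACCEPT rules still produces a log line whose PHYSIN/PHYSOUT fields tell you which port name the rule should have matched.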

