Eric Leblond wrote:
On Sat, 2005-12-03 at 17:39 -0500, James Rhett Aultman wrote:
Dear Netfilter users,
Again, to explain the mechanism I need: when the
machine encounters a packet matching a rule, I want the machine to run a
specific program and drop the packet.
Is something like this possible using iptables or another netfilter project?
Yes, just use the QUEUE or NFQUEUE target. This sends the packet to userspace
and there you can do what you want. In your case, match and accept the
packets, and when a match is done, do your job ....
If you need some code example, you can have a look at NuFW :
http://www.nufw.org/
By the way, you could also have a look at ulogd2 which brings some
features that may interest you :
http://svn.gnumonks.org/branches/ulog/ulogd2/
BR,
But actually the truth is that this is a job for an IDS/IPS such as
Snort(.org), not netfilter.
A quote from: http://www.snort.org/docs/faq/1Q05/node91.html
" But one caveat... running external binaries can also be a performance
limiter and you should read the caution below...
CHRISTOPHER CRAMER wrote:
I'm sure this has been mentioned before in similar discussions, but
this feels like a _really_ bad idea. What if the bad guys realize
what is going on and make use of your blocking method as a DoS
attack. All one would have to do is start sending a series of
triggering packets with spoofed IP addresses.
Since I am no longer interested in breaking into your site, but
rather making your life hell, I don't worry about the resulting data
getting back to me. All I have to do is start proceeding up a list
of IP addresses that I think you should no longer be able to talk
to. When you come in the next morning, you find that you can no
longer access the world.
Just my $0.02.
Danger Will Robinson: Conventional wisdom says that auto-blocking is
inherently dangerous."
Enjoy! :-)
Georgi Alexandrov
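An added example, not code from this thread or from NuFW or ulogd2: the userspace decision logic for the NFQUEUE approach Eric describes, written to respect the auto-blocking caveat quoted above. It assumes a kernel rule such as `iptables -A INPUT -p tcp --dport 23 -j NFQUEUE --queue-num 0` (port 23 is an arbitrary choice) and that the bytes handed to `verdict()` are what the queue binding (libnetfilter_queue, or the Python `netfilterqueue` package) delivers for each queued packet. The sample packets are constructed inline by `build_ipv4_tcp()`, `run_program` stands in for whatever external command you would execute, and the allow-list and per-window cap are my own guards, chosen so that spoofed triggering packets cannot make the machine block the whole world.

```python
"""Decision logic for a "run a program and drop the packet" NFQUEUE handler.

Added example (not from the original thread). Binding to the queue itself
needs libnetfilter_queue or the Python netfilterqueue package; the verdict
logic is kept as a pure function over raw packet bytes so it runs offline.
"""
import ipaddress
import struct
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass
class Rule:
    proto: int   # IP protocol number, 6 = TCP
    dport: int   # destination port that triggers the action


@dataclass
class BlockerState:
    """Guards against the spoofed-source DoS described in the Snort FAQ quote."""
    never_block: List[ipaddress.IPv4Network]   # e.g. your own nets, DNS, upstreams
    max_blocks_per_window: int = 20            # cap on new blocks per window
    window_seconds: int = 60
    blocked: Dict[str, float] = field(default_factory=dict)
    recent: List[float] = field(default_factory=list)


def parse_ipv4_tcp(raw: bytes) -> Optional[Tuple[str, str, int, int, int]]:
    """Return (src, dst, proto, sport, dport), or None if not IPv4 over TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    if proto != 6 or len(raw) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def verdict(raw: bytes, rule: Rule, state: BlockerState,
            run_program: Callable[[str], None],
            now: Optional[float] = None) -> Tuple[str, bool]:
    """Return (netfilter verdict, whether run_program was invoked)."""
    now = time.time() if now is None else now
    hdr = parse_ipv4_tcp(raw)
    if hdr is None:
        return ACCEPT, False
    src, _dst, proto, _sport, dport = hdr
    if proto != rule.proto or dport != rule.dport:
        return ACCEPT, False
    # The triggering packet itself is always dropped, as the requester wanted.
    # Running the external program (which would block src) is allow-listed and
    # rate-limited, because the source address is attacker-chosen and spoofable.
    if any(ipaddress.IPv4Address(src) in net for net in state.never_block):
        return DROP, False
    if src in state.blocked:
        return DROP, False
    state.recent = [t for t in state.recent if now - t < state.window_seconds]
    if len(state.recent) >= state.max_blocks_per_window:
        return DROP, False
    state.recent.append(now)
    state.blocked[src] = now
    run_program(src)
    return DROP, True


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed test packet: minimal IPv4 + TCP SYN headers, no checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp


def demo():
    """Feed six constructed packets through the handler; returns verdicts and
    the list of addresses the (hypothetical) external program was run for."""
    rule = Rule(proto=6, dport=23)
    state = BlockerState(never_block=[ipaddress.ip_network("10.0.0.0/8")],
                         max_blocks_per_window=2)
    ran: List[str] = []
    t = 1000.0
    pkts = [("203.0.113.5", 23),    # first hit: drop and run program
            ("203.0.113.5", 23),    # same source again: drop only
            ("10.1.2.3", 23),       # allow-listed source: drop only
            ("198.51.100.7", 23),   # second new source: drop and run program
            ("198.51.100.8", 23),   # window cap reached: drop only
            ("198.51.100.9", 80)]   # rule does not match: accept
    results = [verdict(build_ipv4_tcp(s, "192.0.2.1", 40000 + i, p), rule,
                       state, ran.append, t) for i, (s, p) in enumerate(pkts)]
    return results, ran


if __name__ == "__main__":
    print(demo())
```

In a real deployment the callback registered with the queue library would call `verdict()` and translate `DROP`/`ACCEPT` into the library's verdict call; the rate limit should be far lower than the rate at which an attacker can send spoofed packets, and `never_block` should cover anything you cannot afford to lose.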