-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 15 Nov 2006, Magnus Månsson wrote:
> Hi, it seems like a couple of people have asked for this before but I haven't
> seen any answers.
>
> I want iptables to get packages that do not belong to the machine, packages
> that are directed to others but came to me due to promisc mode. I have found
> a patch from November 2001 that seems to do what I want but after manually
> trying to patch it in my userspace utils segfaults. I am not a programmer so
> no surprise I didn't manage. The old patch is here:
> http://idea.hosting.lv/a/iptables-promisc/
>
> So, why do I want this? (maybe you can tell me that I should do it in another
> way)
>
> I am having a routing switch that is mirroring the internet traffic into 2
> interfaces in a linux machine, this machine is for example running ntop to
> look at what people are doing (that they shouldn't do). One of the things I/we
> are interested to find out is if people use peer to peer protocols like
> Direct Connect / Bittorrent. My idea was to solve this with iptables layer7
> filter (l7-filter.sourceforge.net), ulogd and mysql. But since I can't build
> ULOG rules that catch the packages I am stuck.
>
> The reason to choose iptables is that I can store all the information about
> the protocols I am interested in. Ntop doesn't have the history that I want.
>
> I am very thankful for whatever help/directions I can get.

As long as the firewall machine that runs iptables is the gateway from the
LAN to the internet and vice versa, this is already happening, iptables
sees all the traffic in both directions, and can act on it as well, layer
4 and above. Nothing to add, no patch required. But, to have details in
the logs of what is passing requires that you build and configure your
rules properly, with log statements in your case being well defined and
covering a number of common protocol ports. One issue you will face is
that most of the traffic you are trying to monitor, is not well defined
nor restricted to any common ports, which is why you have faced issues in
preventing the traffic and even with a layer 7 module.

Plan on having at least one person devoted to nothing but monitoring
traffic and logs for some time to get a handle on what your users are
abusing.

Of course common theory is that this kind of abuse is best handled at the
HR level, a firewall is not the best place to handle this kind of policy
issue.

Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFW3Ttst+vzJSwZikRAqJzAKDVILcPhWyOSbHKYGhpUHEO63noPwCfXWu9
sjOHDE6m31Vg2OX4EyIP5UE=
=nVCS
-----END PGP SIGNATURE-----
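As an added example that is not part of the thread, the script below shows what "log statements covering a number of common protocol ports" on the gateway could look like, together with a small awk summariser that turns the resulting kernel LOG lines into the per-host history the original question asks for. Everything in it is assumed or constructed: the port lists, the `IPT` dry-run variable (it defaults to `echo iptables`, so the script only prints the rules it would apply), the sample log lines, and the l7-filter protocol names; the `layer7` match and `ULOG` target assume the l7-filter patch and ulogd from the question are installed on the gateway.

```shell
#!/bin/sh
# Added example (not code from the thread): FORWARD-chain logging rules for a
# gateway running iptables, plus a summariser for the kernel LOG lines they
# produce.  IPT defaults to "echo iptables", so running this only prints the
# rules; set IPT=iptables and run as root on the gateway to apply them.
IPT="${IPT:-echo iptables}"

# Constructed port lists: Direct Connect hubs commonly listen on 411/412 and
# BitTorrent clients on 6881-6889.  Adjust to what your users actually run.
DC_PORTS="411,412"
BT_PORTS="6881:6889"

# Adds LOG/ULOG rules to the FORWARD chain.  Rate limiting keeps a busy link
# from flooding syslog; distinct prefixes let the log consumer tell the
# protocols apart.  The layer7 rules assume the l7-filter kernel patch and
# its protocol definitions are installed (assumption, see lead-in).
p2p_log_rules() {
    # Port-based matches: cheap, but they only catch clients on default ports.
    $IPT -A FORWARD -p tcp -m multiport --dports "$DC_PORTS" \
        -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "P2P-DC: "
    $IPT -A FORWARD -p tcp --dport "$BT_PORTS" \
        -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "P2P-BT: "
    # Payload-based matches via l7-filter, handed to ulogd on netlink group 1
    # so the records can go to a database instead of syslog.
    $IPT -A FORWARD -m layer7 --l7proto directconnect \
        -j ULOG --ulog-nlgroup 1 --ulog-prefix "P2P-DC-L7"
    $IPT -A FORWARD -m layer7 --l7proto bittorrent \
        -j ULOG --ulog-nlgroup 1 --ulog-prefix "P2P-BT-L7"
}

# Constructed sample of what the LOG rules above write to the kernel log
# (documentation address ranges; the "martian" line is unrelated noise).
SAMPLE_LOG='Nov 15 10:01:02 gw kernel: P2P-BT: IN=eth1 OUT=eth0 SRC=192.0.2.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=51234 DPT=6881 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 15 10:01:05 gw kernel: P2P-BT: IN=eth1 OUT=eth0 SRC=192.0.2.23 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=51235 DPT=6882 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 15 10:02:10 gw kernel: P2P-DC: IN=eth1 OUT=eth0 SRC=192.0.2.40 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2001 DF PROTO=TCP SPT=40001 DPT=411 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 15 10:02:11 gw kernel: martian source 10.0.0.1 from 192.0.2.9, on dev eth1'

# Reads kernel log lines on stdin and prints "<prefix> <internal source> <hits>",
# one line per (protocol, host) pair, sorted for stable output.
summarize_p2p_log() {
    awk '
    /kernel: P2P-/ {
        prefix = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^P2P-[A-Z0-9]+:$/) prefix = substr($i, 1, length($i) - 1)
            if ($i ~ /^SRC=/)            src = substr($i, 5)
        }
        if (prefix != "" && src != "") hits[prefix " " src]++
    }
    END { for (k in hits) print k, hits[k] }' | LC_ALL=C sort
}

# Stand-alone run: show the rules, then the summary of the sample log.
p2p_log_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_p2p_log
```

The port-based rules are the part Ron's reply refers to; they are enough for clients on default ports and cost nothing extra. The layer7 rules cover the other case in his reply, traffic that is not tied to any common port, and are where the matching gets expensive and less certain, so feeding them to ulogd rather than syslog keeps the history queryable without drowning the system log.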