The thing is, the machine running the iptables is not really a firewall, nor is it "inline". It is simply sitting on the network and sees the traffic mirrored to it from a SPAN port. So it nominally does not forward any packets. Here is a sample shell script that fwsnort generates (for a simple rule to block .txt files through port 80 --- just testing, not a meaningful rule).

############################################
$IPTABLES -A FWSNORT_FORWARD -p tcp --dport 80 -m string --string ".txt" --algo bm -m comment --comment "msg: test; FWS: 0.9.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID1000002 "
$IPTABLES -A FWSNORT_FORWARD -p tcp --dport 80 -m string --string ".txt" --algo bm -j REJECT --reject-with tcp-reset
$IPTABLES -A FWSNORT_INPUT -p tcp --dport 80 -m string --string ".txt" --algo bm -m comment --comment "msg: test; FWS: 0.9.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID1000002 "
$IPTABLES -A FWSNORT_INPUT -p tcp --dport 80 -m string --string ".txt" --algo bm -j REJECT --reject-with tcp-reset

###
############ Jump traffic to the fwsnort chains.
############
###
$IPTABLES -I FORWARD 1 -i ! lo -j FWSNORT_FORWARD
$IPTABLES -I INPUT 1 -i ! lo -j FWSNORT_INPUT
$IPTABLES -I OUTPUT 1 -o ! lo -j FWSNORT_OUTPUT
###########################################

When I run this rule and try to access a .txt file (with a web browser on a different machine) on the machine running the iptables, I get a log message and the file access is blocked. However, if I try to do the same for a .txt file residing on a third machine (the machine running iptables is able to see the related packets on its interface connected to the SPAN port), I see no log or blocking.
Thanks,
Siva

-----Original Message-----
From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx]
Sent: Saturday, April 21, 2007 9:24 AM
To: Krishnamoorthy (Siva) Sivakumar
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Iptables rule on span traffic

On Friday 20 April 2007 at 12:13 -0700, Krishnamoorthy (Siva) Sivakumar wrote:
> Anyone have any idea what I need to do to have iptables rule to act on
> SPAN traffic. Tcpdump on eth1 does show traffic that the loaded
> iptables rules should catch. Am I missing something in the way I have
> set things up?

Check the chain where your rules are created. Like FORWARD or INPUT. And if it eventually fits your needs:
. INPUT for traffic destined to your machine
. FORWARD for traffic it should route

--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
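An added example, not from this thread or from fwsnort, that models why the two cases Siva describes behave differently: a small Python sketch of the points at which a Linux host discards a frame before its INPUT or FORWARD chain ever sees it. The host, MAC and IP values are constructed for illustration.

```python
# Added example: model of where Linux netfilter hooks sit relative to traffic
# mirrored to a host by a SPAN port. Host, MAC and IP values are constructed;
# nothing here touches a real kernel or iptables.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    dst_mac: str
    dst_ip: str

@dataclass
class Host:
    macs: set          # MAC addresses of this host's interfaces
    ips: set           # IP addresses configured on this host
    ip_forward: bool   # value of /proc/sys/net/ipv4/ip_forward
    promisc: bool      # interface in promiscuous mode (e.g. tcpdump running)

def netfilter_path(frame: Frame, host: Host) -> str:
    """Return where the frame stops, or the filter chain it reaches."""
    local_l2 = (frame.dst_mac in host.macs or frame.dst_mac == BROADCAST
                or frame.dst_mac.startswith("01:00:5e:"))  # IPv4 multicast
    if not local_l2 and not host.promisc:
        return "discarded by NIC"           # never handed to the kernel
    if not local_l2:
        # Promiscuous capture (AF_PACKET, so tcpdump) sees the frame, but
        # eth_type_trans() marks it PACKET_OTHERHOST and ip_rcv() drops it
        # before the PREROUTING hook, so no iptables chain sees it.
        return "dropped in ip_rcv before PREROUTING"
    if frame.dst_ip in host.ips:
        return "INPUT"                      # local delivery
    if host.ip_forward:
        return "FORWARD"                    # routed through this host
    return "dropped at routing decision"    # not ours and forwarding is off

# Constructed scenario matching the thread: the iptables host is fed by a SPAN
# port, so a request to a third machine carries that machine's MAC, not ours.
SENSOR = Host(macs={"00:11:22:33:44:55"}, ips={"10.0.0.5"},
              ip_forward=False, promisc=True)
TO_SENSOR = Frame(dst_mac="00:11:22:33:44:55", dst_ip="10.0.0.5")
TO_THIRD = Frame(dst_mac="00:aa:bb:cc:dd:ee", dst_ip="10.0.0.9")

if __name__ == "__main__":
    for name, f in (("request to sensor", TO_SENSOR),
                    ("mirrored request", TO_THIRD)):
        print(f"{name}: {netfilter_path(f, SENSOR)}")
```

Only the first case reaches FWSNORT_INPUT; the mirrored request is visible to tcpdump but never enters a netfilter hook, which is why the rule logs nothing for it.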