RE: Iptables rule on span traffic

-----Original Message-----
From: Martijn Lievaart [mailto:m@xxxxxxx] 
Sent: Sunday, April 22, 2007 10:25 PM
To: Krishnamoorthy (Siva) Sivakumar
Cc: Pascal Hambourg; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Iptables rule on span traffic

Krishnamoorthy (Siva) Sivakumar wrote:
> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Pascal Hambourg
> Sent: Saturday, April 21, 2007 2:20 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Iptables rule on span traffic
>
> Hello,
>
> Krishnamoorthy (Siva) Sivakumar wrote:
>
>> When I run this rule, and try to access a .txt file (with a web
>> browser on a different machine) on the machine running the iptables, I
>> get a log message and the file access is blocked. However, if I try to
>> do the same but for a .txt file residing on a third machine (machine
>> running iptables is able to see the related packets on its interface
>> connected to the span port), I see no log or blocking. 
>>
>
> As Cédric said, packets which are not destined to the box do not go 
> through the INPUT chains. And since the box is not forwarding traffic, 
> these packets are dropped at the input routing decision stage and do not 
> go through the FORWARD chains either.
>
> [Siva:]
> Then is it true that for iptables rules to be effective (fwsnort generated or otherwise), the machine must be "inline"? Is there no way to implement iptables rules on "mirrored" traffic?
>
> Siva
>
>

You could try to turn on forwarding and block all traffic that makes it 
through the snort rules.

HTH,
M4

[Siva:] 
Can you explain in more detail (sorry I am a novice)? How do you turn on forwarding? Does this require the iptables machine to be inline (in addition to a regular firewall/router that does the actual forwarding)? 

Thanks,
Siva
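The packet path Pascal describes above (local delivery goes through INPUT, anything else hits the routing decision and is dropped unless forwarding is on, in which case it goes through FORWARD), as an added example that is not code from any participant in this thread: a toy Python model of netfilter traversal, extended to show the forwarding-enabled case M4 suggests. The addresses and the fwsnort-style content signature are constructed for the example.

```python
# Added example (not from the thread): a toy model of the netfilter packet path.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

@dataclass
class Box:
    local_ips: set                              # addresses configured on the box
    ip_forward: bool                            # net.ipv4.ip_forward
    rules: dict = field(default_factory=dict)   # chain -> [(match, target)]
    log: list = field(default_factory=list)     # what -j LOG would write

    def run_chain(self, chain, pkt):
        # Walk one chain: LOG is non-terminating, the chain policy is ACCEPT.
        for match, target in self.rules.get(chain, []):
            if match(pkt):
                if target == "LOG":
                    self.log.append(f"{chain}: {pkt.src}->{pkt.dst}")
                    continue
                return target
        return "ACCEPT"

    def receive(self, pkt):
        # Return (chains traversed, verdict) for a packet seen on an interface.
        path = ["PREROUTING"]
        if pkt.dst in self.local_ips:       # routing decision: local delivery
            path.append("INPUT")
            return path, self.run_chain("INPUT", pkt)
        if not self.ip_forward:             # not ours, and the box does not forward
            return path, "DROP (routing: forwarding disabled)"
        path.append("FORWARD")
        verdict = self.run_chain("FORWARD", pkt)
        if verdict != "DROP":
            path.append("POSTROUTING")      # accepted packets get re-emitted
        return path, verdict

def demo(ip_forward):
    # Constructed sample: an fwsnort-style content match, loaded into both
    # INPUT and FORWARD, and two requests for /secret.txt seen on the SPAN port.
    hit = lambda p: b"GET /secret.txt" in p.payload
    sig = [(hit, "LOG"), (hit, "DROP")]
    box = Box({"10.0.0.2"}, ip_forward, {"INPUT": sig, "FORWARD": sig})
    to_box = box.receive(Packet("10.0.0.9", "10.0.0.2", b"GET /secret.txt"))
    mirrored = box.receive(Packet("10.0.0.9", "10.0.0.3", b"GET /secret.txt"))
    return to_box, mirrored, list(box.log)
```

Once forwarding is on, anything FORWARD accepts continues to POSTROUTING and is sent out again, so a box watching a SPAN port should end its FORWARD chain with a DROP so it never reinjects copies of mirrored traffic. On a real kernel, strict rp_filter on the SPAN interface can also discard mirrored packets at the routing decision before any FORWARD rule runs.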


