RE: Iptables rule on span traffic

The objective is to block "bad traffic" with the Linux box running iptables rules not being inline (but able to see the relevant traffic off of a span port). Essentially, achieve what fwsnort/iptables does for IPS (not just IDS), but without being inline. Logging the "bad traffic" is only incidental.

Siva

-----Original Message-----
From: hareram [mailto:hareram@xxxxxxxxxx] 
Sent: Wednesday, April 25, 2007 6:56 PM
To: Krishnamoorthy (Siva) Sivakumar
Subject: Re: Iptables rule on span traffic

Hi


I got your explanation.

What is the objective to achieve?
Only port mirror traffic and log it to the Linux box?

Or are you looking for some IPS/IDS? Does the Linux box do only logging?
Or are you looking to route the traffic?

If you are looking at statistics only on this box,
look at NTOP; it will give you better than this.

ram
----- Original Message ----- 
From: "Krishnamoorthy (Siva) Sivakumar" <ksivakumar@xxxxxxxxxxxxxxxx>
To: "hareram" <hareram@xxxxxxxxxx>
Sent: Thursday, April 26, 2007 3:35 AM
Subject: RE: Iptables rule on span traffic



The switch is a DELL PowerConnect 2708 switch with 8 ports. Ports 1-4 are 
mirrored onto port 8 (where eth0 is connected). Port 1 is connected to a 
10.0.3.10 machine. Ports 2 and 4 are connected to two 10.0.4.* machines. The rest 
of the ports are unused.


Here is a little ASCII art of the connections.

----------------------------------
|                                |
|   eth0 (11.0.3.91)             |<------->  Span port
|                                |
|   Machine running iptables     |
|                                |
|   eth1 (10.0.3.12)             |<------->  Regular switch port
|                                |
|                                |
----------------------------------

I enabled IP forwarding using:
echo 1 > /proc/sys/net/ipv4/ip_forward

Before doing that, I ran the following shell script to load the iptables 
rules.

#######################
# $IPTABLES and the FWSNORT_FORWARD / FWSNORT_INPUT chains are assumed to be
# defined earlier in the fwsnort-generated script.

# Log, then reset, HTTP requests whose payload contains ".txt" (forwarded traffic).
$IPTABLES -A FWSNORT_FORWARD -p tcp --dport 80 -m string --string ".txt" --algo bm \
    -m comment --comment "msg: test; FWS:0.9.0;" \
    -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID1000002 "

$IPTABLES -A FWSNORT_FORWARD -p tcp --dport 80 -m string --string ".txt" --algo bm \
    -j REJECT --reject-with tcp-reset

# Same pair of rules for traffic addressed to this box itself.
$IPTABLES -A FWSNORT_INPUT -p tcp --dport 80 -m string --string ".txt" --algo bm \
    -m comment --comment "msg: test; FWS:0.9.0;" \
    -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID1000002 "

$IPTABLES -A FWSNORT_INPUT -p tcp --dport 80 -m string --string ".txt" --algo bm \
    -j REJECT --reject-with tcp-reset

# Catch-all: anything that came in from the span port and was not rejected
# above must not be forwarded back out, or it would loop.
$IPTABLES -A FWSNORT_FORWARD -p all -j DROP
######################

I added the last rule at the end so that any packet forwarded from the span 
port and not caught (and rejected) by the earlier rules does not actually 
make it out of the other interface, causing an infinite loop.

It still seems like the iptables rules have no effect on the traffic on eth0 
(connected to the span port) but only on eth1. There was no TCP reset sent in 
response to accessing a .txt file, nor was there a corresponding log entry 
when I checked using the dmesg command.

For traffic directed at the machine on eth1, there was both a log entry and a TCP 
reset.

If anyone has any ideas to try, please let me know.

Siva

-----Original Message-----
From: hareram [mailto:hareram@xxxxxxxxxx]
Sent: Monday, April 23, 2007 3:35 AM
To: Krishnamoorthy (Siva) Sivakumar
Subject: Re: Iptables rule on span traffic

It also needs a proper config on the Cisco switch side.

Kindly post your switch config

and the connection diagram; then I will be able to give you a proper
deployment.

ram
----- Original Message ----- 
From: "Krishnamoorthy (Siva) Sivakumar" <ksivakumar@xxxxxxxxxxxxxxxx>
To: "Martijn Lievaart" <m@xxxxxxx>
Cc: <netfilter@xxxxxxxxxxxxxxxxxxx>; "Pascal Hambourg"
<pascal.mail@xxxxxxxxxxxxxxx>
Sent: Monday, April 23, 2007 11:11 AM
Subject: RE: Iptables rule on span traffic



-----Original Message-----
From: Martijn Lievaart [mailto:m@xxxxxxx]
Sent: Sunday, April 22, 2007 10:25 PM
To: Krishnamoorthy (Siva) Sivakumar
Cc: Pascal Hambourg; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Iptables rule on span traffic

Krishnamoorthy (Siva) Sivakumar wrote:
> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Pascal
> Hambourg
> Sent: Saturday, April 21, 2007 2:20 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Iptables rule on span traffic
>
> Hello,
>
> Krishnamoorthy (Siva) Sivakumar wrote:
>
>> When I run this rule, and try to access a .txt file (with a web
>> browser on a different machine) on the machine running the iptables, I
>> get a log message and the file access is blocked. However, if I try to
>> do the same but for a .txt file residing on a third machine (machine
>> running iptables is able to see the related packets on its interface
>> connected to the span port), I see no log or blocking.
>>
>
> As Cédric said, packets which are not destined to the box do not go
> through the INPUT chains. And since the box is not forwarding traffic,
> these packets are dropped at the input routing decision stage and do not
> go through the FORWARD chains either.
>
> [Siva:]
> Then is it true that for iptables rules to be effective (fwsnort-generated
> or otherwise), the machine must be "inline"? Is there no way to implement
> iptables rules on "mirrored" traffic?
>
> Siva
>
>

You could try to turn on forwarding and block all traffic that makes it
through the snort rules.

HTH,
M4

[Siva:]
Can you explain in more detail (sorry I am a novice)? How do you turn on
forwarding? Does this require the iptables machine to be inline (in addition
to a regular firewall/router that does the actual forwarding)?

Thanks,
Siva
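The practitioner's caveat behind this whole thread, as an added example that is not part of any of the posts: netfilter only sees packets the IP stack accepts, and the first filter is the Ethernet destination MAC, not the IP address. A frame copied out of a SPAN port still carries the MAC of the real destination host, so the kernel classifies it as PACKET_OTHERHOST and ip_rcv() discards it before PREROUTING, INPUT or FORWARD ever run; turning on ip_forward does not change that. The model below reproduces that decision for the thread's topology; all MAC addresses and the local IP set are constructed.

```python
# Added example (not from the thread): a small model of the Linux receive path
# showing which filter-table chains, if any, a received frame reaches.
PACKET_HOST, PACKET_BROADCAST, PACKET_MULTICAST, PACKET_OTHERHOST = (
    "host", "broadcast", "multicast", "otherhost")

def pkt_type(dst_mac: str, iface_mac: str) -> str:
    """Classify a frame the way eth_type_trans() does, from its destination MAC."""
    d = dst_mac.lower()
    if d == iface_mac.lower():
        return PACKET_HOST
    if d == "ff:ff:ff:ff:ff:ff":
        return PACKET_BROADCAST
    if int(d.split(":")[0], 16) & 1:      # group bit set in the first octet
        return PACKET_MULTICAST
    return PACKET_OTHERHOST

def chains_traversed(dst_mac, dst_ip, iface_mac, local_ips, ip_forward):
    """Filter-table chains an IPv4 packet goes through after arriving on iface."""
    t = pkt_type(dst_mac, iface_mac)
    if t == PACKET_OTHERHOST:
        # ip_rcv() drops PACKET_OTHERHOST before any netfilter hook, so a frame
        # addressed to another host's MAC never reaches INPUT or FORWARD.
        return []
    if t == PACKET_BROADCAST or dst_ip in local_ips:
        return ["INPUT"]
    if ip_forward:
        return ["FORWARD"]
    return []   # routing decision: not local and forwarding is off -> dropped

# Constructed addresses for the topology in the thread.
BOX_ETH0 = "02:00:00:00:00:01"    # 11.0.3.91, plugged into the SPAN port
BOX_ETH1 = "02:00:00:00:00:02"    # 10.0.3.12, regular switch port
HOST_3_10 = "02:00:00:00:00:10"   # the 10.0.3.10 web server on mirrored port 1
BOX_IPS = {"11.0.3.91", "10.0.3.12"}

def demo(ip_forward=True):
    """A mirrored HTTP request to 10.0.3.10 versus a request to the box on eth1."""
    mirrored = chains_traversed(HOST_3_10, "10.0.3.10", BOX_ETH0, BOX_IPS, ip_forward)
    direct = chains_traversed(BOX_ETH1, "10.0.3.12", BOX_ETH1, BOX_IPS, ip_forward)
    return {"mirrored": mirrored, "direct": direct}

if __name__ == "__main__":
    print(demo())   # {'mirrored': [], 'direct': ['INPUT']}
```

A promiscuous-mode sniffer such as tcpdump or snort does see the mirrored frames because it taps them below the IP layer, which is why the same traffic is visible for IDS logging yet untouchable by iptables unless the box is inline.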
