Hi everyone, please, I need your help. I'm new at using Linux and iptables. I'm doing a simulation such as "honeypots" to protect web and mail servers. My project looks like this and is composed of: a web and mail server host on CentOS 5 (IP 192.168.22.21), which has no problem; a 2nd host, Debian 4.0, where I run a web and mail server on UML (tap0 192.168.0.20) with a Fedora 7 filesystem (IP 192.168.0.30) without problem, a NIC (IP 192.168.22.22) to connect to the CentOS 5 server, and finally another NIC (IP 192.168.240.22) to simulate attacks on the web/mail server on the UML honeypot.

Project Honeynet suggests data control with IPTABLES. My firewall is going to be the Debian 4.0 host, to protect the CentOS 5 server as well as the UML honeypot, but I've not been able to set up iptables. I used Oskar Andreasson's guide translated into Spanish (because I'm Ecuadorian; if someone knows Spanish I would be thankful), and used the next script, which is adjusted to my project:

#############################################
#!/bin/sh
#
# 1. Configuration options.
#
iptables -F
iptables -X
iptables -Z
#
# 1.1 Internet configuration.
#
INET_IP="192.168.240.0/24"
INET_IFACE="eth0"
#
# 1.2 Honeypot network configuration.
#
HON_MAIL_IP="192.168.0.30"
HON_HTTP_IP="192.168.0.30"
HON_DNS_IP="192.168.0.20"
HON_IP="192.168.0.20"
HON_IFACE="tap0"
#
# 1.3 DMZ configuration. SERVERS
#
ser_MAIL_IP="192.168.22.21"
ser_HTTP_IP="192.168.22.21"
ser_DNS_IP="192.168.22.21"
ser_IP="192.168.22.22"
ser_IFACE="eth1"
#
# 1.4 Localhost configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
# 1.5 IPTables configuration.
#
IPTABLES="/sbin/iptables"
#
# 2. Module loading.
#
# Needed for the initial module load.
#
/sbin/depmod -a
#
# 2.1 Required modules.
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
# 2.2 Non-required modules.
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
###########################################################################
#
# 3. /proc configuration.
#
# 3.1 Required proc configuration.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# 3.2 Non-required proc configuration.
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###########################################################################
#
# 4. Rules set up.
#
######
# 4.1 Filter table.
#
# 4.1.1 Set policies.
#
# NOTE: with INPUT policy ACCEPT, anything that reaches the end of the INPUT
# chain is accepted, so the "packet died" LOG rule at the end of INPUT only
# reports those packets, it does not drop them.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD ACCEPT
#
# 4.1.2 Create user-defined chains.
#
# Create a chain for bad TCP packets.
#
$IPTABLES -N bad_tcp_packets
#####################
#
# Create separate chains for ICMP, TCP and UDP packets.
#
$IPTABLES -N allowed
$IPTABLES -N icmp_packets
#
# 4.1.3 Create content in the user-defined chains.
#
# bad_tcp_packets chain.
#
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
  --log-level DEBUG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# "allowed" chain.
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules.
#
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# 4.1.4 INPUT chain.
#
# Bad TCP packets we don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Packets from the Internet to this box.
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# Packets from the LAN, DMZ or localhost.
#############
#
$IPTABLES -A INPUT -p ALL -i $ser_IFACE -d $ser_IP -j ACCEPT
#
#
$IPTABLES -A INPUT -p ALL -i $HON_IFACE -d $HON_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $HON_IFACE -d $HON_DNS_IP -j ACCEPT
#$IPTABLES -A INPUT -p ALL -i $HON_IFACE -d $HON_BROADCAST_ADDRESS -j ACCEPT
#
# From the localhost interface to the localhost IP.
#
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $HON_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $ser_IP -j ACCEPT
#
# Special rule for DHCP requests from the LAN, which would otherwise not be
# handled correctly.
#
#$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
#
# All packets that have established a connection, and all packets related to
# them, coming from the Internet to the firewall.
#
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
#
##############################
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -d $HON_DNS_IP \
  --dport 53 -j allowed
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d $HON_DNS_IP \
  --dport 53 -j ACCEPT
############################################
# Log odd packets that did not match anything above.
#
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# 4.1.5 FORWARD chain.
#
# Bad TCP packets we don't want.
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# DMZ section.
#
# General rules.
#
$IPTABLES -A FORWARD -i $ser_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $ser_IFACE -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $HON_IFACE -o $ser_IFACE -j ACCEPT
#$IPTABLES -A FORWARD -i $ser_IFACE -o $HON_IFACE -m state \
#  --state ESTABLISHED,RELATED -j ACCEPT
#
# HTTP server.
#
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $ser_IFACE -d $ser_HTTP_IP \
  --dport 80 -j allowed
# Replies from the web server back to the Internet segment. This was
# "-d $INET_IFACE" (an interface name, not an address), which iptables
# rejects, so the rule was never loaded; it must be the network, $INET_IP.
$IPTABLES -A FORWARD -p TCP -i $ser_IFACE -o $INET_IFACE -d $INET_IP \
  --sport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $ser_IFACE -d $ser_HTTP_IP \
  -j icmp_packets
#
# DNS server.
#
#################
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $ser_IFACE -d $ser_DNS_IP \
  --dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $ser_IFACE -d $ser_DNS_IP \
  --dport 53 -j ACCEPT
# Same fix as above: "-d $INET_IFACE" replaced by "-d $INET_IP".
$IPTABLES -A FORWARD -p UDP -i $ser_IFACE -o $INET_IFACE -d $INET_IP \
  --sport 53 -j ACCEPT
# MAIL SERVER
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $ser_IFACE -d $ser_MAIL_IP \
  --dport 25 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $ser_IFACE -d $ser_MAIL_IP \
  --dport 143 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $ser_IFACE -d $ser_MAIL_IP \
  --dport 110 -j allowed
#
# HON section (local network).
#
# General rules.
#
$IPTABLES -A FORWARD -i $HON_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $HON_IFACE -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
#$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
#  --state ESTABLISHED,RELATED -j ACCEPT
#
# HTTP server.
#
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $HON_IFACE -d $HON_HTTP_IP \
  --dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $HON_IFACE -d $HON_HTTP_IP \
  -j icmp_packets
#
# DNS server.
#
# MAIL SERVER
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $HON_IFACE -d $HON_MAIL_IP \
  --dport 25 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $HON_IFACE -d $HON_MAIL_IP \
  --dport 143 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $HON_IFACE -d $HON_MAIL_IP \
  --dport 110 -j allowed
#
# 4.1.6 OUTPUT chain.
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP addresses are allowed.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $HON_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $ser_IP -j ACCEPT
#
# Log odd packets that did not match anything above.
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
######

But when I use a Windows host (IP 192.168.240.23, to simulate the Internet) and request the local page on the servers, I can't obtain any reply from the servers. In the system logs I read:

##########################
Dec 18 19:12:53 project kernel: IPT INPUT packet died: IN=eth0 OUT= MAC= SRC=192.168.240.22 DST=192.168.240.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Dec 18 17:58:04 project kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:91:22:1d:1a:08:00 SRC=192.168.240.23 DST=192.168.240.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=615 PROTO=UDP SPT=137 DPT=137 LEN=58
########################

And I can't set up iptables and filter the packets. Please help me. I configured Snort to capture data, but while iptables doesn't function I can't prove it. Neither the mail server nor the web server replies when it is established. I want to simulate attacks from IP 192.168.240.0/24, and I want to use Nessus. Do you think it is a good option to simulate attacks on web/mail servers? Or is there another alternative,
such as scripts or programs?

Greetings,
Diego Ramos V.
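An added example, not from the post or from the netfilter project, that parses the "IPT INPUT packet died" kernel lines quoted above and classifies each one against the addresses given in the post (this is how a defender would check whether the logged packets are really the missing HTTP traffic or only LAN noise). The first two sample lines are the ones in the post; the third line, and the FORWARD prefix it carries, are constructed for the demonstration.

```python
import re
from ipaddress import ip_address, ip_network

# Addresses taken from the post: the protected CentOS server, the UML honeypot
# and the 192.168.240.0/24 segment that stands in for the Internet.
SERVERS = {"192.168.22.21": "centos web/mail server", "192.168.0.30": "uml honeypot"}
INET_NET = ip_network("192.168.240.0/24")
PORT_NAMES = {25: "smtp", 53: "dns", 80: "http", 110: "pop3", 137: "netbios-ns", 143: "imap"}

LOG_RE = re.compile(r"IPT (?P<chain>\w+) packet died: (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_ipt_log(line):
    """Split one 'IPT <CHAIN> packet died:' line into its key=value fields.
    Flag-only tokens (DF, SYN) are skipped; of the two LEN fields the first one,
    the IP total length, is kept."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"CHAIN": m.group("chain")}
    for key, value in FIELD_RE.findall(m.group("rest")):
        fields.setdefault(key, value)
    return fields

def triage(line):
    """Classify a logged packet as LAN noise, traffic for a server, or for the gateway."""
    f = parse_ipt_log(line)
    if f is None:
        return None
    dst = ip_address(f["DST"])
    port = int(f["DPT"]) if "DPT" in f else None
    if dst == INET_NET.broadcast_address:
        # Broadcast on the gateway's own segment (here NetBIOS name queries from
        # the Windows host): never addressed to a server, so unrelated to the
        # missing HTTP replies. With INPUT policy ACCEPT it was only logged, not dropped.
        verdict = "noise"
    elif str(dst) in SERVERS:
        verdict = "server:" + SERVERS[str(dst)]
    else:
        verdict = "gateway"
    return {"chain": f["CHAIN"], "src": f["SRC"], "dst": str(dst), "proto": f.get("PROTO"),
            "service": PORT_NAMES.get(port, port), "verdict": verdict}

# Lines 1-2 are quoted from the post; line 3 is constructed to show a forwarded HTTP
# request as it would look if a LOG rule with the same prefix style were in FORWARD.
SAMPLE_LOG = [
    "Dec 18 19:12:53 project kernel: IPT INPUT packet died: IN=eth0 OUT= MAC= SRC=192.168.240.22 DST=192.168.240.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=76",
    "Dec 18 17:58:04 project kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:91:22:1d:1a:08:00 SRC=192.168.240.23 DST=192.168.240.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=615 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Dec 18 18:00:00 project kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=192.168.240.23 DST=192.168.22.21 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=700 DF PROTO=TCP SPT=1052 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
]
```

Running `triage` over `SAMPLE_LOG` marks both quoted lines as "noise" (UDP 137 broadcasts to 192.168.240.255) and only the constructed line as traffic for the CentOS server.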