Honeypots mailing list archives
Re: Bridging firewalls, honeynet.org rc.firewall, and UML honeypots
From: Jeff Bryner <jbryner1 () yahoo com>
Date: Fri, 12 Nov 2004 12:50:43 -0800 (PST)
Mike, this doesn't directly address your problem. But maybe it will give a hint as to what else to try?

I just completed a honeypot foray using gentoo as you describe. I used the following firewall configuration guidelines:

http://www.honeynet.org/tools/dcontrol/rc.firewall
http://www.sns.ias.edu/~jns/security/iptables/rules.html
http://www.gentoo.org/doc/en/home-router-howto.xml

In my case, gentoo got a dhcp ip and routed everything to the honeypot. There was no limiting per protocol, just an overall limit. Here was my firewall script:

IPTables script:
Purpose: To allow inbound connections to the honeypot, while limiting outbound connections.
Source: Based on the honeynet.org script with additions from various iptables script repositories, man pages and experimentations.

#!/bin/bash
#my firewall script
PATH="/sbin:/usr/sbin:/usr/local/sbin:/bin"
set -x

#set default kernel parameters
#Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
#reverse path filter
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > "$f" ; done
#no smurf amplifier
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#default policies
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# The MODE variable tells the script to
# setup a bridge HoneyWall
# or a NATing HoneyWall.
MODE="nat"                          # "bridge" or "nat" (only the nat path is implemented below)
#PUBLIC_IP="xxx.xxx.xxx.xxx"        # the list of IPs the hackers will attack.
INET_IFACE="eth0"                   # Firewall Public interface
LAN_IFACE="eth1"                    # Firewall interface on internal network
LAN_BCAST_ADDRESS="192.168.1.255"   # IP Broadcast range for internal network
#QUEUE="yes"                        # Use experimental QUEUE support
QUEUE="no"                          # Do not use experimental QUEUE support

### Set the connection outbound limits for different protocols.
SCALE="day"          # second, minute, hour, etc.
OTHERRATE="100"      # Number of other IP connections per $SCALE
STOP_OUT="no"        # Set to yes if you don't want to allow any
                     # outbound connections. This setting will
                     # override all RATE options if set to 'yes'.
ALIAS_MASK="255.255.255.0"   # Network mask to be used alias
HPOT_IP="192.168.1.200"      # Space delimited list of Honeypot ips
                             # NOTE: MUST HAVE SAME NUMBER OF IPS AS
                             # PUBLIC_IP VARIABLE.

#interfaces up
ifconfig $INET_IFACE up
ifconfig $LAN_IFACE up

#########
# First, confirm that IPChains is NOT running. If
# it is running, clear the IPChains rules, remove the kernel
# module, and warn the end user.
lsmod | grep ipchain
IPCHAINS=$?
if [ "$IPCHAINS" = 0 ]; then
    echo ""
    echo "Dooh, IPChains is currently running! IPTables is required by"
    echo "the rc.firewall script. IPChains will be unloaded to allow"
    echo "IPTables to run. It is recommended that you permanently"
    echo "disable IPChains in the /etc/rc.d startup scripts and enable"
    echo "IPTables instead."
    ipchains -F
    rmmod ipchains
fi

#########
# Flush rules
#
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

#policy is to drop, so accept input from honeynet anything but pings...
iptables -I INPUT 1 -i $LAN_IFACE ! -p icmp -j ACCEPT

### Lets make sure our firewall can talk to itself
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#allow mail out from firewall so it can alert me..
iptables -A OUTPUT -p TCP -o $INET_IFACE --dport smtp -j ACCEPT

##limiting stuff
### Add iptables target LOG.
modprobe ipt_LOG
### Support for connection tracking of FTP and IRC.
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe iptable_nat

#syn flood protection
#4 packets per second max
iptables -N syn-flood
iptables -A INPUT -i $INET_IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "DROP SYN FLOOD: "
iptables -A syn-flood -j DROP

## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $INET_IFACE -p tcp ! --syn -m state --state NEW -j DROP

#add limiter chains
iptables -N otherHandler

#limit the honeypot outbound connections
LIMIT_IP=$HPOT_IP
if [ -z "$STOP_OUT" ] || [ "$STOP_OUT" != "yes" ]
then
    for host in ${LIMIT_IP}; do
        #
        # limit all protocols
        #
        iptables -A FORWARD -i $LAN_IFACE -m state --state NEW -m limit --limit ${OTHERRATE}/${SCALE} --limit-burst ${OTHERRATE} -s ${host} -j otherHandler
        # LOG prefixes are limited to 29 characters; the trailing space keeps
        # the prefix from running straight into the IN=/OUT= fields in syslog.
        iptables -A FORWARD -i $LAN_IFACE -m state --state NEW -m limit --limit 1/${SCALE} --limit-burst 1 -s ${host} -j LOG --log-prefix "Drop other after ${OTHERRATE}: "
        iptables -A FORWARD -i $LAN_IFACE -m state --state NEW -s ${host} -j DROP
    done

    # This portion of the script will ensure that established or related
    # connections that were allowed, continue to work. If these lines
    # are not here, only the first packet of each connection that hasn't
    # reached the limit will be allowed in because we are dropping
    # all outbound connections by default.
    if test "$QUEUE" = "yes"
    then
        iptables -A FORWARD -i $LAN_IFACE -m state --state RELATED,ESTABLISHED -j QUEUE
    fi
    iptables -A FORWARD -i $LAN_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT

    #
    # otherHandler - every new outbound connection under the limit lands here:
    # log it, hand it to userspace via QUEUE if enabled, then accept it.
    #
    iptables -A otherHandler -j LOG --log-prefix "OUTBOUND CONN OTHER: "
    if test "$QUEUE" = "yes"
    then
        iptables -A otherHandler -j QUEUE
    fi
    iptables -A otherHandler -j ACCEPT
fi # STOP_OUT

#Finally we add the rules for NAT per gentoo
#
iptables -I FORWARD -i $LAN_IFACE -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i $LAN_IFACE -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i $INET_IFACE -d 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

#send the nasty internet to our poor honeypot
iptables -t nat -I PREROUTING -p tcp -i $INET_IFACE -j DNAT --to 192.168.1.200
iptables -t nat -I PREROUTING -p udp -i $INET_IFACE -j DNAT --to 192.168.1.200
iptables -t nat -I PREROUTING -p icmp -i $INET_IFACE -j DNAT --to 192.168.1.200

Hope that helps,

=====
Jeff
=====
"Even though they let him live in their basement and wear black tee shirts, Jeff Minor is still angry with his parents."
--mens room graffiti at conans pub 39th and hawthorne, portland, oregon
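The script above only tells you that connections are being logged; the value of a honeywall comes from reading those logs, since a honeypot that starts initiating connections is the usual sign it has been compromised. The following is an added example, not code from Jeff's post or from honeynet.org: it parses the kernel LOG lines the three LOG rules in the script produce (the `--log-prefix` strings are taken from the script; the syslog lines, hostnames and addresses are constructed for illustration), counts allowed outbound connections per honeypot and per destination, and produces the events an operator would want mailed out. The last sample line shows what happens when a prefix has no trailing space: it runs straight into the `IN=` field, which the parser tolerates.

```python
"""Summarise the kernel LOG lines a honeywall like the one in the post emits.
Added example, not code from the post; the syslog lines are constructed and
only the --log-prefix strings come from the script."""
import re
from collections import Counter

# Constructed sample of what syslog records from the script's three LOG rules
# (iptables prints the prefix, then the IN=/OUT=/SRC=/DST=... fields).
SAMPLE_LOG = """\
Nov 12 12:50:43 honeywall kernel: OUTBOUND CONN OTHER: IN=eth1 OUT=eth0 SRC=192.168.1.200 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40001 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 12:50:44 honeywall kernel: OUTBOUND CONN OTHER: IN=eth1 OUT=eth0 SRC=192.168.1.200 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 12:50:45 honeywall kernel: OUTBOUND CONN OTHER: IN=eth1 OUT=eth0 SRC=192.168.1.200 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=UDP SPT=5353 DPT=53 LEN=28
Nov 12 12:50:46 honeywall kernel: OUTBOUND CONN OTHER: IN=eth1 OUT=eth0 SRC=192.168.1.200 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Nov 12 12:51:00 honeywall kernel: DROP SYN FLOOD: IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=5 DF PROTO=TCP SPT=1234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 12:55:10 honeywall kernel: Drop other after 100 attemptsIN=eth1 OUT=eth0 SRC=192.168.1.200 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=6 DF PROTO=TCP SPT=40100 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# The prefix is everything between "kernel: " and the IN= field; \s* lets a
# prefix without a trailing space (fused into "IN=") still parse. SPT/DPT are
# optional because ICMP log lines carry TYPE/CODE instead of ports.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>.*?)\s*IN=(?P<in_if>\S*) OUT=(?P<out_if>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log(text):
    """Return one dict per iptables LOG line; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["prefix"] = rec["prefix"].rstrip(": ")
            records.append(rec)
    return records


def is_outbound(rec):
    """True for connections the otherHandler chain logged and accepted."""
    return rec["prefix"].startswith("OUTBOUND CONN")


def summarize(records):
    """Hits per LOG prefix, plus allowed outbound connections per honeypot and per destination."""
    outbound = [r for r in records if is_outbound(r)]
    return {
        "by_prefix": Counter(r["prefix"] for r in records),
        "per_src": Counter(r["src"] for r in outbound),
        "per_dest": Counter((r["dst"], r["proto"], r["dpt"] or "-") for r in outbound),
    }


def alerts(records):
    """Events worth the SMTP rule the script leaves open: the first connection a
    honeypot initiates, the outbound limit being reached, and inbound SYN floods."""
    out, seen = [], set()
    for r in records:
        if is_outbound(r) and r["src"] not in seen:
            seen.add(r["src"])
            out.append(f"honeypot {r['src']} initiated its first outbound connection "
                       f"to {r['dst']} {r['proto']}/{r['dpt'] or '-'}")
        elif r["prefix"].startswith("Drop other"):
            out.append(f"outbound limit reached for honeypot {r['src']}; "
                       "further new connections are being dropped")
        elif r["prefix"].startswith("DROP SYN FLOOD"):
            out.append(f"SYN flood from {r['src']} dropped on {r['in_if']}")
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    s = summarize(recs)
    for prefix, n in s["by_prefix"].items():
        print(f"{n:4d}  {prefix}")
    for (dst, proto, dpt), n in s["per_dest"].most_common():
        print(f"{n:4d}  -> {dst} {proto}/{dpt}")
    for a in alerts(recs):
        print("ALERT:", a)
```

Feed it the real kernel log instead of SAMPLE_LOG (for example the output of `grep kernel /var/log/messages`) and the per-destination table doubles as a quick view of where a compromised honeypot is trying to reach; with SCALE set to "day" the "Drop other" line is the signal that the OTHERRATE budget has been spent.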
Current thread:
- Bridging firewalls, honeynet.org rc.firewall, and UML honeypots Mike Tremoulet (Nov 10)
- Re: Bridging firewalls, honeynet.org rc.firewall, and UML honeypots Jeff Bryner (Nov 13)
- <Possible follow-ups>
- Re: Bridging firewalls, honeynet.org rc.firewall, and UML honeypots no-ctrl (Nov 17)
- Re: Bridging firewalls, honeynet.org rc.firewall, and UML honeypots Mike Tremoulet (Nov 17)