Honeypots mailing list archives

Re: Bridging firewalls, honeynet.org rc.firewall, and UML honeypots


From: Jeff Bryner <jbryner1 () yahoo com>
Date: Fri, 12 Nov 2004 12:50:43 -0800 (PST)

Mike, this doesn't directly address your problem. But maybe it will
give a hint as to what else to try? 

I just completed a honeypot foray using gentoo as you describe. 
I used the following firewall configuration guidelines
http://www.honeynet.org/tools/dcontrol/rc.firewall
http://www.sns.ias.edu/~jns/security/iptables/rules.html
http://www.gentoo.org/doc/en/home-router-howto.xml

In my case, gentoo got a dhcp ip and routed everything to the honeypot.
There was no limiting per protocol, just an overall limit. Here was my
firewall script: 

IPTables script:
Purpose: To allow inbound connections to the honeypot, while limiting
outbound connections.
Source: Based on the honeynet.org script with additions from various
iptables script repositories, man pages and experimentations.

#!/bin/bash
#my firewall script

PATH="/sbin:/usr/sbin:/usr/local/sbin:/bin"
set -x

#set default kernel parameters
#Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
#reverse path filter
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > "$f" ; done
#no smurf amplifier
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#default policies
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# The MODE variable tells the script to setup a bridge HoneyWall
# or a NATing HoneyWall.  (Kept from the honeynet.org script; only the
# NAT case is implemented below.)
MODE="nat"                              #MODE="bridge" or "nat"
#PUBLIC_IP="xxx.xxx.xxx.xxx"            # the list of IPs the hackers will attack.
INET_IFACE="eth0"                       # Firewall Public interface
LAN_IFACE="eth1"                        # Firewall interface on internal network
LAN_BCAST_ADDRESS="192.168.1.255"       # IP Broadcast range for internal network
#QUEUE="yes"            # Use experimental QUEUE support
QUEUE="no"              # Do not use experimental QUEUE support
### Set the connection outbound limits for different protocols.
SCALE="day"             # second, minute, hour, etc.
OTHERRATE="100"         # Number of NEW outbound connections (any protocol) per $SCALE
STOP_OUT="no"           # Set to yes if you don't want to allow any
                        # outbound connections.  This setting will
                        # override all RATE options if set to 'yes'.
ALIAS_MASK="255.255.255.0"         # Network mask to be used alias
HPOT_IP="192.168.1.200"            # Space delimited list of Honeypot ips
                                   # NOTE: MUST HAVE SAME NUMBER OF IPS AS
                                   # PUBLIC_IP VARIABLE.
#interfaces up
ifconfig $INET_IFACE up
ifconfig $LAN_IFACE up

#########
# First, confirm that IPChains is NOT running.  If
# it is running, clear the IPChains rules, remove the kernel
# module, and warn the end user.

if lsmod | grep -q ipchain; then
  echo ""
  echo "Dooh, IPChains is currently running! IPTables is required by"
  echo "the rc.firewall script. IPChains will be unloaded to allow"
  echo "IPTables to run.  It is recommended that you permanently"
  echo "disable IPChains in the /etc/rc.d startup scripts and enable"
  echo "IPTables instead."
  ipchains -F
  rmmod ipchains
fi

#########
# Flush rules
#
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

#policy is to drop, so accept input from honeynet anything but pings...
# (note this lets the honeypot reach any service listening on the firewall itself)
iptables -I INPUT 1 -i $LAN_IFACE ! -p icmp -j ACCEPT

### Lets make sure our firewall can talk to itself
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


#allow mail out from firewall so it can alert me..
# (OUTPUT policy is already ACCEPT; this just makes the intent explicit)
iptables -A OUTPUT -p tcp -o $INET_IFACE --dport smtp -j ACCEPT

##limiting stuff
### Add iptables target LOG.
modprobe ipt_LOG

### Support for connection tracking of FTP and IRC.
### (2.4 / early 2.6 module names; later kernels call these nf_conntrack_ftp / nf_conntrack_irc)
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe iptable_nat



#syn flood protection for the firewall's own INPUT chain (traffic to the
# honeypot is DNATed in PREROUTING and goes through FORWARD instead):
# average 1 SYN per second, bursts of up to 4
iptables -N syn-flood
iptables -A INPUT -i $INET_IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "DROP SYN FLOOD: "
iptables -A syn-flood -j DROP

## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $INET_IFACE -p tcp ! --syn -m state --state NEW -j DROP

#add limiter chains
iptables -N otherHandler


#limit the honeypot outbound connections
LIMIT_IP=$HPOT_IP

if [ -z "$STOP_OUT" ] || [ "$STOP_OUT" != "yes" ]
then
   for host in ${LIMIT_IP}; do

#
#  limit all protocols: NEW connections from the honeypot go to otherHandler
#  while under OTHERRATE per SCALE.  The limit bucket starts full, so the
#  first OTHERRATE connections are allowed at once; after that they trickle
#  in at the average rate.  Over the limit: log (at most once per SCALE) and drop.
#
      iptables -A FORWARD -i $LAN_IFACE -m state --state NEW -m limit \
         --limit ${OTHERRATE}/${SCALE} --limit-burst ${OTHERRATE} -s ${host} -j otherHandler
      iptables -A FORWARD -i $LAN_IFACE -m state --state NEW -m limit \
         --limit 1/${SCALE} --limit-burst 1 -s ${host} -j LOG \
         --log-prefix "Drop other after ${OTHERRATE} attempts"
      iptables -A FORWARD -i $LAN_IFACE -m state --state NEW -s ${host} -j DROP
   done

# This portion of the script will ensure that established or related
#    connections that were allowed, continue to work.  If these lines
#    are not here, only the first packet of each connection that hasn't
#    reached the limit will be allowed in because we are dropping
#    all outbound connections by default.
   if test "$QUEUE" = "yes"
      then
      iptables -A FORWARD -i $LAN_IFACE -m state --state RELATED,ESTABLISHED -j QUEUE
   fi
   iptables -A FORWARD -i $LAN_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT



#
# otherHandler - log the allowed outbound connection, optionally hand it
# to userspace via QUEUE, then accept it.
#
   iptables -A otherHandler -j LOG --log-prefix "OUTBOUND CONN OTHER: "
   if test "$QUEUE" = "yes"
      then
      iptables -A otherHandler -j QUEUE
   fi
   iptables -A otherHandler -j ACCEPT
fi # STOP_OUT




#Finally we add the rules for NAT per gentoo.  These are appended AFTER the
# limiter, so NEW connections from $HPOT_IP never reach the blanket ACCEPT
# (the limiter block ends in DROP).  Any other host in 192.168.1.0/24 would
# be forwarded without limits, and without the guard below the blanket
# ACCEPT would also defeat STOP_OUT="yes".
# iptables -I FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j DROP
if [ "$STOP_OUT" != "yes" ]; then
   iptables -A FORWARD -i $LAN_IFACE -s 192.168.1.0/255.255.255.0 -j ACCEPT
fi
iptables -A FORWARD -i $INET_IFACE -d 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE


#send the nasty internet to our poor honeypot
# (single honeypot: every new tcp/udp/icmp connection arriving on the public
#  interface is DNATed to it; with several honeypots each PUBLIC_IP would
#  need its own DNAT rule)
iptables -t nat -I PREROUTING -p tcp  -i $INET_IFACE -j DNAT --to-destination $HPOT_IP
iptables -t nat -I PREROUTING -p udp  -i $INET_IFACE -j DNAT --to-destination $HPOT_IP
iptables -t nat -I PREROUTING -p icmp -i $INET_IFACE -j DNAT --to-destination $HPOT_IP

Hope that helps,



=====
Jeff
=====
"Even though they let him live in their basement and wear black tee shirts, Jeff Minor is still angry with his parents."
--mens room graffiti at conans pub 39th and hawthorne, portland, oregon


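Added example, not part of Jeff's message and not the honeynet.org rc.firewall: a POSIX shell script that builds the same outbound limiter but with one quota per protocol (tcp, udp, icmp, other), which the honeynet script supports and the script above collapses into a single OTHERRATE. It has a dry-run mode (IPT=echo) so the generated rules can be read before they are loaded, and a helper that makes the limit match's behaviour concrete: the token bucket starts full, so `--limit 100/day --limit-burst 100` lets a compromised honeypot open 100 connections immediately and then one every 864 seconds. The interface names eth0/eth1, the honeypot address 192.168.1.200 and the rates are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or honeynet.org): outbound
# connection limiter for a NAT honeywall with one quota per protocol,
# plus a dry-run mode.  Interfaces, addresses and rates are assumptions.

IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of loading them
LAN_IFACE="${LAN_IFACE:-eth1}"  # honeypot-side interface (assumed)
SCALE="${SCALE:-day}"           # second | minute | hour | day

# Quotas as "proto:rate:burst": NEW connections per $SCALE, and how many are
# allowed at once before the average rate applies.  "other" carries no -p
# match and relies on being emitted last, after the tcp/udp/icmp blocks
# (each of which ends in DROP), so it only ever sees the remaining protocols.
RATES="${RATES:-tcp:20:5 udp:20:5 icmp:50:5 other:10:5}"

# refill_seconds RATE SCALE: seconds the limit bucket needs to earn one token.
# Once the burst is spent, the honeypot gets one NEW connection per interval.
refill_seconds() {
    rate=$1
    case $2 in
        second) per=1 ;;
        minute) per=60 ;;
        hour)   per=3600 ;;
        day)    per=86400 ;;
        *) echo "refill_seconds: bad scale '$2'" >&2; return 1 ;;
    esac
    echo $(( per / rate ))
}

# emit_limits HPOT_IP...: FORWARD rules that log+accept NEW outbound
# connections under quota and log+drop the rest, then let replies through.
# Must come before any blanket FORWARD ACCEPT for the honeypot subnet,
# otherwise the limiter is never consulted.
emit_limits() {
    $IPT -N outbound_ok 2>/dev/null || true   # chain may already exist
    $IPT -F outbound_ok
    $IPT -A outbound_ok -j LOG --log-prefix "OUTBOUND CONN: "
    $IPT -A outbound_ok -j ACCEPT
    for host in "$@"; do
        for spec in $RATES; do
            proto=${spec%%:*}; rest=${spec#*:}
            rate=${rest%%:*};  burst=${rest#*:}
            if [ "$proto" = other ]; then pm=""; else pm="-p $proto"; fi
            # $pm is left unquoted on purpose so it expands to zero or two words
            $IPT -A FORWARD -i "$LAN_IFACE" -s "$host" $pm -m state --state NEW \
                -m limit --limit "$rate/$SCALE" --limit-burst "$burst" -j outbound_ok
            $IPT -A FORWARD -i "$LAN_IFACE" -s "$host" $pm -m state --state NEW \
                -m limit --limit "1/$SCALE" --limit-burst 1 \
                -j LOG --log-prefix "OUTBOUND DROP $proto: "
            $IPT -A FORWARD -i "$LAN_IFACE" -s "$host" $pm -m state --state NEW -j DROP
        done
    done
    $IPT -A FORWARD -i "$LAN_IFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# apply_honeywall INET_IFACE HPOT_IP: policy, limiter, inbound path and NAT,
# in that order.  Single honeypot: everything arriving on INET_IFACE is DNATed.
apply_honeywall() {
    inet=$1; hpot=$2
    $IPT -P FORWARD DROP
    emit_limits "$hpot"
    $IPT -t nat -A PREROUTING -i "$inet" -j DNAT --to-destination "$hpot"
    $IPT -A FORWARD -i "$inet" -d "$hpot" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$inet" -j MASQUERADE
}

# Usage:  sh honeywall.sh dry-run      (print the rules; no root needed)
#         sh honeywall.sh apply        (load them; needs root and iptables)
case "${1:-}" in
    dry-run) IPT=echo; apply_honeywall eth0 192.168.1.200 ;;
    apply)   apply_honeywall eth0 192.168.1.200 ;;
esac
```

Run it with `dry-run` first and read the order of the FORWARD rules: the per-host limiter blocks, then RELATED,ESTABLISHED, and only then the inbound ACCEPT and NAT. If a blanket `-s 192.168.1.0/24 -j ACCEPT` is inserted ahead of the limiter, NEW connections from the honeypot match it first and the quota is never applied.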