[Oisf-users] nfq_set_mark question
kay
kay.diam at gmail.com
Fri Jul 27 09:57:13 EDT 2012
Dear Eric,
Finally I realized how to make dreams true with xtables-addons:
iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m set
--match-set honeypot src -j RAWDNAT --to-destination ${HONEYPOT}
iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m mark !
--mark 0x1/0x1 -j NFQUEUE --queue-num 0 --queue-bypass
iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m mark --mark
0x2/0xfe -j SET --add-set honeypot src
iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m mark --mark
0x2/0xfe -j RAWDNAT --to-destination ${HONEYPOT}
ipset create honeypot hash:ip timeout ${TIMEOUT}
On the honeypot we should add:
iptables -t rawpost -A POSTROUTING -p tcp -m tcp --sport 80 -j RAWSNAT
--to-source ${REALSERVER}
When traffic was redirected the web server on honeypot it gets invalid
packets without handshake and automatically tries to reestablish
connection (I don't know if it's RFC stuff) so client's web browser
doesn't show any error messages. This solution works like a charm!
Happy Sysadmin Day!
2012/7/11 Eric Leblond <eric at regit.org>:
> No, it just can't work. One solution could be to have suricata drop the
> malicious packet and trigger an alert. Then via a external tool you
> parse the alert and add the IP to a list of address which is nat. You
> can use ipset for instance.
More information about the Oisf-users
mailing list