[Oisf-users] nfq_set_mark question

Eric Leblond eric at regit.org
Fri Jul 27 14:06:54 UTC 2012


On Friday, 27 July 2012 at 17:57 +0400, kay wrote:
> Dear Eric,
> Finally I realized how to make dreams true with xtables-addons:

Nice to hear that !

> iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m set
> --match-set honeypot src -j RAWDNAT  --to-destination ${HONEYPOT}
> iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m mark !
> --mark 0x1/0x1 -j NFQUEUE --queue-num 0  --queue-bypass
> iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m mark --mark
> 0x2/0xfe -j SET --add-set honeypot src
> iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m mark --mark
> 0x2/0xfe -j RAWDNAT  --to-destination ${HONEYPOT}
> ipset create honeypot hash:ip timeout ${TIMEOUT}
> On the honeypot we should add:
> iptables -t rawpost -A POSTROUTING -p tcp -m tcp --sport 80 -j RAWSNAT
>  --to-source ${REALSERVER}
> When traffic was redirected to the web server on the honeypot, it got invalid
> packets without a handshake and automatically tried to re-establish the
> connection (I don't know if it's RFC stuff), so the client's web browser
> doesn't show any error messages. This solution works like a charm!

That's just too kind of the server! But this result is just great!
Thanks for letting us know.


> Happy Sysadmin Day!
> 2012/7/11 Eric Leblond <eric at regit.org>:
> > No, it just can't work. One solution could be to have suricata drop the
> > malicious packet and trigger an alert. Then via an external tool you
> > parse the alert and add the IP to a list of addresses which is NATed. You
> > can use ipset for instance.

Eric Leblond 
Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
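As an added example (not code from this thread or from Suricata), here is the external-tool approach Eric outlined earlier: parse Suricata fast.log alert lines and emit the `ipset add` commands that put alerting HTTP clients into the `honeypot` set the raw-table RAWDNAT rule matches on. The log lines, addresses (RFC 5737) and SIDs (local 1000000+ range) are constructed; the set name and timeout are assumed to match kay's `ipset create honeypot hash:ip timeout ${TIMEOUT}`.

```python
import ipaddress
import re
import shlex

# Constructed fast.log excerpt; in production these lines come from Suricata's fast.log.
SAMPLE_FASTLOG = """\
07/27/2012-14:05:01.123456  [**] [1:1000001:1] LOCAL web attack (constructed) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51234 -> 192.0.2.10:80
07/27/2012-14:05:02.654321  [**] [1:1000001:1] LOCAL web attack (constructed) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51235 -> 192.0.2.10:80
07/27/2012-14:05:03.000000  [**] [1:1000002:1] LOCAL ssh scan (constructed) [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 203.0.113.7:40000 -> 192.0.2.10:22
07/27/2012-14:05:04.000000  [**] [1:1000001:1] LOCAL web attack (constructed) [**] [Classification: Web Application Attack] [Priority: 1] {UDP} 203.0.113.9:5555 -> 192.0.2.10:80
"""

# One alert per line: "<ts>  [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport"
FASTLOG_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] .*"
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[0-9a-fA-F.:]+):\d+ -> (?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+)$"
)


def parse_fastlog(text):
    """Yield (sid, proto, src, dport) for every line that matches the fast.log format."""
    for line in text.splitlines():
        m = FASTLOG_RE.search(line.strip())
        if m:
            yield int(m["sid"]), m["proto"], m["src"], int(m["dport"])


def ipset_commands(text, set_name="honeypot", timeout=3600, dport=80):
    """Build 'ipset add' commands for TCP sources that alerted on the given port.
    Each source is listed once; -exist lets a repeated add succeed instead of failing
    (on a set created with a timeout it also refreshes that entry's timer)."""
    seen = set()
    cmds = []
    for _sid, proto, src, dst_port in parse_fastlog(text):
        if proto != "TCP" or dst_port != dport or src in seen:
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # never let an unparseable log field reach a shell command
        if ip.version != 4:
            continue  # 'hash:ip' created without 'family inet6' holds IPv4 only
        seen.add(src)
        cmds.append(f"ipset -exist add {shlex.quote(set_name)} {ip} timeout {int(timeout)}")
    return cmds


if __name__ == "__main__":
    for cmd in ipset_commands(SAMPLE_FASTLOG):
        print(cmd)  # pipe into sh on the firewall, or run via subprocess without shell=True
```

Only the first source qualifies on the sample: the second line is the same client, the third is port 22, and the fourth is UDP.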
