IDS-style use of psd

Rob Collins
Wed, 3 Oct 2001 15:13:23 -0700 (PDT)

Hi all,
I'm not a member of this list (probably shouldn't be,
I'm a lowly sysadmin/perl programmer), so please
respond to me directly.

I had the idea; wouldn't it be nice to be able to use
a rule like;
modprobe ip_queue
... -m psd -j QUEUE
and have a userspace application that wrote an
iptables rule to block that host.  I know snort +
swatch + script_on_the_firewall is a simple way to
accomplish the same thing, but I want to do this with
iptables itself.  

So, I know nothing about the internals of iptables, I
need help fleshing this idea out.  I need to know how
to register for packets with ip_queue.  

Assuming I get a binary dump of the packet, I can
figure out how to extract the source ip of that
packet.  And based on the destination ip, I can
determine the chain (not that that's necessary  --
probably want to block on both FORWARD and INPUT). 
From there it's just a `iptables -A <chain> -s <ip> -j
DROP` away from doing what I want.

"Experience is that marvelous thing that enables you to recognize a mistake when you make it again." -- F. P. Jones

Do You Yahoo!?
NEW from Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.