iptables promisc mode

R. DuFresne dufresne at sysinfo.com
Wed Nov 15 21:13:28 CET 2006

Hash: SHA1

On Wed, 15 Nov 2006, Magnus Månsson wrote:

> Hi, it seems like a couple of people have asked for this before but I havent 
> seen any answers.
> I want iptables to get packages that do not belong to the machine, packages 
> that are directed to others but came to me due to promisc mode. I have found 
> a patch from November 2001 that seems to do what I want but after manually 
> trying to patch it in my userspace utils segfaults. I am not a programmer so 
> no surprise I didnt manage. The old patch is here: 
> http://idea.hosting.lv/a/iptables-promisc/
> So, why do I want this? (maybe you can tell me that I should do it in another 
> way)
> I am having a routing switch that is mirroring the internet traffic into 2 
> interfaces in a linux machine, this machine is for example running ntop to 
> look at what people are doing (that they shouldnt do). One of the things I/we 
> are interested to find out is if people uses peer to peer protocols like 
> Direct Connect / Bittorrent. My idea was to solve this with iptables layer7 
> filter (l7-filter.sourceforge.net), ulogd and mysql. But since I cant build 
> ULOG rules that catch the packages I am stuck.
> The reason to choose iptables is that I can store all the information about 
> the protocols I am interested in. Ntop doesnt have the history that I want.
> I am very thankful for whatever help/directions I can get.

As long as the firewall machine that runs iptables is the gateway from the 
lan to the internet and vice versa, this is already happening, iptables 
sees all the traffic in both directions, and can act on it was well, layer 
4 and above.  Nothing to add, no patch required.  But, to have details in 
the logs of what is passing requires that you build and configure your 
rules properly, with log statements in your case being well defined and 
covering a number of common protocol ports.  One issue you will face is 
that most of the traffic you are trying to monitor, is not well defined 
nor restricted to any common ports, which is whyyou have faced issues in 
preventing the traffic and even with a layer 7 module.

Plan on having at least one person devoted to nothing but monitoring 
traffic and logs for sometime to get a handle on what your users are 

Of course common theory is that this kind of abuse is best handled at the 
HR level, a frewall is not the best place to hadle this kind of policy 


Ron DuFresne
- -- 
         admin & senior security consultant:  sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
Version: GnuPG v1.4.5 (GNU/Linux)


More information about the netfilter mailing list