iptables promisc mode
dufresne at sysinfo.com
Wed Nov 15 21:13:28 CET 2006
-----BEGIN PGP SIGNED MESSAGE-----
On Wed, 15 Nov 2006, Magnus Månsson wrote:
> Hi, it seems like a couple of people have asked for this before but I havent
> seen any answers.
> I want iptables to get packages that do not belong to the machine, packages
> that are directed to others but came to me due to promisc mode. I have found
> a patch from November 2001 that seems to do what I want but after manually
> trying to patch it in my userspace utils segfaults. I am not a programmer so
> no surprise I didnt manage. The old patch is here:
> So, why do I want this? (maybe you can tell me that I should do it in another
> I am having a routing switch that is mirroring the internet traffic into 2
> interfaces in a linux machine, this machine is for example running ntop to
> look at what people are doing (that they shouldnt do). One of the things I/we
> are interested to find out is if people uses peer to peer protocols like
> Direct Connect / Bittorrent. My idea was to solve this with iptables layer7
> filter (l7-filter.sourceforge.net), ulogd and mysql. But since I cant build
> ULOG rules that catch the packages I am stuck.
> The reason to choose iptables is that I can store all the information about
> the protocols I am interested in. Ntop doesnt have the history that I want.
> I am very thankful for whatever help/directions I can get.
As long as the firewall machine that runs iptables is the gateway from the
lan to the internet and vice versa, this is already happening, iptables
sees all the traffic in both directions, and can act on it was well, layer
4 and above. Nothing to add, no patch required. But, to have details in
the logs of what is passing requires that you build and configure your
rules properly, with log statements in your case being well defined and
covering a number of common protocol ports. One issue you will face is
that most of the traffic you are trying to monitor, is not well defined
nor restricted to any common ports, which is whyyou have faced issues in
preventing the traffic and even with a layer 7 module.
Plan on having at least one person devoted to nothing but monitoring
traffic and logs for sometime to get a handle on what your users are
Of course common theory is that this kind of abuse is best handled at the
HR level, a frewall is not the best place to hadle this kind of policy
admin & senior security consultant: sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the netfilter