* iptables and wireless card in promiscuous mode
@ 2004-11-30 12:53 Claudio Lavecchia
  2004-11-30 13:05 ` Cedric Blancher
  2004-11-30 23:21 ` Alistair Tonner
  0 siblings, 2 replies; 12+ messages in thread
From: Claudio Lavecchia @ 2004-11-30 12:53 UTC (permalink / raw)
  To: netfilter

Hello People,

I have a little question:

I have two laptops that have 802.11 wireless cards. I am developing an 
application that essentially performs sniffing functions using wireless 
cards in promiscuous mode. To test my code, I need those two laptops not 
to "see" each other (--> I do not want the wireless card of laptop A, 
which is operating in promiscuous mode, to process packets coming from 
laptop B) and I thought to do it using iptables. So on laptop A I added 
the following rule:

iptables -A INPUT -m mac --mac-source MAC_ADDRESS_LAPTOP_B -j DROP

and on laptop B I added the rule:

iptables -A INPUT -m mac --mac-source MAC_ADDRESS_LAPTOP_A -j DROP

I just executed my first tests and the feeling I got is that, for 
example, the wlan card of laptop B still passes through the packet 
coming from laptop A.

Can anyone confirm this analysis? If I am right, can anyone give me a 
hint to possibly work around this?

Thank you very much

Claudio



* Re: iptables and wireless card in promiscuous mode
  2004-11-30 12:53 iptables and wireless card in promiscuous mode Claudio Lavecchia
@ 2004-11-30 13:05 ` Cedric Blancher
  2004-11-30 23:21 ` Alistair Tonner
  1 sibling, 0 replies; 12+ messages in thread
From: Cedric Blancher @ 2004-11-30 13:05 UTC (permalink / raw)
  To: Claudio Lavecchia; +Cc: netfilter


> I have two laptops that have 802.11 wireless cards. I am developing an 
> application that essentially performs sniffing functions using wireless 
> cards in promiscuous mode. To test my code, I need those two laptops not 
> to "see" each other (--> I do not want the wireless card of laptop A, 
> which is operating in promiscuous mode, to process packets coming from 
> laptop B) and I thought to do it using iptables.

Promisc packet capture occurs before Netfilter filtering. So you can't
prevent a network adapter in promiscuous mode from sniffing given packets
using iptables. You must configure BPF to exclude the frames you don't
want to see.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



* RE: iptables and wireless card in promiscuous mode
@ 2004-11-30 15:38 Gary W. Smith
  0 siblings, 0 replies; 12+ messages in thread
From: Gary W. Smith @ 2004-11-30 15:38 UTC (permalink / raw)
  To: Claudio Lavecchia, netfilter

Try pre and post routing...  It might be a start



* Re: iptables and wireless card in promiscuous mode
  2004-11-30 12:53 iptables and wireless card in promiscuous mode Claudio Lavecchia
  2004-11-30 13:05 ` Cedric Blancher
@ 2004-11-30 23:21 ` Alistair Tonner
  2004-12-01 12:12   ` Claudio Lavecchia
  1 sibling, 1 reply; 12+ messages in thread
From: Alistair Tonner @ 2004-11-30 23:21 UTC (permalink / raw)
  To: netfilter

 see inlined:
 
On November 30, 2004 07:53 am, Claudio Lavecchia wrote:
> Hello People,
>
> I have a little question:
>
> I have two laptops that have 802.11 wireless cards. I am developing an
> application that essentially performs sniffing functions using wireless
> cards in promiscuous mode. To test my code, I need those two laptops not
> to "see" each other (--> I do not want the wireless card of laptop A,
> which is operating in promiscuous mode, to process packets coming from
> laptop B) and I thought to do it using iptables. So on laptop A I added
> the following rule:
>
> iptables -A INPUT -m mac --mac-source MAC_ADDRESS_LAPTOP_B -j DROP
>
> and on laptop B I added the rule:
>
> iptables -A INPUT -m mac --mac-source MAC_ADDRESS_LAPTOP_A -j DROP
>
> I just executed my first tests and the feeling I got is that, for
> example, the wlan card of laptop B still passes through the packet
> coming from laptop A.
>
> Can anyone confirm this analysis? If I am right, can anyone give me a
> hint to possibly work around this?

 Urrm.  
 You are likely doing the filtering in the wrong pipe.  These rules will only 
drop packets that are destined for the IP of the host they are on.  You 
PROBABLY are trying to drop *all* traffic from the other laptop.  Iptables 
can do this at the IP layer, however you will STILL be able to see the 
traffic across that card (from the other laptop) with any decent sniffer 
program since ip sniffers work below the IP layer, before iptables gets the 
packet to filter.  Most decent network sniffers, however, can do mac address 
filtering on input.

 If you would like to have the traffic dropped anyway, there are better places 
to put these rules, even though many are strongly against filtering anywhere 
but in the filter table (including myself) the following would get the 
traffic off your iptables radar:

iptables -A PREROUTING -t mangle -m mac --mac-source MAC_ADDRESS_LAPTOP_A -j DROP

 Although in truth I'm not sure that this is wise, it might serve your 
purposes.

 Alistair Tonner
 RSO HP Unix support 




* Re: iptables and wireless card in promiscuous mode
  2004-11-30 23:21 ` Alistair Tonner
@ 2004-12-01 12:12   ` Claudio Lavecchia
  2004-12-01 13:31     ` Jason Opperisano
  0 siblings, 1 reply; 12+ messages in thread
From: Claudio Lavecchia @ 2004-12-01 12:12 UTC (permalink / raw)
  To: Alistair Tonner; +Cc: netfilter

Well,

In fact I really wanted my WLAN card set in promiscuous mode to drop 
all the packets coming from the other laptop, this means that I wanted a 
filter BEFORE the promiscuous mode filter.
And by the way: how do I cancel a rule from the PREROUTING chain?
If I do the standard way, I get:

~ # iptables -D PREROUTING 1
iptables: No chain/target/match by that name

Thx

Claudio



* Re: iptables and wireless card in promiscuous mode
  2004-12-01 12:12   ` Claudio Lavecchia
@ 2004-12-01 13:31     ` Jason Opperisano
  0 siblings, 0 replies; 12+ messages in thread
From: Jason Opperisano @ 2004-12-01 13:31 UTC (permalink / raw)
  To: netfilter

On Wed, 2004-12-01 at 07:12, Claudio Lavecchia wrote:
> Well,
> 
> In fact I really wanted my WLAN card set in promiscuous mode to drop 
> all the packets coming from the other laptop, this means that I wanted a 
> filter BEFORE the promiscuous mode filter.

if that makes sense to you, or anyone else on this list--more power to
you.

> And by the way: how do I cancel a rule from the PREROUTING chain?
> If I do the standard way, I get:
> 
> ~ # iptables -D PREROUTING 1
> iptables: No chain/target/match by that name

first--you need to specify a chain (here you also need to specify a
table, as filter has no PREROUTING chain).  second--you need to specify
the whole rule.

a rule added with the command:

  iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 \
    -j DNAT --to-destination $WEB_SRV

must be deleted with the command:

  iptables -t nat -D PREROUTING -i $EXT_IF -p tcp --dport 80 \
    -j DNAT --to-destination $WEB_SRV

the other option would be to flush that chain and just add back the
rules you want to keep (if any), as is often done in scripts:

  iptables -t nat -F PREROUTING

  iptables -t nat -A PREROUTING ...

and lastly--you could:

  iptables-save > ipt.out
  vi ipt.out    # delete rule(s) you don't want any more
  iptables-restore < ipt.out

-j

--
"I'm having the best day of my life, and I owe it all to not going
 to Church!"
	--The Simpsons




* RE: iptables and wireless card in promiscuous mode
@ 2004-12-01 13:34 Scott Knake
  2004-12-01 13:52 ` Claudio Lavecchia
  2004-12-01 14:34 ` Claudio Lavecchia
  0 siblings, 2 replies; 12+ messages in thread
From: Scott Knake @ 2004-12-01 13:34 UTC (permalink / raw)
  To: netfilter


iptables -t mangle -D PREROUTING 1
It was also mentioned earlier to configure BPF to drop the undesired
packets.. what is wrong with this solution?

>Well,
>
>In fact I really wanted my WLAN card set in promiscuous mode to drop
>all the packets coming from the other laptop, this means that I wanted a
>filter BEFORE the promiscuous mode filter.
>And by the way: how do I cancel a rule from the PREROUTING chain?
>If I do the standard way, I get:
>
>~ # iptables -D PREROUTING 1
>iptables: No chain/target/match by that name
>
>Thx
>
>Claudio

* Re: iptables and wireless card in promiscuous mode
  2004-12-01 13:34 Scott Knake
@ 2004-12-01 13:52 ` Claudio Lavecchia
  2004-12-01 14:34 ` Claudio Lavecchia
  1 sibling, 0 replies; 12+ messages in thread
From: Claudio Lavecchia @ 2004-12-01 13:52 UTC (permalink / raw)
  To: Scott Knake; +Cc: netfilter

Well,

I guess that there is nothing wrong with that. I checked quickly the BPF 
documentation and it seems to do the job. I am just more comfortable 
with iptables at the moment. If I cannot obtain what I need with 
iptables I will study BPF better...

Thx

Claudio

Scott Knake wrote:

>iptables -t mangle -D PREROUTING 1
>It was also mentioned earlier to configure BPF to drop the undesired
>packets.. what is wrong with this solution?

* Re: iptables and wireless card in promiscuous mode
  2004-12-01 13:34 Scott Knake
  2004-12-01 13:52 ` Claudio Lavecchia
@ 2004-12-01 14:34 ` Claudio Lavecchia
  2004-12-01 16:16   ` Jason Opperisano
  1 sibling, 1 reply; 12+ messages in thread
From: Claudio Lavecchia @ 2004-12-01 14:34 UTC (permalink / raw)
  To: Scott Knake; +Cc: netfilter

BTW you are right, filtering at a lower layer is the most 
straightforward approach.
Can anyone tell me how to set up a simple filter using BPF that blocks 
all the packets coming from a given MAC address?

Thx a lot

Claudio

Scott Knake wrote:

>iptables -t mangle -D PREROUTING 1
>It was also mentioned earlier to configure BPF to drop the undesired
>packets.. what is wrong with this solution?

* Re: iptables and wireless card in promiscuous mode
  2004-12-01 14:34 ` Claudio Lavecchia
@ 2004-12-01 16:16   ` Jason Opperisano
  2004-12-01 20:14     ` Sean Donner
  0 siblings, 1 reply; 12+ messages in thread
From: Jason Opperisano @ 2004-12-01 16:16 UTC (permalink / raw)
  To: netfilter

On Wed, Dec 01, 2004 at 03:34:26PM +0100, Claudio Lavecchia wrote:
> BTW you are right, filtering at a lower layer is the most 
> straightforward approach.
> Can anyone tell me how to set up a simple filter using BPF that blocks 
> all the packets coming from a given MAC address?
> 
> Thx a lot

man pages?  *we* don't need no stinking man pages...

  not ether host XX:XX:XX:XX:XX:XX

-j

--
"Mmmm...free goo."
        --The Simpsons



* Re: iptables and wireless card in promiscuous mode
  2004-12-01 16:16   ` Jason Opperisano
@ 2004-12-01 20:14     ` Sean Donner
  0 siblings, 0 replies; 12+ messages in thread
From: Sean Donner @ 2004-12-01 20:14 UTC (permalink / raw)
  To: netfilter

>> Can anyone tell me how to set up a simple filter using BPF that blocks
>> all the packets coming from a given MAC address?

Out of curiosity what is this BPF you speak of? I googled for it and I
came across "Berkeley Packet Filter" which sounds about on topic with this
mailing list but it seems to be a FreeBSD util.  I did an slocate for it
on my box and it found nothing but a header file.  Is this some
non-standard util that has a Linux port for link layer filtering?






* RE: iptables and wireless card in promiscuous mode
@ 2004-12-01 20:45 Scott Knake
  0 siblings, 0 replies; 12+ messages in thread
From: Scott Knake @ 2004-12-01 20:45 UTC (permalink / raw)
  To: netfilter

>> Can anyone tell me how to set up a simple filter using BPF that blocks
>> all the packets coming from a given MAC address?

>Out of curiosity what is this BPF you speak of? I googled for it and I
>came across "Berkeley Packet Filter" which sounds about on topic with this
>mailing list but it seems to be a FreeBSD util.  I did an slocate for it
>on my box and it found nothing but a header file.  Is this some
>non-standard util that has a Linux port for link layer filtering?

/usr/src/linux/Documentation/Configure.help (2.4.28)

Packet socket
CONFIG_PACKET
  The Packet protocol is used by applications which communicate
  directly with network devices without an intermediate network
  protocol implemented in the kernel, e.g. tcpdump.  If you want them
  to work, choose Y.

  This driver is also available as a module called af_packet.o ( =
  code which can be inserted in and removed from the running kernel
  whenever you want).  If you want to compile it as a module, say M
  here and read <file:Documentation/modules.txt>; if you use modprobe
  or kmod, you may also want to add "alias net-pf-17 af_packet" to
  /etc/modules.conf.

  If unsure, say Y.


man tcpdump. More or less the Linux equivalent.
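
[Added example, not part of any message in this thread.] The filter expression posted earlier and the packet socket described in the Configure.help excerpt meet at one socket option: a classic BPF program attached with SO_ATTACH_FILTER to an AF_PACKET socket, which runs before the sniffer ever receives the frame. The Python code below hand-assembles the program for "not ether src MAC" (source address only, narrower than the "not ether host" form in the thread) and runs it over constructed frames; the function names, the sample MAC addresses and Ethernet-style framing are assumptions of the example.

```python
import ctypes
import socket
import struct

# Classic BPF opcodes, values as defined in <linux/filter.h>
LD_W_ABS = 0x20        # A = 32-bit word at frame[k]
LD_H_ABS = 0x28        # A = 16-bit half-word at frame[k]
JEQ_K = 0x15           # A == k ? skip jt instructions : skip jf instructions
RET_K = 0x06           # return k = bytes of the frame to keep (0 = drop)
SO_ATTACH_FILTER = 26  # Linux value on x86/ARM (asm-generic/socket.h)
ETH_P_ALL = 0x0003

LAPTOP_B = "02:00:00:00:00:0b"  # constructed sample address
OTHER = "02:00:00:00:00:0c"     # constructed sample address


def not_ether_src(mac):
    """cBPF program for 'not ether src <mac>' as (code, jt, jf, k) tuples."""
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets")
    hi, lo = struct.unpack("!HI", octets)
    return [
        (LD_W_ABS, 0, 0, 8),     # source MAC octets 2..5 sit at frame offset 8
        (JEQ_K, 0, 2, lo),       # mismatch: jump to accept
        (LD_H_ABS, 0, 0, 6),     # source MAC octets 0..1 sit at frame offset 6
        (JEQ_K, 1, 0, hi),       # full match: jump to drop
        (RET_K, 0, 0, 0x40000),  # accept, keep up to 262144 bytes
        (RET_K, 0, 0, 0),        # drop
    ]


def run_filter(prog, frame):
    """Interpret the opcode subset above; returns bytes kept, 0 if dropped."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in (LD_W_ABS, LD_H_ABS):
            size = 4 if code == LD_W_ABS else 2
            if k + size > len(frame):
                return 0  # the kernel drops on an out-of-bounds load
            acc = int.from_bytes(frame[k:k + size], "big")
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == RET_K:
            return min(k, len(frame))
        else:
            raise ValueError("opcode not handled by this interpreter")
    return 0


def open_filtered_socket(ifname, mac):
    """Needs CAP_NET_RAW. Frames sent by `mac` are never queued to recv()."""
    prog = not_ether_src(mac)
    raw = b"".join(struct.pack("HBBI", *ins) for ins in prog)  # sock_filter[]
    buf = ctypes.create_string_buffer(raw, len(raw))
    fprog = struct.pack("HP", len(prog), ctypes.addressof(buf))  # sock_fprog
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                         socket.htons(ETH_P_ALL))
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)
    sock.bind((ifname, 0))  # bind after the filter is in place
    return sock


def eth_frame(dst, src, payload=b"\x00" * 46):
    """Constructed Ethernet II frame (EtherType IPv4) for offline checks."""
    to_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
    return to_bytes(dst) + to_bytes(src) + b"\x08\x00" + payload
```

The offsets 6 and 8 assume the driver hands up Ethernet-style headers; on an interface in 802.11 monitor mode the link-layer header is different and this program would test the wrong bytes.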



