Linux Netfilter discussions
* Iptables rule on span traffic
From: Krishnamoorthy (Siva) Sivakumar @ 2007-04-20 19:13 UTC (permalink / raw)
  To: netfilter

Hi

I am new to this forum and my knowledge about iptables is fairly limited. I did search but couldn't find an answer to my question; if this has been addressed elsewhere, please point me to the source. 

Anyway, here is my situation. 
I have fwsnort generate iptables rules (based on snort IDS rules) which are running on a machine with two interfaces. One of the interfaces (eth1) is connected to a SPAN port that mirrors traffic on part of our network; this interface is in promiscuous mode. The other interface (eth0) is a regular addressable interface. For some reason, the iptables rules seem to have no effect on traffic seen by the SPAN port. It seems to work fine on traffic seen on eth0. I have tried using the -i option to specify the interface but that doesn't seem to help. I am trying simple rules like "look for string 'ssh' and LOG traffic as well as reject with tcp reset" to troubleshoot.

Anyone have any idea what I need to do to have iptables rules act on SPAN traffic? Tcpdump on eth1 does show traffic that the loaded iptables rules should catch. Am I missing something in the way I have set things up?

Thanks,
Siva



* Re: Iptables rule on span traffic
From: Oleg @ 2007-04-21 13:46 UTC (permalink / raw)
  To: netfilter

> Anyway, here is my situation.
> I have fwsnort generate iptables rule (based on snort IDS rules) which are
> running on a machine with two interfaces. One of the interfaces (eth1) is
> connected to a SPAN port that mirrors traffic on part of our network, this
> interface is in promiscuous mode. The other interface (eth0) is a regular
> addressable interface. For some reason, the iptables rules seem to have no
> effect on traffic seen by the SPAN port.
AFAIK pcap library gets traffic before iptables rule processing (because it's 
promiscuous mode), so snort and tcpdump (and any other tool which uses pcap) 
continue to see 'blocked by iptables' traffic.

-- 
Best regards, Oleg



* Re: Iptables rule on span traffic
From: Jorge Davila @ 2007-04-21 15:54 UTC (permalink / raw)
  To: Krishnamoorthy (Siva) Sivakumar, netfilter

What are your iptables rules?


Jorge Isaac Davila Lopez
Nicaragua Open Source
davila@nicaraguaopensource.com



* Re: Iptables rule on span traffic
From: Cedric Blancher @ 2007-04-21 16:23 UTC (permalink / raw)
  To: Krishnamoorthy (Siva) Sivakumar; +Cc: netfilter

On Friday 20 April 2007 at 12:13 -0700, Krishnamoorthy (Siva) Sivakumar
wrote:
> Anyone have any idea what I need to do to have iptables rule to act on
> SPAN traffic. Tcpdump on eth1 does show traffic that the loaded
> iptables rules should catch. Am I missing something in the way I have
> set things up?

Check the chain where your rules are created. Like FORWARD or INPUT. And
if it eventually fits your needs:

	. INPUT for traffic destined to your machine
	. FORWARD for traffic it should route


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: Iptables rule on span traffic
From: Oleg @ 2007-04-21 19:33 UTC (permalink / raw)
  To: netfilter

AFAIK pcap library gets traffic before iptables rule processing (because it's 
promiscuous mode), so snort and tcpdump (and any other tool which uses pcap) 
continue to see any traffic (even 'blocked by iptables', because its rules are 
applied after interface pass).


-- 
Best regards, Oleg



* RE: Iptables rule on span traffic
From: Krishnamoorthy (Siva) Sivakumar @ 2007-04-21 19:44 UTC (permalink / raw)
  To: Cedric Blancher; +Cc: netfilter


The thing is, the machine running the iptables is not really a firewall nor is it "inline". It is simply sitting on the network and sees the traffic mirrored to it from a span port. So it nominally does not forward any packets. 

Here is a sample shell script that fwsnort generates (for a simple rule to block .txt files through port 80 --- just testing, not a meaningful rule). 

############################################
$IPTABLES -A FWSNORT_FORWARD -p tcp --dport 80 -m string --string ".txt" --algo bm -m comment --comment "msg: test; FWS:0.9.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID1000002 "

$IPTABLES -A FWSNORT_FORWARD -p tcp --dport 80 -m string --string ".txt" --algo bm -j REJECT --reject-with tcp-reset

$IPTABLES -A FWSNORT_INPUT -p tcp --dport 80 -m string --string ".txt" --algo bm -m comment --comment "msg: test; FWS:0.9.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID1000002 "

$IPTABLES -A FWSNORT_INPUT -p tcp --dport 80 -m string --string ".txt" --algo bm -j REJECT --reject-with tcp-reset

###
############ Jump traffic to the fwsnort chains. ############
###
$IPTABLES -I FORWARD 1 -i ! lo -j FWSNORT_FORWARD
$IPTABLES -I INPUT 1 -i ! lo -j FWSNORT_INPUT
$IPTABLES -I OUTPUT 1 -o ! lo -j FWSNORT_OUTPUT
###########################################

When I run this rule, and try to access a .txt file (with a web browser on a different machine) on the machine running the iptables, I get a log message and the file access is blocked. However, if I try to do the same but for a .txt file residing on a third machine (machine running iptables is able to see the related packets on its interface connected to the span port), I see no log or blocking. 

Thanks,
Siva




* Re: Iptables rule on span traffic
From: Pascal Hambourg @ 2007-04-21 21:20 UTC (permalink / raw)
  To: netfilter

Hello,

Krishnamoorthy (Siva) Sivakumar wrote:
> 
> When I run this rule, and try to access a .txt file (with a web
> browser on a different machine) on the machine running the iptables, I
> get a log message and the file access is blocked. However, if I try to
> do the same but for a .txt file residing on a third machine (machine
> running iptables is able to see the related packets on its interface
> connected to the span port), I see no log or blocking. 

As Cédric said, packets which are not destined to the box do not go 
through the INPUT chains. And since the box is not forwarding traffic, 
these packets are dropped at the input routing decision stage and do not 
go through the FORWARD chains either.



* RE: Iptables rule on span traffic
From: Krishnamoorthy (Siva) Sivakumar @ 2007-04-23  3:48 UTC (permalink / raw)
  To: Pascal Hambourg, netfilter

[Siva:] 
Then is it true that for iptables rules to be effective (fwsnort generated or otherwise), the machine must be "inline"? Is there no way to implement iptables rules on "mirrored" traffic?

Siva



* Re: Iptables rule on span traffic
From: Martijn Lievaart @ 2007-04-23  5:25 UTC (permalink / raw)
  To: Krishnamoorthy (Siva) Sivakumar; +Cc: netfilter, Pascal Hambourg

You could try to turn on forwarding and block all traffic that makes it
through the snort rules.

HTH,
M4




* RE: Iptables rule on span traffic
From: Krishnamoorthy (Siva) Sivakumar @ 2007-04-23  5:41 UTC (permalink / raw)
  To: Martijn Lievaart; +Cc: netfilter, Pascal Hambourg

[Siva:] 
Can you explain in more detail (sorry I am a novice)? How do you turn on forwarding? Does this require the iptables machine to be inline (in addition to a regular firewall/router that does the actual forwarding)? 

Thanks,
Siva



* Re: Iptables rule on span traffic
From: Martijn Lievaart @ 2007-04-23  5:44 UTC (permalink / raw)
  To: Krishnamoorthy (Siva) Sivakumar; +Cc: netfilter, Pascal Hambourg

http://www.google.nl/search?q=linux+forwarding   :-)

HTH,
M4




* RE: Iptables rule on span traffic
From: Krishnamoorthy (Siva) Sivakumar @ 2007-04-23 16:53 UTC (permalink / raw)
  To: Martijn Lievaart; +Cc: netfilter, Pascal Hambourg

That was easy :-) I will try that and see how it goes. 

Thanks,
Siva





* RE: Iptables rule on span traffic
From: Krishnamoorthy (Siva) Sivakumar @ 2007-04-26  2:21 UTC (permalink / raw)
  To: hareram; +Cc: netfilter

The objective is to block "bad traffic" with the Linux box running iptables rules not being inline (but able to see the relevant traffic off of a span port). Essentially achieve what fwsnort/iptables does for IPS (not just IDS), but without being inline. Logging the "bad traffic" is only incidental. 

Siva

-----Original Message-----
From: hareram [mailto:hareram@sol.net.in] 
Sent: Wednesday, April 25, 2007 6:56 PM
To: Krishnamoorthy (Siva) Sivakumar
Subject: Re: Iptables rule on span traffic

Hi


I got your explanation.

What is the objective to achieve:
only port-mirror traffic and log it to the Linux box?

Or are you looking for some IPS/IDS? Does the Linux box do only logging?
Or are you looking to route the traffic?

If you are looking for statistics only on this box,
look at NTOP; it will give you better than this.

ram
----- Original Message ----- 
From: "Krishnamoorthy (Siva) Sivakumar" <ksivakumar@packetmotion.com>
To: "hareram" <hareram@sol.net.in>
Sent: Thursday, April 26, 2007 3:35 AM
Subject: RE: Iptables rule on span traffic



The switch is a DELL powerconnect 2708 switch with 8 ports. Ports 1-4 are 
mirrored onto port 8 (where eth0 is connected). Port 1 is connected to a 
10.0.3.10 machine. Ports 2, 4 are connected to two 10.0.4.* machines. Rest 
of the ports are unused.


Here is a little ASCII art of the connections.

-----------------------------------
|                                 |
|   eth0 (11.0.3.91)              |<------->  Span port
|                                 |
|   Machine running IPtables      |
|                                 |
|   eth1 (10.0.3.12)              |<------->  Regular switch port
|                                 |
-----------------------------------

I enabled IP forwarding using:
echo 1 > /proc/sys/net/ipv4/ip_forward

Before doing that, I ran the following shell script to load the iptables 
rules.

#######################
$IPTABLES -A FWSNORT_FORWARD -p tcp --dport 80 -m string --string ".txt" --algo bm -m comment --comment "msg: test; FWS:0.9.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID1000002 "

$IPTABLES -A FWSNORT_FORWARD -p tcp --dport 80 -m string --string ".txt" --algo bm -j REJECT --reject-with tcp-reset

$IPTABLES -A FWSNORT_INPUT -p tcp --dport 80 -m string --string ".txt" --algo bm -m comment --comment "msg: test; FWS:0.9.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID1000002 "

$IPTABLES -A FWSNORT_INPUT -p tcp --dport 80 -m string --string ".txt" --algo bm -j REJECT --reject-with tcp-reset

$IPTABLES -A FWSNORT_FORWARD -p all -j DROP
######################

I added the last rule at the end so that any packet forwarded from the span 
port and not caught (and rejected) by the earlier rules does not actually 
make it out of the other interface, causing an infinite loop.

It still seems like the iptables rules have no effect on the traffic on eth0 
(connected to span port) but only on eth1. There was no tcp reset sent in 
response to accessing a .txt file nor was there a corresponding log entry 
when I checked using the dmesg command.

For traffic directed at the machine on eth1, there was both a log and a tcp 
reset.

Anyone have any ideas to try, please let me know.

Siva

-----Original Message-----
From: hareram [mailto:hareram@sol.net.in]
Sent: Monday, April 23, 2007 3:35 AM
To: Krishnamoorthy (Siva) Sivakumar
Subject: Re: Iptables rule on span traffic

It also needs a proper config at the Cisco switch side.

Kindly post your switch config

and the connections diagram; then I will be able to give you a proper
deployment.

ram
----- Original Message ----- 
From: "Krishnamoorthy (Siva) Sivakumar" <ksivakumar@packetmotion.com>
To: "Martijn Lievaart" <m@rtij.nl>
Cc: <netfilter@lists.netfilter.org>; "Pascal Hambourg"
<pascal.mail@plouf.fr.eu.org>
Sent: Monday, April 23, 2007 11:11 AM
Subject: RE: Iptables rule on span traffic

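Pascal's explanation (not destined to the box, so no INPUT; not forwarding, so no FORWARD) and Siva's later experiment with ip_forward turned on and still no log entry, modelled together in an added Python example that is not code from the thread. Besides the routing decision it includes one stage the thread does not name: ip_rcv() drops frames tagged PACKET_OTHERHOST (destination MAC neither ours nor broadcast) before any netfilter hook, which is why a promiscuous interface lets tcpdump see a mirrored packet that iptables never does. All MACs, addresses and payloads are constructed for the demonstration.

```python
# Added example (not from the thread): a model of the Linux IPv4 receive path
# showing which netfilter chain, if any, a frame reaches. Stage order follows
# the kernel: link-layer classification, ip_rcv, routing decision, INPUT/FORWARD.
from dataclasses import dataclass, field
from typing import List, Optional, Set

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

@dataclass
class Host:
    """The box running iptables: its MACs, its IPs and the forwarding sysctl."""
    macs: Set[str]
    ips: Set[str]
    ip_forward: bool = False  # /proc/sys/net/ipv4/ip_forward

@dataclass
class Packet:
    dst_mac: str
    dst_ip: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    """Subset of '-p tcp --dport N -m string --string S -j TARGET'."""
    dport: int
    needle: bytes
    target: str  # "LOG" (non-terminating) or "REJECT" (terminating)

@dataclass
class Verdict:
    stage: str                       # where the packet ended up
    chain: Optional[str] = None      # "INPUT", "FORWARD" or None
    fired: List[str] = field(default_factory=list)  # matched targets, in order

def run_chain(rules: List[Rule], pkt: Packet, verdict: Verdict) -> None:
    """Walk a chain top to bottom: LOG matches and continues, REJECT ends it."""
    for r in rules:
        if pkt.dport == r.dport and r.needle in pkt.payload:
            verdict.fired.append(r.target)
            if r.target == "REJECT":
                return

def receive(host: Host, pkt: Packet, input_rules: List[Rule],
            forward_rules: List[Rule]) -> Verdict:
    # 1. Link layer: a frame whose destination MAC is neither ours nor
    #    broadcast is tagged PACKET_OTHERHOST. Promiscuous mode still hands it
    #    to the stack, which is why tcpdump/snort (AF_PACKET taps) see it.
    other_host = pkt.dst_mac not in host.macs and pkt.dst_mac != BROADCAST_MAC
    # 2. ip_rcv() drops PACKET_OTHERHOST before the PREROUTING hook, so no
    #    iptables chain runs and nothing is logged, whatever ip_forward says.
    if other_host:
        return Verdict(stage="dropped in ip_rcv (PACKET_OTHERHOST)")
    # 3. PREROUTING would run here (not modelled), then the routing decision.
    v = Verdict(stage="routing decision")
    if pkt.dst_ip in host.ips:
        v.stage, v.chain = "delivered locally", "INPUT"
        run_chain(input_rules, pkt, v)
    elif host.ip_forward:
        v.stage, v.chain = "forwarded", "FORWARD"
        run_chain(forward_rules, pkt, v)
    else:
        v.stage = "dropped at routing decision (ip_forward=0)"
    return v

# The thread's two fwsnort rules, loaded into both chains: LOG, then REJECT.
FWSNORT = [Rule(80, b".txt", "LOG"), Rule(80, b".txt", "REJECT")]
BOX_MAC, BOX_IP = "00:11:22:33:44:55", "10.0.3.12"   # constructed
GET_TXT = b"GET /notes.txt HTTP/1.1\r\nHost: 10.0.4.20\r\n\r\n"  # constructed

def scenario(kind: str, ip_forward: bool) -> Verdict:
    """'to_box': request to the box itself; 'via_box': request sent to the box's
    MAC as next hop (box inline); 'mirrored': SPAN copy between third parties."""
    box = Host(macs={BOX_MAC}, ips={BOX_IP}, ip_forward=ip_forward)
    dst_mac = BOX_MAC if kind in ("to_box", "via_box") else "00:aa:bb:cc:dd:ee"
    dst_ip = BOX_IP if kind == "to_box" else "10.0.4.20"
    return receive(box, Packet(dst_mac, dst_ip, 80, GET_TXT), FWSNORT, FWSNORT)

if __name__ == "__main__":
    for kind in ("to_box", "via_box", "mirrored"):
        for fwd in (False, True):
            v = scenario(kind, fwd)
            print(kind, "ip_forward=%d" % fwd, v.stage, v.chain, v.fired)
```

Only the "via_box" case is changed by enabling forwarding, which is what Martijn's suggestion amounts to: the box has to be the next hop for the traffic, i.e. inline.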

* RE: Iptables rule on span traffic
From: Krishnamoorthy (Siva) Sivakumar @ 2007-04-26 16:15 UTC (permalink / raw)
  To: Iceman; +Cc: netfilter

I can understand the inability to send (reset) packets out of the span
interface. But what I am puzzled with is that there is no log of the
said packets either. 

Siva
________________________________________
From: Iceman [mailto:iceman.linux@gmail.com] 
Sent: Thursday, April 26, 2007 2:57 AM
To: Krishnamoorthy (Siva) Sivakumar
Subject: Re: Iptables rule on span traffic

IMHO sometimes switches and other Layer2/3 network devices block traffic
sent on a SPAN port; this could explain why tcp-reset fails.

Iceman


