Subject: iptables promisc mode
From: Magnus Månsson @ 2006-11-15 19:43 UTC
To: netfilter; +Cc: magnusm

Hi, it seems like a couple of people have asked for this before but I haven't seen any answers.

I want iptables to get packages that do not belong to the machine, packages that are directed to others but came to me due to promisc mode. I have found a patch from November 2001 that seems to do what I want, but after manually trying to patch it in, my userspace utils segfault. I am not a programmer, so no surprise I didn't manage. The old patch is here:
http://idea.hosting.lv/a/iptables-promisc/

So, why do I want this? (Maybe you can tell me that I should do it in another way.)
I am having a routing switch that is mirroring the internet traffic into 2 interfaces in a linux machine; this machine is for example running ntop to look at what people are doing (that they shouldn't do). One of the things I/we are interested to find out is if people use peer to peer protocols like Direct Connect / Bittorrent. My idea was to solve this with iptables layer7 filter (l7-filter.sourceforge.net), ulogd and mysql. But since I can't build ULOG rules that catch the packages I am stuck.

The reason to choose iptables is that I can store all the information about the protocols I am interested in. Ntop doesn't have the history that I want.

I am very thankful for whatever help/directions I can get.

--
Magnus Månsson
Subject: Re: iptables promisc mode
From: R. DuFresne @ 2006-11-15 20:13 UTC
To: Magnus Månsson; +Cc: magnusm, netfilter

On Wed, 15 Nov 2006, Magnus Månsson wrote:

> Hi, it seems like a couple of people have asked for this before but I haven't
> seen any answers.
>
> I want iptables to get packages that do not belong to the machine, packages
> that are directed to others but came to me due to promisc mode. I have found
> a patch from November 2001 that seems to do what I want, but after manually
> trying to patch it in, my userspace utils segfault. I am not a programmer, so
> no surprise I didn't manage. The old patch is here:
> http://idea.hosting.lv/a/iptables-promisc/
>
> So, why do I want this? (Maybe you can tell me that I should do it in another
> way.)
> I am having a routing switch that is mirroring the internet traffic into 2
> interfaces in a linux machine; this machine is for example running ntop to
> look at what people are doing (that they shouldn't do). One of the things I/we
> are interested to find out is if people use peer to peer protocols like
> Direct Connect / Bittorrent. My idea was to solve this with iptables layer7
> filter (l7-filter.sourceforge.net), ulogd and mysql. But since I can't build
> ULOG rules that catch the packages I am stuck.
>
> The reason to choose iptables is that I can store all the information about
> the protocols I am interested in. Ntop doesn't have the history that I want.
>
> I am very thankful for whatever help/directions I can get.

As long as the firewall machine that runs iptables is the gateway from the lan to the internet and vice versa, this is already happening: iptables sees all the traffic in both directions, and can act on it as well, layer 4 and above. Nothing to add, no patch required. But to have details in the logs of what is passing requires that you build and configure your rules properly, with log statements in your case being well defined and covering a number of common protocol ports. One issue you will face is that most of the traffic you are trying to monitor is not well defined nor restricted to any common ports, which is why you have faced issues in preventing the traffic, even with a layer 7 module.

Plan on having at least one person devoted to nothing but monitoring traffic and logs for some time to get a handle on what your users are abusing.

Of course common theory is that this kind of abuse is best handled at the HR level; a firewall is not the best place to handle this kind of policy issue.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
Subject: Re: iptables promisc mode
From: Magnus Månsson @ 2006-11-15 20:27 UTC
To: netfilter; +Cc: magnusm

> As long as the firewall machine that runs iptables is the gateway from
> the lan to the internet and vice versa, this is already happening:
> iptables sees all the traffic in both directions, and can act on it
> as well, layer 4 and above. Nothing to add, no patch required. But
> to have details in the logs of what is passing requires that you build
> and configure your rules properly, with log statements in your case
> being well defined and covering a number of common protocol ports.
> One issue you will face is that most of the traffic you are trying to
> monitor is not well defined nor restricted to any common ports, which
> is why you have faced issues in preventing the traffic, even with a
> layer 7 module.
>
> Plan on having at least one person devoted to nothing but monitoring
> traffic and logs for some time to get a handle on what your users are
> abusing.
>
> Of course common theory is that this kind of abuse is best handled at
> the HR level; a firewall is not the best place to handle this kind of
> policy issue.
>
> Thanks,
>
> Ron DuFresne

But since my firewalls are two redundant Cisco PIX 515Es, I don't use any linux machine as a gateway; that's why I have the port mirroring in the routing switch. And the goal is not to stop the "abusing" in the firewall, only to detect and log it for later investigation when we feel like we have the need.

But thanks for the answer. .)
Subject: Re: iptables promisc mode
From: Victor Julien @ 2006-11-15 20:35 UTC
To: netfilter

Magnus Månsson wrote:
>> As long as the firewall machine that runs iptables is the gateway
>> from the lan to the internet and vice versa, this is already
>> happening: iptables sees all the traffic in both directions, and can
>> act on it as well, layer 4 and above. Nothing to add, no patch
>> required. But to have details in the logs of what is passing
>> requires that you build and configure your rules properly, with log
>> statements in your case being well defined and covering a number of
>> common protocol ports. One issue you will face is that most of the
>> traffic you are trying to monitor is not well defined nor restricted
>> to any common ports, which is why you have faced issues in preventing
>> the traffic, even with a layer 7 module.
>>
>> Plan on having at least one person devoted to nothing but monitoring
>> traffic and logs for some time to get a handle on what your users are
>> abusing.
>>
>> Of course common theory is that this kind of abuse is best handled at
>> the HR level; a firewall is not the best place to handle this kind of
>> policy issue.
>>
>> Thanks,
>>
>> Ron DuFresne
>
> But since my firewalls are two redundant Cisco PIX 515Es, I don't use any
> linux machine as a gateway; that's why I have the port mirroring in
> the routing switch. And the goal is not to stop the "abusing" in the
> firewall, only to detect and log it for later investigation when we
> feel like we have the need.
>
> But thanks for the answer. .)

Have you looked at tcpdump or snort? It can do the same thing: monitor and log in promiscuous mode...

Regards,
Victor
Subject: Re: iptables promisc mode
From: Magnus Månsson @ 2006-11-15 20:39 UTC
To: netfilter; +Cc: magnusm, Victor Julien

> Have you looked at tcpdump or snort? It can do the same thing: monitor
> and log in promiscuous mode...
>
> Regards,
> Victor

Neither of them gives me the possibility to log only chosen peer to peer traffic (torrent for example), as far as I know. With our internet connection and usage there is no way I can log all the data. But thanks for the suggestion.
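Added example, not code from the thread: a minimal detector of the kind Magnus asks for, fed constructed Ethernet/IPv4/TCP frames as a packet socket (what tcpdump and snort read) would deliver them, that records only BitTorrent and Direct Connect handshakes and ignores everything else, so the log stays small without capturing all data. Frames mirrored to a promiscuous NIC carry another host's destination MAC; the kernel tags them PACKET_OTHERHOST and ip_rcv() discards them before any netfilter hook runs, which is why ULOG rules never match them. The signatures, addresses and port numbers below are assumptions chosen for illustration.

```python
import struct
from typing import Optional

# Payload signatures (assumed for illustration): the BitTorrent peer-wire
# handshake opens with a 0x13 length byte and "BitTorrent protocol"; an
# NMDC Direct Connect client-to-client session opens with "$MyNick ".
SIGNATURES = {
    b"\x13BitTorrent protocol": "bittorrent",
    b"$MyNick ": "direct-connect",
}

def classify_frame(frame: bytes) -> Optional[dict]:
    """Return a log record for an IPv4/TCP frame whose payload starts with a
    known handshake, or None (non-IPv4, non-TCP, truncated, or no match)."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # EtherType IPv4 only
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                             # IPv4 header length
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or ihl < 20 or len(ip) < total_len:    # protocol 6 = TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                            # TCP data offset
    payload = tcp[doff:]
    for sig, proto in SIGNATURES.items():
        if payload.startswith(sig):
            return {"proto": proto, "src": f"{src}:{sport}", "dst": f"{dst}:{dport}"}
    return None

def scan(frames) -> list:
    """Run the classifier over a capture and keep only matching records."""
    return [rec for rec in map(classify_frame, frames) if rec is not None]

def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test frame: checksums left zero, MACs belong to other hosts."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("0200000000010200000000020800") + ip + tcp
```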
Subject: Re: iptables promisc mode
From: Alan Ezust @ 2006-11-17 0:32 UTC
To: netfilter; +Cc: magnusm, Victor Julien

Here is a patchlet for promisc-hook that we use in-house. Enjoy!

--alan

On Wednesday 15 November 2006 12:39, Magnus Månsson wrote:
> Neither of them gives me the possibility to log only chosen peer to peer
> traffic (torrent for example), as far as I know. With our internet connection and
> usage there is no way I can log all the data. But thanks for the
> suggestion.

--
Alan Ezust
www.presinet.com
Presinet, inc
alan.ezust@presinet.com
Victoria, BC, Canada

[Attachment: promisc-hook.tar.gz, application/x-tgz, 2439 bytes]