LinuxQuestions.org, Linux - Security forum
Old 03-07-2007, 10:09 PM   #1
romeo_tango
need help : iptables problems? arp spoofing


Hello,

I am new to iptables and I just succeeded in creating a simple rule on my system.

I tried to create a rule so that, with just one public IP, let's say it is 202.x.y.140, I could access another 5 servers in the same internal network (10.x.x.0/24).

The firewall itself (Linux RHEL 4.3 with iptables 1.2.11) is on 10.x.x.1.

The rule is set up so that I can ssh directly to the 10.x.x.2 box using these lines:

Code:
ssh 202.x.y.140 -l user -p 2202   # for 10.x.x.2
ssh 202.x.y.140 -l user -p 2203   # for 10.x.x.3
ssh 202.x.y.140 -l user -p 2204   # for 10.x.x.4
# and so on
And it works! But something strange has been happening lately. When it reached 10 servers, the 10.x.x.1 server, i.e. the firewall, couldn't ping 10.x.x.10.

When I opened 2 terminals on the firewall box, I tried ping 10.x.x.10 in one, and in the other one I ran tcpdump | grep "10.x.x.10" and found these strange lines..


Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:23:51.564852 arp who-has 10.x.x.10 tell 202.x.y.150
10:23:51.564991 arp reply 10.x.x.10 is-at aa:bb:cc:dd:ee:05
10:23:51.565004 IP 202.x.y.150 > 10.x.x.10: icmp 64: echo request seq 0
10:23:51.567606 arp reply 10.x.x.10 is-at ff:gg:hh:ii:jj:00
10:23:53.563836 IP 202.x.y.150 > 10.x.x.10: icmp 64: echo request seq 2
10:23:54.563941 IP 202.x.y.150 > 10.x.x.10: icmp 64: echo request seq 3
10:23:55.566020 IP 202.x.y.150 > 10.x.x.10: icmp 64: echo request seq 4
10:23:56.565168 IP 202.x.y.150 > 10.x.x.10: icmp 64: echo request seq 5
In the first terminal, the ping got no reply at all, but in the second one we could see that the reply is coming from 202.x.y.150, which is my other server (Win2K).

And I notice that the first ARP reply is coming from the correct MAC address. But why is the MAC address changed in the second reply?

Could somebody tell me whether my configuration is incorrect, or whether there are other issues regarding this ARP spoofing that I don't know about yet?

Also, whenever this weirdness happens, the Win2K box always gets an IP conflict error saying that it has detected an IP conflict with a machine at MAC address xx:xx:xx:xx:xx, which is the firewall!

How could 202.x.y.140 be conflicting with 202.x.y.150? I am very confused.

Any suggestions?
 
Old 03-08-2007, 06:34 PM   #2
Capt_Caveman
I'd start by doing a ping to your network's broadcast IP, wait a minute and then look at the ARP table (the broadcast ping gets all the systems to reply and populate the ARP table). Then verify that all IP-MAC mappings are correct. Have any of the IPs been modified lately? Could one be misconfigured with the same IP as another machine?

I'd also download/install arpstar or arpwatch to get alerts when any further ARP oddness occurs. Having internal machines pretending to be the firewall *could* possibly be a serious issue (like someone trying to perform a MiTM attack). I'd also thoroughly check each machine involved for anything strange (like finding ettercap). For Windows systems, make sure AV is updated and run a scan.

Quote:
I tried to create a rule so that, with just one public IP, let's say it is 202.x.y.140, I could access another 5 servers in the same internal network (10.x.x.0/24).
I'm kind of unsure of what you are saying here. Could you describe it in more detail and show the actual rule you are using (you can obfuscate public IPs)?
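A small checker, added here as an example and not written by anyone in this thread, that does over a saved tcpdump trace what the arpwatch suggestion above does live: it flags an IP answered by two different MACs (the second is-at reply in the first post) and a MAC that answers for more than one IP (the cause of the Windows box's IP-conflict alert). The sample trace is constructed in the shape of the one in the first post; its addresses and MACs are made up.

```python
"""Flag ARP anomalies in tcpdump output (added example, not from the thread)."""
import re
from collections import defaultdict

# Matches tcpdump's "arp reply <ip> is-at <mac>" lines. MAC octets are matched
# loosely so an obfuscated trace like the thread's (ff:gg:hh:ii:jj:00) still parses.
ARP_REPLY = re.compile(
    r"^\S+ arp reply (?P<ip>\S+) is-at (?P<mac>[0-9a-z]{2}(?::[0-9a-z]{2}){5})",
    re.IGNORECASE)


def arp_bindings(lines):
    """Return {ip: [macs in order of first appearance]} for every ARP reply."""
    seen = defaultdict(list)
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m and m["mac"].lower() not in seen[m["ip"]]:
            seen[m["ip"]].append(m["mac"].lower())
    return dict(seen)


def find_conflicts(lines):
    """IPs answered by more than one MAC: the pattern the original poster saw,
    a second, different is-at reply arriving right after the real host's."""
    return {ip: macs for ip, macs in arp_bindings(lines).items() if len(macs) > 1}


def macs_claiming_many_ips(lines):
    """MACs that answered for more than one IP: the other symptom in the thread,
    one MAC appearing behind the Windows box's address as well as a LAN host's,
    which is what triggers the Windows IP-conflict alert."""
    by_mac = defaultdict(list)
    for ip, macs in arp_bindings(lines).items():
        for mac in macs:
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed sample shaped like the trace in the thread; MACs and IPs are made up.
SAMPLE = """\
10:23:51.564852 arp who-has 10.0.0.10 tell 203.0.113.150
10:23:51.564991 arp reply 10.0.0.10 is-at aa:bb:cc:dd:ee:05
10:23:51.565004 IP 203.0.113.150 > 10.0.0.10: icmp 64: echo request seq 0
10:23:51.567606 arp reply 10.0.0.10 is-at 00:11:22:33:44:00
10:23:52.100000 arp reply 203.0.113.150 is-at 00:11:22:33:44:00
""".splitlines()
```

Feed it `tcpdump -n -e arp` output saved from the firewall; an IP that shows up in find_conflicts() is the one whose cache entry you should compare against the known MAC of that host.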
 
Old 03-08-2007, 08:58 PM   #3
romeo_tango
Quote:
Originally Posted by Capt_Caveman
I'd start by doing a ping to your network's broadcast IP, wait a minute and then look at the ARP table (the broadcast ping gets all the systems to reply and populate the ARP table). Then verify that all IP-MAC mappings are correct. Have any of the IPs been modified lately? Could one be misconfigured with the same IP as another machine?
I'm sure that I didn't modify any IP, and there are no two or more machines using the same IP.

Quote:
Originally Posted by Capt_Caveman
I'd also thoroughly check each machine involved for anything strange (like finding ettercap). For Windows systems, make sure AV is updated and run a scan.
I'm sorry, I kinda don't understand this part. What does "ettercap" in this line mean?

Quote:
Originally Posted by Capt_Caveman
I'm kind of unsure of what you are saying here. Could you describe it in more detail and show the actual rule you are using (you can obfuscate public IPs)?
Hmm.. Here is part of the rule on the firewall box:

Code:
# Path to the iptables binary; assumed here, the original script sets it elsewhere
IPTABLES="/sbin/iptables"

INET_IP="202.x.y.140"
INET_IFACE="eth0"

LAN_IP="10.x.x.1"
LAN_IP_RANGE="10.x.x.0/24"
LAN_IFACE="eth1"

SERVER2_IP="10.x.x.2"
SERVER2_SSH="2202"

# tcp_packets and allowed are user-defined chains created earlier in the script;
# this accepts TCP traffic from anywhere to the forwarded port
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport $SERVER2_SSH -j allowed

# Rewrite the destination of packets arriving at the public IP on port 2202 to 10.x.x.2:22
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE --dst $INET_IP -p tcp --dport $SERVER2_SSH -j DNAT --to-destination $SERVER2_IP:22

# Let the rewritten packets be forwarded from the public interface to the LAN interface
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE -d $SERVER2_IP --dport 22 -j allowed
The point of the rule is so that I can access 10.x.x.2, which doesn't have any public IP, using the firewall IP's port 2202, which will be redirected to IP 10.x.x.2 port 22.

In other words, ssh 202.x.y.140 -p 2022 -l user will bring me to 10.x.x.2:22.
 
Old 03-09-2007, 01:00 AM   #4
live_dont_exist
Didn't go through the complete specifics of the thread... sorry, but I do know this. In case you're making a connection to another IP for the first time or after a long time, the ARP cache on your machine would probably have expired. Hence it does an ARP lookup to try and get the MAC address of the destination machine. Once it does this, it initiates the telnet/ssh connection.

However, do look through what Capt. Caveman has said as well, because I didn't read the whole thread.

Cheers
Arvind
 
Old 03-12-2007, 06:26 AM   #5
romeo_tango
Hmm.. I'm still kinda confused.. I read about ARP already and am trying to search for what I can do about ARP on my machine. I do arping and the reply comes from the correct MAC, but when I do the ping command to a few servers, there are no replies at all..
 
Old 03-12-2007, 06:43 AM   #6
live_dont_exist
You might want to back up your iptables config, then add a rule right at the top explicitly allowing all traffic from your box to a particular server, and then try pinging the same.

If this isn't working, then you've isolated that the problem is not with your firewall.

Now try and ping your servers from some other desktop. Do they respond? If YES, then it's obviously something on your box that's stopping traffic from going out. If NOT, then I'd start Ethereal (Wireshark), a great packet sniffer available here. This will give you an idea of where your packets are going when you try and ping your servers.

If the reply is coming back from the correct MAC, then there's obviously no IP-MAC resolution problem. Clear out the ARP cache on your box, any switches in between and the destination server if you have access, and try again.

Post back if there's still trouble.

Cheers
Arvind
 
  

