LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 11-29-2005, 04:20 PM   #1
lohb1ac
Help with iptables/DNAT/forwarding


Hello,

I'm trying to set up a Linux box that is a bridge running Snort and that redirects traffic (based on Snort signatures) to a local web server. I have Snort and the redirection script working fine; I think I'm having trouble with the iptables rules. I have three interfaces in this box: eth0 is the only one with an IP, and eth1 and eth2 belong to the bridge (br0). Neither eth1, eth2, nor br0 has an IP associated with it. The bridge works fine without any iptables rules, or at least with them all set to ACCEPT.

With the rules shown below, I would think that any web traffic coming into the bridge from the "infected" host 172.16.110.139 would be redirected to the local web server. The web server has mod_rewrite set up to show the same page no matter what URL is passed to it. It's also set to bind to and listen on 127.0.0.1.

# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53
DROP all -- 172.16.110.139 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain icmp-flood (0 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain syn-flood (0 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 50/sec burst 150
DROP all -- 0.0.0.0/0 0.0.0.0/0

# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 172.16.110.139 0.0.0.0/0 tcp dpt:80 to:127.0.0.1:80

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

When I try to view a website from 172.16.110.139 the browser just hangs. There is not even an entry made in Apache's log files (LogLevel debug). Here's what tcpdump shows for a session:

# tcpdump -n -nn -i lo
16:10:06.037932 IP 172.16.110.139.4047 > 127.0.0.1.80: S 3822960001:3822960001(0) win 65535 <mss 1460,nop,nop,sackOK>
...repeat...

No resets are ever sent to the client and Apache never seems to see any attempted connections. Am I doing something wrong trying to access 127.0.0.1 from the bridge?

I can remove the DROP rule from the FORWARD chain and redirect the web traffic to another web server, but the purpose of this box is to contain "bad" traffic.

I can hit the local web server from the console on the bridge (it works fine this way); here are the tcpdump and Apache log entries for that:
16:15:14.167087 IP 127.0.0.1.55233 > 127.0.0.1.80: S 2639549807:2639549807(0) win 32767 <mss 16396,sackOK,timestamp 1092232 0,nop,wscale 2>
16:15:14.167112 IP 127.0.0.1.80 > 127.0.0.1.55233: S 2645960540:2645960540(0) ack 2639549808 win 32767 <mss 16396,sackOK,timestamp 1092232 1092232,nop,wscale 2>
16:15:14.167128 IP 127.0.0.1.55233 > 127.0.0.1.80: . ack 1 win 8192 <nop,nop,timestamp 1092232 1092232>
16:15:14.171047 IP 127.0.0.1.55233 > 127.0.0.1.80: P 1:216(215) ack 1 win 8192 <nop,nop,timestamp 1092233 1092232>
16:15:14.171107 IP 127.0.0.1.80 > 127.0.0.1.55233: . ack 216 win 8192 <nop,nop,timestamp 1092233 1092233>
16:15:14.171599 IP 127.0.0.1.80 > 127.0.0.1.55233: P 1:288(287) ack 216 win 8192 <nop,nop,timestamp 1092233 1092233>
16:15:14.171615 IP 127.0.0.1.55233 > 127.0.0.1.80: . ack 288 win 8192 <nop,nop,timestamp 1092233 1092233>
16:15:14.171699 IP 127.0.0.1.80 > 127.0.0.1.55233: F 288:288(0) ack 216 win 8192 <nop,nop,timestamp 1092233 1092233>
16:15:14.183028 IP 127.0.0.1.55233 > 127.0.0.1.80: F 216:216(0) ack 289 win 8192 <nop,nop,timestamp 1092236 1092233>
16:15:14.183045 IP 127.0.0.1.80 > 127.0.0.1.55233: . ack 217 win 8192 <nop,nop,timestamp 1092236 1092236>

==> /var/log/apache/access_log <==
127.0.0.1 - - [29/Nov/2005:16:15:14 -0600] "GET / HTTP/1.0" 200 42


I wouldn't mind using snort-inline for this but that setup seems to only drop traffic and not redirect it.

Please help me point out whatever bonehead mistakes I'm making.

Thanks in advance.

 
Old 11-30-2005, 08:30 AM   #2
lohb1ac
Hmm, no takers.

OK, let's start small. Is it possible to use DNAT/SNAT in the PREROUTING/POSTROUTING chains to reroute traffic from a bridge or other interface to 127.0.0.1?
 
Old 12-05-2005, 08:48 AM   #3
jmorse
You can't redirect a host to 127.0.0.1, because that doesn't make sense...

What you probably want to do, is to 'REDIRECT' the packets to your webserver.
'REDIRECT' is an iptables target, enabled by 'CONFIG_IP_NF_TARGET_REDIRECT' in your kernel; it can be used in the PREROUTING or OUTPUT chains.

Example:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 ! -d <IPADDRESS_OF_ETH0> -s <INFECTED_MACHINE> -j REDIRECT


This assumes that eth0 has IPADDRESS_OF_ETH0 and is on the same network as INFECTED_MACHINE. [Obviously don't include the angle brackets.]
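The check below is an added example, not code from either post in the thread. It parses the nat table the original poster listed (embedded here as constructed sample input copied from that post), flags the DNAT whose rewritten destination is 127.0.0.1, which is the rule the tcpdump output shows never completing, and builds the REDIRECT rule that jmorse's reply recommends in its place. The function names, the parser and the interface name br0 passed to suggest_redirect are my assumptions, not anything the thread states.

```python
import ipaddress
import re

# Constructed sample input: the nat table as the original post lists it
# (iptables -t nat -nL), embedded so the check runs offline.
NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  172.16.110.139       0.0.0.0/0            tcp dpt:80 to:127.0.0.1:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_rules(listing):
    """Parse `iptables -nL` style output into a list of rule dicts.

    Rule lines carry the fixed columns target/prot/opt/source/destination
    followed by free-form match text such as "tcp dpt:80 to:127.0.0.1:80".
    """
    rules = []
    chain = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        if line.startswith("target"):          # column header line
            continue
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        rules.append({"chain": chain, "target": target, "prot": prot,
                      "src": src, "dst": dst, "extra": extra})
    return rules


def dnat_to_loopback(rules):
    """Return DNAT rules whose rewritten destination lies in 127.0.0.0/8.

    127/8 is only valid on lo. A packet that arrived on a real interface or a
    bridge and is DNATed to 127.0.0.1 is a martian destination to the routing
    code, and even where it is delivered, the server's reply would carry source
    127.0.0.1, which cannot be sent out a non-loopback interface. Either way
    the client sees no SYN-ACK and no RST, which is what the thread's tcpdump
    shows. (Linux 3.6 and later can relax the martian check per interface with
    net.ipv4.conf.<iface>.route_localnet=1; the kernels of 2005 have no such
    knob.) Locally generated packets, i.e. the OUTPUT chain, are unaffected.
    """
    hits = []
    for r in rules:
        if r["target"] != "DNAT":
            continue
        m = re.search(r"to:(\d+\.\d+\.\d+\.\d+)(?::(\d+))?", r["extra"])
        if m and ipaddress.ip_address(m.group(1)) in LOOPBACK:
            dport = re.search(r"dpt:(\d+)", r["extra"])
            hits.append({**r,
                         "to_ip": m.group(1),
                         "to_port": m.group(2),
                         "dport": dport.group(1) if dport else None})
    return hits


def suggest_redirect(hit, in_iface):
    """Build the REDIRECT rule that replaces a loopback DNAT.

    REDIRECT rewrites the destination to the primary address of the interface
    the packet came in on, so that address is routable and replies can go back
    out the same way. The interface named with -i therefore needs an address;
    in the poster's setup br0 has none and would have to be given one first.
    """
    port = hit["to_port"] or hit["dport"] or "80"
    rule = f"iptables -t nat -A PREROUTING -i {in_iface} -p {hit['prot']}"
    if hit["src"] != "0.0.0.0/0":
        rule += f" -s {hit['src']}"
    if hit["dport"]:
        rule += f" --dport {hit['dport']}"
    return rule + f" -j REDIRECT --to-ports {port}"


if __name__ == "__main__":
    for h in dnat_to_loopback(parse_rules(NAT_TABLE)):
        print(f"{h['chain']}: DNAT {h['src']} -> {h['to_ip']}:{h['to_port']} "
              "cannot complete for traffic entering on a non-lo interface; try:")
        print("  " + suggest_redirect(h, "br0"))
```

Two caveats worth keeping in mind when applying the suggested rule. First, once the destination is rewritten to one of the box's own addresses the packet is delivered locally and traverses INPUT, not FORWARD, so the DROP for 172.16.110.139 in the FORWARD chain still contains everything that is not redirected without interfering with the redirected web traffic. Second, the web server must then listen on that interface address (or on 0.0.0.0) rather than only on 127.0.0.1.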