Is there any way to do an exception statement in IPtables for a redirection rule? ex// redirect any port 80 traffic from IP 10.1.1.100 to 10.1.1.2 -unless- it is trying to reach a website at 10.1.1.3.

scenario.. automated script using nessus detects a windows box with high risk patches missing. The script inserts that IP into IPtables saying rediect anything port 80 from this IP to this information web page as well as dropping all other traffic from that IP. On that informative webpage I will explain to them why they have been redirected their and give instructions on going to microsoft windows update. Well, no can do with the rediect statement unless it can allow an exception for windowsupdate related sites.

I believe what I'm asking may exceed the limitations of IPtables but it never hurts to ask.

btw... am i reinventing any known projects with that little scenario?

thx

I'm far from an iptables expert, but the iptable man pages state that you can specify a ! to negate/exclude source/destination/protocols. i.e. -s !192.168.9.2, !icmp, etc...

See: man iptables

I'm rusty on iptables, but perhaps something like

iptables -t nat PREROUTING -s 10.1.1.100 -d ! 10.1.1.3 -j DNAT --to-destination 10.1.1.2:80

might do the trick. I'm not sure if -s and -d work in the prerouting chain, but I think they do, so just try it. man iptables if you want to check.

Note that if your webserver on 10.1.1.2 doesn't run on port 80 you will have to change the above. eg you might have 10.1.1.2:8000. Note also that you DO have to specify a port here, because your client machine may be doing some ftp or something else instead, and if you don't specify the port, it will be left unchanged, meaning your webserver will recieve a request at port 21.

Good luck, reetep.


PS would you be kind enough to share your scripts and/or your page of advice? I would love to be able to make use of them.

How'd you get on BorderX? Hope you achieved what you wanted.

I understand if you don't want to share your scripts and or html, because I'm sure you've put a lot of work in. Perhaps it's not your work to share.

But if you are willing, I'd love to be able to make use of them. Would you mind replying to let me know one way or the other? You are perfectly entitled to say "no" !

Well this Its still in a very conceptual stage and Im working alone on it so its pretty narrow minded.. Im not a very good programmer, i do network configurations, but its working well in my testlab so far. Heres what I got... and yes, there are a lot of prerequisits how you have things setup on your system. Plus you have to know how to finetune nessus to only probe for certain things so you dont risk locking peoples computers up. If this gets running smoothly with all the little kinks worked out, it could potentially be unleashed on a 2500+ node network. We'll see how it goes....

Feel free to critisize constructively. I'm sure there is plenty to dish out =)

#!/usr/bin/perl -w

#############################################################
# First open the dhcp messages and create a target file #
# using a list of IPs from the "DHCPACK on xxx.xxx.xxx.xxx" #
# This assumes you have syslog set to doublelog your dhcp #
# msgs to a disposable file, dhcpd.log.tmp. #
#############################################################

`grep DHCPACK /var/log/dhcpd.log.tmp | cut -d' ' -f8 | sort -u >> /usr/local/scripts/nessus-script/targets`;

######################################################
# Launch the nessus client using the target file and #
# create a result file with all the nessus warnings. #
# Option to use the result file create an html page. #
######################################################

`nessus -q -T nbe localhost 1241 admin admin /usr/local/scripts/nessus-script/targets /usr/local/scripts/nessus-script/results.nbe`;

#`nessus -i /usr/local/scripts/nessus-script/results.nbe -o /var/www/html/vulnerable.html`;

##################################################
# Parse through the results file and extract IPs #
# that have "Risk factor : High" vulnerabilities #
# and place them into the file vulnerable #
##################################################

`grep "Risk factor : High" results.nbe | cut -d'|' -f3 | sort -u >> /usr/local/scripts/nessus-script/vulnerable`;

########################################################
# Extract IPs from the Vulnerable file and add them #
# to iptables with the appropriate redirect statements #
########################################################

open (FIREWALL, ">>/etc/sysconfig/rc.firewall");
open (VULNERABLE, "/usr/local/scripts/nessus-script/vulnerable");

$ip=<VULNERABLE>;
if ($ip) {chomp $ip;}
$blocking="0";

### loop this process until $ip is nothing ###
while ($ip) {

### check to see if $ip has already been blocked ###
$blocked=`grep $ip /usr/local/scripts/nessus-script/backup/blocked`;
### If $ip is already blocked get next IP and restart while loop ###
if ($blocked)
{
$ip=<VULNERABLE>;
if ($ip) {chomp $ip;}
}

### Else block it and grab the next $ip before looping again ###
else
{
print FIREWALL "### $ip ###\n";
print FIREWALL "\$IPTABLES -t nat -A PREROUTING -s $ip --proto tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80\n";
print FIREWALL "\$IPTABLES -A FORWARD -s $ip -d 0.0.0.0/0 --proto tcp --dport 1:52 -j DROP\n";
print FIREWALL "\$IPTABLES -A FORWARD -s $ip -d 0.0.0.0/0 --proto tcp --dport 54:79 -j DROP\n";
print FIREWALL "\$IPTABLES -A FORWARD -s $ip -d 0.0.0.0/0 --proto tcp --dport 81:65535 -j DROP\n";
print FIREWALL "#####################\n\n";

$ip=<VULNERABLE>;
if ($ip) {chomp $ip;}
$blocking="yes";
}
}

close (FIREWALL);
close (VULNERABLE);

####################
# Restart Firewall #
####################

`/etc/sysconfig/rc.firewall restart`;

#################
# Store Results #
#################

$date=`date`;
chomp $date;

### Add the nessus results to the hostorical nessus log file ###
open (BACKUP, ">>/usr/local/scripts/nessus-script/backup/results.nbe.old");
print BACKUP "\n########## $date ##########\n\n";
close (BACKUP);
`cat /usr/local/scripts/nessus-script/results.nbe >>/usr/local/scripts/nessus-script/backup/results.nbe.old`;

### If anything was blocked update the blocked file ###
if ($blocking eq "yes")
{
open (BLOCKED, ">>/usr/local/scripts/nessus-script/backup/blocked");
print BLOCKED "\n########## $date ##########\n\n";
close (BLOCKED);
`cat /usr/local/scripts/nessus-script/vulnerable >>/usr/local/scripts/nessus-script/backup/blocked`;
}

################################
# clean up for the next round! #
################################

`cp /dev/null /usr/local/scripts/nessus-script/results.nbe`;
`cp /dev/null /usr/local/scripts/nessus-script/targets`;
`cp /dev/null /usr/local/scripts/nessus-script/vulnerable`;
`cp /dev/null /var/log/dhcpd.log.tmp`;

The !exception statements yall have mentioned should help clean the iptable statements up a lot on the drop statements... hopefully i can get it to still allow traffic to windows update too so a block doesnt have to be removed in order for them to get updates. I want to implement an automated removal process as well... which i already have a few ideas brewing for.. too much nastiness on the nets to dedicate a lot of my time to this project right now.

Anyways I haven't made any mods on the code in a few days. I'm gonna jump back into it this afternoon when work slows down and see what I can do to clean it up a bit more.

If you replace 10.1.1.3 below with the ip address for http://windowsupdate.microsoft.com it will let traffic through to that site only without redirecting it. I don't know how the update process works when you connect - there may be some ports you have to leave open. Maybe you know the answer to this already.

iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.100 -d ! 10.1.1.3 -j DNAT --to-destination 10.1.1.2:80

just do for example
ie if you type iptables -D followed by a chain and a rule, it will look for that rule and delete it from the specified chain, wherever it may be.

got the redirect statement nailed i believe...

the following statement will redirect any http traffic originating from 192.168.0.150 -unless- it is hitting the class B network 207.46.0.0. That class B network houses microsoft.com's domain.. or atleast a good portion of it. The user is redirected to the information page which explains why they have been blocked and included i link to windows updates which the excpetion rule allows them to go get their patches.

IPTABLES -t nat -A PREROUTING -s 192.168.0.150 -d ! 207.46.0.0/16 --proto tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80

included with that statement are the drop statements to prohibit any other traffic originating from that computer.

## dont drop port 80 traffic or itll kill the redirect statement... but drop all other tcp
IPTABLES -A FORWARD -s $ip -d 0.0.0.0/0 --proto tcp --dport ! 80 -j DROP

## dont drop dns or they wont be able to get redirected to begin with... but drop all other udp
IPTABLES -A FORWARD -s $ip -d 0.0.0.0/0 --proto udp --dport ! 53 -j DROP

## drop all ICMP
IPTABLES -A FORWARD -s $ip -d 0.0.0.0/0 --proto icmp -j DROP



Still got a long ways to go.. this project might as well go full blown. Ive got a ton of ideas to throw into the mix... nessus for catching vulnerable computers, snort to catch infected computers... and perhaps some tcpdump for similar purposes.