LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 09-15-2004, 11:44 AM   #1
BoarderX
LQ Newbie
 
Registered: Jul 2004
Posts: 25

Rep: Reputation: 15
IPtables Redirection Exception?


Is there any way to do an exception statement in IPtables for a redirection rule? ex// redirect any port 80 traffic from IP 10.1.1.100 to 10.1.1.2 -unless- it is trying to reach a website at 10.1.1.3.

scenario.. automated script using nessus detects a windows box with high risk patches missing. The script inserts that IP into IPtables saying rediect anything port 80 from this IP to this information web page as well as dropping all other traffic from that IP. On that informative webpage I will explain to them why they have been redirected their and give instructions on going to microsoft windows update. Well, no can do with the rediect statement unless it can allow an exception for windowsupdate related sites.

I believe what I'm asking may exceed the limitations of IPtables but it never hurts to ask.

btw... am i reinventing any known projects with that little scenario?

thx
 
Old 09-15-2004, 03:32 PM   #2
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
I'm far from an iptables expert, but the iptable man pages state that you can specify a ! to negate/exclude source/destination/protocols. i.e. -s !192.168.9.2, !icmp, etc...

See: man iptables
 
Old 09-15-2004, 04:17 PM   #3
reetep
Member
 
Registered: Oct 2003
Location: UK
Distribution: Debian
Posts: 122

Rep: Reputation: 15
I'm rusty on iptables, but perhaps something like

iptables -t nat PREROUTING -s 10.1.1.100 -d ! 10.1.1.3 -j DNAT --to-destination 10.1.1.2:80

might do the trick. I'm not sure if -s and -d work in the prerouting chain, but I think they do, so just try it. man iptables if you want to check.

Note that if your webserver on 10.1.1.2 doesn't run on port 80 you will have to change the above. eg you might have 10.1.1.2:8000. Note also that you DO have to specify a port here, because your client machine may be doing some ftp or something else instead, and if you don't specify the port, it will be left unchanged, meaning your webserver will recieve a request at port 21.

Good luck, reetep.


PS would you be kind enough to share your scripts and/or your page of advice? I would love to be able to make use of them.
 
Old 09-22-2004, 05:47 AM   #4
reetep
Member
 
Registered: Oct 2003
Location: UK
Distribution: Debian
Posts: 122

Rep: Reputation: 15
How'd you get on BorderX? Hope you achieved what you wanted.

I understand if you don't want to share your scripts and or html, because I'm sure you've put a lot of work in. Perhaps it's not your work to share.

But if you are willing, I'd love to be able to make use of them. Would you mind replying to let me know one way or the other? You are perfectly entitled to say "no" !
 
Old 09-22-2004, 09:45 AM   #5
BoarderX
LQ Newbie
 
Registered: Jul 2004
Posts: 25

Original Poster
Rep: Reputation: 15
Well this Its still in a very conceptual stage and Im working alone on it so its pretty narrow minded.. Im not a very good programmer, i do network configurations, but its working well in my testlab so far. Heres what I got... and yes, there are a lot of prerequisits how you have things setup on your system. Plus you have to know how to finetune nessus to only probe for certain things so you dont risk locking peoples computers up. If this gets running smoothly with all the little kinks worked out, it could potentially be unleashed on a 2500+ node network. We'll see how it goes....

Feel free to critisize constructively. I'm sure there is plenty to dish out =)

#!/usr/bin/perl -w

#############################################################
# First open the dhcp messages and create a target file #
# using a list of IPs from the "DHCPACK on xxx.xxx.xxx.xxx" #
# This assumes you have syslog set to doublelog your dhcp #
# msgs to a disposable file, dhcpd.log.tmp. #
#############################################################

`grep DHCPACK /var/log/dhcpd.log.tmp | cut -d' ' -f8 | sort -u >> /usr/local/scripts/nessus-script/targets`;

######################################################
# Launch the nessus client using the target file and #
# create a result file with all the nessus warnings. #
# Option to use the result file create an html page. #
######################################################

`nessus -q -T nbe localhost 1241 admin admin /usr/local/scripts/nessus-script/targets /usr/local/scripts/nessus-script/results.nbe`;

#`nessus -i /usr/local/scripts/nessus-script/results.nbe -o /var/www/html/vulnerable.html`;

##################################################
# Parse through the results file and extract IPs #
# that have "Risk factor : High" vulnerabilities #
# and place them into the file vulnerable #
##################################################

`grep "Risk factor : High" results.nbe | cut -d'|' -f3 | sort -u >> /usr/local/scripts/nessus-script/vulnerable`;

########################################################
# Extract IPs from the Vulnerable file and add them #
# to iptables with the appropriate redirect statements #
########################################################

open (FIREWALL, ">>/etc/sysconfig/rc.firewall");
open (VULNERABLE, "/usr/local/scripts/nessus-script/vulnerable");

$ip=<VULNERABLE>;
if ($ip) {chomp $ip;}
$blocking="0";

### loop this process until $ip is nothing ###
while ($ip) {

### check to see if $ip has already been blocked ###
$blocked=`grep $ip /usr/local/scripts/nessus-script/backup/blocked`;
### If $ip is already blocked get next IP and restart while loop ###
if ($blocked)
{
$ip=<VULNERABLE>;
if ($ip) {chomp $ip;}
}

### Else block it and grab the next $ip before looping again ###
else
{
print FIREWALL "### $ip ###\n";
print FIREWALL "\$IPTABLES -t nat -A PREROUTING -s $ip --proto tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80\n";
print FIREWALL "\$IPTABLES -A FORWARD -s $ip -d 0.0.0.0/0 --proto tcp --dport 1:52 -j DROP\n";
print FIREWALL "\$IPTABLES -A FORWARD -s $ip -d 0.0.0.0/0 --proto tcp --dport 54:79 -j DROP\n";
print FIREWALL "\$IPTABLES -A FORWARD -s $ip -d 0.0.0.0/0 --proto tcp --dport 81:65535 -j DROP\n";
print FIREWALL "#####################\n\n";

$ip=<VULNERABLE>;
if ($ip) {chomp $ip;}
$blocking="yes";
}
}

close (FIREWALL);
close (VULNERABLE);

####################
# Restart Firewall #
####################

`/etc/sysconfig/rc.firewall restart`;

#################
# Store Results #
#################

$date=`date`;
chomp $date;

### Add the nessus results to the hostorical nessus log file ###
open (BACKUP, ">>/usr/local/scripts/nessus-script/backup/results.nbe.old");
print BACKUP "\n########## $date ##########\n\n";
close (BACKUP);
`cat /usr/local/scripts/nessus-script/results.nbe >>/usr/local/scripts/nessus-script/backup/results.nbe.old`;

### If anything was blocked update the blocked file ###
if ($blocking eq "yes")
{
open (BLOCKED, ">>/usr/local/scripts/nessus-script/backup/blocked");
print BLOCKED "\n########## $date ##########\n\n";
close (BLOCKED);
`cat /usr/local/scripts/nessus-script/vulnerable >>/usr/local/scripts/nessus-script/backup/blocked`;
}

################################
# clean up for the next round! #
################################

`cp /dev/null /usr/local/scripts/nessus-script/results.nbe`;
`cp /dev/null /usr/local/scripts/nessus-script/targets`;
`cp /dev/null /usr/local/scripts/nessus-script/vulnerable`;
`cp /dev/null /var/log/dhcpd.log.tmp`;
 
Old 09-22-2004, 10:02 AM   #6
BoarderX
LQ Newbie
 
Registered: Jul 2004
Posts: 25

Original Poster
Rep: Reputation: 15
The !exception statements yall have mentioned should help clean the iptable statements up a lot on the drop statements... hopefully i can get it to still allow traffic to windows update too so a block doesnt have to be removed in order for them to get updates. I want to implement an automated removal process as well... which i already have a few ideas brewing for.. too much nastiness on the nets to dedicate a lot of my time to this project right now.

Anyways I haven't made any mods on the code in a few days. I'm gonna jump back into it this afternoon when work slows down and see what I can do to clean it up a bit more.
 
Old 09-22-2004, 10:51 AM   #7
reetep
Member
 
Registered: Oct 2003
Location: UK
Distribution: Debian
Posts: 122

Rep: Reputation: 15
Quote:
hopefully i can get it to still allow traffic to windows update too so a block doesnt have to be removed in order for them to get updates
If you replace 10.1.1.3 below with the ip address for http://windowsupdate.microsoft.com it will let traffic through to that site only without redirecting it. I don't know how the update process works when you connect - there may be some ports you have to leave open. Maybe you know the answer to this already.

iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.100 -d ! 10.1.1.3 -j DNAT --to-destination 10.1.1.2:80

Quote:
I want to implement an automated removal process as well...
just do for example
Code:
iptables -D FORWARD -s $ip -d 0.0.0.0/0 --proto tcp --dport 1:52 -j DROP
ie if you type iptables -D followed by a chain and a rule, it will look for that rule and delete it from the specified chain, wherever it may be.
 
Old 09-22-2004, 06:43 PM   #8
BoarderX
LQ Newbie
 
Registered: Jul 2004
Posts: 25

Original Poster
Rep: Reputation: 15
got the redirect statement nailed i believe...

the following statement will redirect any http traffic originating from 192.168.0.150 -unless- it is hitting the class B network 207.46.0.0. That class B network houses microsoft.com's domain.. or atleast a good portion of it. The user is redirected to the information page which explains why they have been blocked and included i link to windows updates which the excpetion rule allows them to go get their patches.

IPTABLES -t nat -A PREROUTING -s 192.168.0.150 -d ! 207.46.0.0/16 --proto tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80

included with that statement are the drop statements to prohibit any other traffic originating from that computer.

## dont drop port 80 traffic or itll kill the redirect statement... but drop all other tcp
IPTABLES -A FORWARD -s $ip -d 0.0.0.0/0 --proto tcp --dport ! 80 -j DROP

## dont drop dns or they wont be able to get redirected to begin with... but drop all other udp
IPTABLES -A FORWARD -s $ip -d 0.0.0.0/0 --proto udp --dport ! 53 -j DROP

## drop all ICMP
IPTABLES -A FORWARD -s $ip -d 0.0.0.0/0 --proto icmp -j DROP



Still got a long ways to go.. this project might as well go full blown. Ive got a ton of ideas to throw into the mix... nessus for catching vulnerable computers, snort to catch infected computers... and perhaps some tcpdump for similar purposes.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
help createing exception class from base STL exception qwijibow Programming 4 04-20-2005 05:23 AM
Help:iptables redirection swmok Linux - Networking 2 11-24-2004 07:47 AM
redirection of ftp using iptables bacon22 Linux - General 1 03-10-2004 05:21 PM
Iptables, Port redirection... and I'm a nimrod finegan Linux - Networking 3 09-14-2003 01:48 PM
Runtime Exception vs. Exception mikeshn Programming 1 09-22-2002 05:33 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 06:36 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration