[DShield] RESEND: OT?: Sleight of hand w/Netfilter and LaBrea

Ed Truitt ed.truitt at etee2k.net
Fri Jun 14 19:53:54 GMT 2002

I think the original copy of this, sent yesterday, may have gotten
lost in the DNS changes.  Anyway, I am resending - if it is a
duplicate, you can disregard.

Hi all - 

I am working on a little experiment, at the request of another list
member.  I have a small (/28) network of real IPs behind a DSL
router.  On this network, I am running 2 Linux boxes, both with
Netfilter/IPTABLES.  On one of the boxes, I am running LaBrea, and
tarpitting the unused IPs.

What I want to do is this:  set up Netfilter on the second box to
take all inbound traffic bound for that box on a specific port (1433,
for example) and "redirect" it to one of the IPs being tarpitted by
LaBrea.  The idea is to use the firewall as a feeder to LaBrea, so
instead of simply DROPping the undesired traffic you shunt it off to
the pit, where the attacker is slowed down (and your LaBrea stats are
boosted 8^).

The only problem is:  I don't do NAT.  All of my hosts are on real
IPs, and the home network is flat (I like simple, I am not a
network-centric type, and I use Netfilter & Friends to keep the
machines as safe as possible.)  I also don't do any filtering at the
router - it is a Cisco 678, and the ISP said (and my experience
confirms) that the filtering capabilities of that router are, let us
say, really primitive.

The command I came up with, that seems to work, is the following:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xx \
  --dport 1433 -j DNAT --to-destination xxx.xxx.xxx.yy

I have noticed that LaBrea is beginning to pick up some additional
threads from SQL worms, and the number of scans to that system is way
down.  The question is, is this all I need to do?  I read a book on
Netfilter, and it appears that it is enough - just wanted to run it
by the list to see if I missed anything.

Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP. 
 Also, if you send me UCE, I reserve the right to post your spew 
on my Web site, with the appropriate color commentary, so that 
others may have a good laugh at your expense."
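One way to turn the single PREROUTING rule in the post into the full set a practitioner would load, as an added example that is not code from the original post. The addresses, interface and defaults are placeholders (192.0.2.x is documentation address space); only port 1433 and the shape of the DNAT rule come from the post. Beyond the DNAT rule it adds the two things that rule silently depends on: IP forwarding has to be enabled, because the rewritten packet is forwarded rather than delivered locally, and the FORWARD chain has to accept the redirected flow back out the same interface. It also offers an optional POSTROUTING SNAT for a caveat worth weighing on a flat network: the tarpitted address answers the scanner directly via the DSL router, never back through the box that holds the conntrack entry, so with DNAT alone the translation is not reversed on the return path. SNAT to the box's own address makes the path symmetric at the cost of LaBrea seeing that box, not the scanner, as the peer.

```shell
#!/bin/sh
# Added example, not code from the original post.  Builds the Netfilter rule
# set that shunts scans of one real IP into a LaBrea-tarpitted address.
# Placeholders (assumptions, not values from the post):
#   DNAT_HOST  real IP of the box running iptables   (xxx.xxx.xxx.xx in the post)
#   TARPIT_IP  unused IP that LaBrea answers ARP for (xxx.xxx.xxx.yy in the post)
#   IFACE      interface facing the DSL router
#   PORTS      TCP ports to redirect; 1433 is the port named in the post
# Default action is to print the rules; run with --apply (as root) to load them.

DNAT_HOST="${DNAT_HOST:-192.0.2.20}"
TARPIT_IP="${TARPIT_IP:-192.0.2.25}"
IFACE="${IFACE:-eth0}"
PORTS="${PORTS:-1433}"

# tarpit_rules HOST PIT IFACE "PORT ..." SNAT(yes|no)
# Prints one shell command per line, in the order they must run.
tarpit_rules() {
    host="$1"; pit="$2"; iface="$3"; ports="$4"; snat="$5"

    # The DNATed packet leaves through the FORWARD path, so the box must
    # forward at all.  A listener bound locally on the port is never reached,
    # because PREROUTING rewrites the destination before the routing decision.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # One PREROUTING rule per port, same shape as the rule in the post.
    for p in $ports; do   # word splitting on spaces is intended here
        echo "iptables -t nat -A PREROUTING -i $iface -p tcp -d $host --dport $p -j DNAT --to-destination $pit"
    done

    # The FORWARD chain decides whether the rewritten packet ever goes out.
    # With a DROP policy (the sensible default on a firewall) this rule is
    # what lets it back out the same interface towards the tarpit address.
    echo "iptables -A FORWARD -i $iface -o $iface -p tcp -d $pit -m conntrack --ctstate DNAT -j ACCEPT"

    # Optional: on a flat network the tarpit host's replies go straight to
    # the DSL router, never back through this box, so conntrack cannot undo
    # the DNAT on the return path.  Rewriting the source to this box's own IP
    # forces replies through it.  Cost: LaBrea logs this box, not the scanner,
    # as the peer.
    if [ "$snat" = "yes" ]; then
        echo "iptables -t nat -A POSTROUTING -o $iface -p tcp -d $pit -m conntrack --ctstate DNAT -j SNAT --to-source $host"
    fi
}

main() {
    apply="no"; snat="no"
    for arg in "$@"; do
        case "$arg" in
            --apply) apply="yes" ;;
            --snat)  snat="yes" ;;
            *) echo "usage: $0 [--apply] [--snat]" >&2; return 2 ;;
        esac
    done
    rules=$(tarpit_rules "$DNAT_HOST" "$TARPIT_IP" "$IFACE" "$PORTS" "$snat")
    if [ "$apply" = "yes" ]; then
        printf '%s\n' "$rules" | sh -e      # stop at the first failing command
    else
        printf '%s\n' "$rules"
    fi
}

main "$@"
```

Run it with no arguments first and read the generated commands; `--snat` adds the POSTROUTING rule, and `--apply` (as root) executes the list. Placing the rules in PREROUTING with `-d $host` keeps every other address on the /28 untouched, which matters on a flat network where the same box forwards nothing else.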
