[Labrea-users] TR: Labrea Question
From: Gordon, L. <Lor...@te...> - 2004-07-27 21:16:30
-----Original Message-----
From: lorgor
Sent: July 27, 2004 17:12
To: 'Mike'
Subject: RE: Labrea Question

Sorry to be so long in responding.

You don't specify but if we're talking iptables, I imagine it's linux.

labrea needs to see a packet coming in to the mac address of one of the virtual IP machines. Just redirecting the packet via iptables won't do it (IMHO) because you will have the mac of the real machine. labrea ignores these packets.

lorgor

-----Original Message-----
From: Mike
Sent: July 27, 2004 11:30
To: lo...@us...
Subject: Labrea Question

Lorgor:

I posted this to the mailing list but haven't heard anything. Don't know if you monitor that or not. All addresses are (obviously) notional.

===================================

I must be missing something, but everything I've tried seems to indicate that this is not possible - redirecting traffic to a tarpit running on the same machine.

Say I have a machine running at 10.10.10.1 with normal mail and web services. I also have Labrea running on the SAME machine, capturing 10.10.10.2 through 10.10.10.10.

Someone with the IP address 192.168.50.50 starts attacking my website at 10.10.10.1. I would like to have a script detect the attack and issue the iptables command to redirect this address to the tarpit addresses. Ideally I would have access to the upstream router to do this redirect before it even hits the web/tarpit box, but I don't.

I assumed I could simply do this by NATing the destination address from 10.10.10.1 to 10.10.10.2 but it doesn't seem to work.

Would this iptables entry go in the INPUT chain or the FORWARD chain? Is it even possible?

    /sbin/iptables -t nat -I PREROUTING -s 192.168.50.50 -p tcp -j DNAT --to-destination 10.10.10.2
    /sbin/iptables -I INPUT -s 192.168.50.50 -p tcp -j ACCEPT

Yes, I know the new version of iptables has a -j TARPIT option, but I don't have that kernel built.

Thanks.

Mike
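The point made in the reply, as an added illustration that is not part of the original emails and is not LaBrea's code: a DNAT rule rewrites the IP destination and header checksum, while the Ethernet destination stays that of the real NIC. The MAC addresses are constructed, and `tarpit_would_answer` is a hypothetical model of the filter as the reply describes it.

```python
import socket
import struct

REAL_MAC = bytes.fromhex("02aabbccdd01")     # constructed: NIC of the 10.10.10.1 host
VIRTUAL_MAC = bytes.fromhex("02aabbccddfe")  # assumption: MAC tied to a tarpit virtual IP
SENDER_MAC = bytes.fromhex("02aabbccdd99")   # constructed: upstream router

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 for a header with a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Ethernet II header plus a minimal 20-byte IPv4 header (protocol 6 = TCP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr

def dnat(frame, new_dst_ip):
    """What DNAT changes: IP destination and checksum. Layer 2 is left untouched."""
    eth, hdr = frame[:14], bytearray(frame[14:34])
    hdr[16:20] = socket.inet_aton(new_dst_ip)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return eth + bytes(hdr) + frame[34:]

def parse(frame):
    return {"dst_mac": frame[:6],
            "dst_ip": socket.inet_ntoa(frame[30:34]),
            "checksum_ok": ip_checksum(frame[14:34]) == 0}

def tarpit_would_answer(frame):
    """Hypothetical filter: only frames sent to a virtual machine's MAC are handled."""
    return parse(frame)["dst_mac"] == VIRTUAL_MAC

if __name__ == "__main__":
    hit = build_frame(REAL_MAC, SENDER_MAC, "192.168.50.50", "10.10.10.1")
    redirected = dnat(hit, "10.10.10.2")
    direct = build_frame(VIRTUAL_MAC, SENDER_MAC, "192.168.50.50", "10.10.10.2")
    for name, f in (("redirected", redirected), ("direct", direct)):
        p = parse(f)
        print(name, p["dst_ip"], p["dst_mac"].hex(":"), tarpit_would_answer(f))
```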