Network:
-----ppp0 modem-- [Linux router]eth0------[Honeypot]---
192.168.1.2 192.168.1.56
I have 2 rules in iptables:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A PREROUTING --in-interface ppp0 --protocol tcp --destination-port ! ssh --jump DNAT --to-destination 192.168.1.5
I usually use the Linux router for work and the honeypot for fun & profit.
I always execute tcpdump -i eth0 -s 9000 -w LOGFILE on the router
machine.
The last day, when I was making a revision of the log, I discovered that in
the log I could read a "response" to an HTTP request that I do from the
Linux router (I make the request to an external site over the ppp
connection).
Unfortunately I only have the snoop of the ppp0 interface.
80.34.69.xxx = external server
1) I make an HTTP request to the 80.34.69.xxx server
2) I read the web contents correctly
3) Apparently the kernel forwards the response to 192.168.1.56 (honeypot)
#tcpdump -r JAULA6 -n 'tcp port 80 && host 80.34.69.xxx'
03:28:03.303637 80.34.69.xxx.80 > 192.168.1.56.33352: .
3888813151:3888814599(1448) ack 2877177511 win 6710 <nop,nop,timestamp
110497018 7927497> (DF)
03:28:03.304382 192.168.1.56.33352 > 80.34.69.xxx.80: R
2877177511:2877177511(0) win 0
#tcpdump -r JAULA6 -n 'tcp port 3000 && host 80.34.69.xxx'
03:17:04.803886 80.34.69.xxx.3000 > 192.168.1.56.33329: P
3209289308:3209289324(16) ack 2224478666 win 6720 <nop,nop,timestamp
110431569 7862787> (DF)
03:17:04.804585 192.168.1.56.33329 > 80.34.69.xxx.3000: R
2224478666:2224478666(0) win 0
In the 2 cases the honeypot responds with RST because it didn't start the
connection.
This happens rarely, only 2 times in 1 day :|
Bye!
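An added example (not from the post or the thread) showing how a defender can spot the pattern described above in a tcpdump text dump: a segment from an external host is delivered to an internal machine, and that machine immediately answers with an RST whose sequence number equals the ACK of the segment it received, which is what a host does for a segment that matches no connection it has. The internal prefix 192.168.1. and the helper names are assumptions; the four sample lines are the post's own output, re-joined onto single lines.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample input: the four capture lines quoted in the post,
# each wrapped line joined back into one tcpdump record.
SAMPLE_LOG = """\
03:28:03.303637 80.34.69.xxx.80 > 192.168.1.56.33352: . 3888813151:3888814599(1448) ack 2877177511 win 6710 <nop,nop,timestamp 110497018 7927497> (DF)
03:28:03.304382 192.168.1.56.33352 > 80.34.69.xxx.80: R 2877177511:2877177511(0) win 0
03:17:04.803886 80.34.69.xxx.3000 > 192.168.1.56.33329: P 3209289308:3209289324(16) ack 2224478666 win 6720 <nop,nop,timestamp 110431569 7862787> (DF)
03:17:04.804585 192.168.1.56.33329 > 80.34.69.xxx.3000: R 2224478666:2224478666(0) win 0
"""

# Classic (pre-4.x) tcpdump TCP line: time src.port > dst.port: flags seq:end(len) [ack N] win W ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>[^:\s]+) > (?P<dst>[^:\s]+): "
    r"(?P<flags>\S+) "
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)

Segment = namedtuple("Segment", "ts src sport dst dport flags seq ack length")


def split_endpoint(endpoint):
    """Split 'host.port' on the last dot; tolerates a masked host like 80.34.69.xxx."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Parse one tcpdump line into a Segment, or None for lines that are not TCP records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    ack = int(m.group("ack")) if m.group("ack") else None
    return Segment(m.group("ts"), src, sport, dst, dport, m.group("flags"),
                   int(m.group("seq")), ack, int(m.group("len")))


def _ms_between(ts_a, ts_b):
    fmt = "%H:%M:%S.%f"
    delta = datetime.strptime(ts_b, fmt) - datetime.strptime(ts_a, fmt)
    return round(delta.total_seconds() * 1000, 3)


def find_unsolicited_rst(lines, internal_prefix="192.168.1."):
    """Report inbound segments that an internal host rejected with an RST.

    Rule: keep the latest segment seen from an outside host to each internal
    (host, port); when the internal side then sends an RST on that 4-tuple and
    the RST's seq equals the inbound segment's ack, the internal host had no
    matching connection, so the segment was delivered to the wrong machine.
    """
    pending = {}   # (remote, rport, local, lport) -> last inbound Segment
    findings = []
    for seg in filter(None, map(parse_line, lines)):
        inbound = seg.dst.startswith(internal_prefix) and not seg.src.startswith(internal_prefix)
        if inbound:
            pending[(seg.src, seg.sport, seg.dst, seg.dport)] = seg
            continue
        if "R" in seg.flags and seg.src.startswith(internal_prefix):
            prior = pending.pop((seg.dst, seg.dport, seg.src, seg.sport), None)
            if prior is not None and prior.ack is not None and seg.seq == prior.ack:
                findings.append({
                    "internal_host": seg.src,
                    "remote": "%s:%d" % (seg.dst, seg.dport),
                    "payload_bytes": prior.length,
                    "delay_ms": _ms_between(prior.ts, seg.ts),
                })
    return findings


if __name__ == "__main__":
    for f in find_unsolicited_rst(SAMPLE_LOG.splitlines()):
        print("%(internal_host)s reset %(payload_bytes)d bytes from %(remote)s after %(delay_ms)s ms" % f)
```

Run over a capture taken on the inside interface (as the post's tcpdump -i eth0 does), each finding names an internal host that received traffic for a connection it never opened. A handful of these per day, as reported above, is worth cross-checking against the router's NAT rules and its connection-tracking state, since the same signature would also appear if the DNAT rule were steering packets to an address other than the one the router's own sockets expect.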
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/