Iptables – Using tcpdump with iptables

iptablestcpdump

I use iptables to block different kind of attacks on my server. We have a different set of rules along with different rate-limit rules. Now I also use a script that would observe the threshold if it were greater than 10mb/s and dump all the packets to a file. This script keeps running all the time in a screen session and uses the following command to dump:

tcpdump -nn -s0 -c 2000 -w Attack.cap
sleep 300

Once attacked, it waits 5 minutes to check for another attack (sleep 300). Now I doubt if during the packets capture process, iptables still work because in /var/messages I see lines like "eth0 entered promiscuous mode" and "eth0 left promiscuous mode" so it might over-look iptables?

Best Answer

http://en.wikipedia.org/wiki/Promiscuous_mode

In computer networking, promiscuous mode or promisc mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.

This does not bypass any kind of firewall.

Related Solutions

Iptables and SNAT

Remove the three rules you have above and try adding this:

$IPTABLES -t NAT -A POSTROUTING -s 192.x.y.a -j SNAT 192.x.y.b
$IPTABLES -A FORWARD -s 192.x.y.a -J ACCEPT

And enter the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

You should also have a rule similar to the following in your firewall:

$IPTABLES -t FILTER -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That will take care of all established/related connections, instead of making a rule for each one.

Tcpdump – how to check rate of packets

capinfos is what you are looking for:

$ capinfos ddos.cap
File name:           ddos.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   1000000
File size:           189073212 bytes
Data size:           173073188 bytes
Capture duration:    2 seconds
Start time:          Fri Jul  5 16:35:04 2013
End time:            Fri Jul  5 16:35:07 2013
Data byte rate:      69839025.27 bytes/sec
Data bit rate:       558712202.18 bits/sec
Average packet size: 173.07 bytes
Average packet rate: 403523.08 packets/sec
SHA1:                34d758e6445061855ca4397729098f469f411fe3
RIPEMD160:           14f430231fc2962cd86ddb8edb8daf75a5d07af8
MD5:                 5893809fb02d1a20997629a9a501842b
Strict time order:   False

Pay attention to the Data bit rate.

What might help here is if someone could edit the original script above instead of capturing 2000 packets and dropping the rest, to capture all packets for a duration of lets say 5 seconds when the threshold hits.

How about this:

tcpdump -n -s0 -w $dumpdir/dump.`date +"%Y%m%d-%H%M%S"`.cap &
sleep 5 && pkill -HUP -f /usr/sbin/tcpdump

Best Answer

Related Solutions

Iptables and SNAT

Tcpdump – how to check rate of packets

Related Topic