-
January 30th, 2004, 12:20 PM
#1
Junior Member
Blocking OUTPUT in iptables
Hello
The thread about being undetected in a LAN got me thinking. To cut to the chase: don't ARP requests and eventual broadcasts and such that the kernel might do (I mean Linux here) go through the OUTPUT chain of iptables? And therefore can they be blocked with a DROP rule?
I have done some quick research about how to detect if someone in your LAN has their network interface in promiscuous mode, and from what I've understood the way is to fool the OS of that computer into responding to something sent to an unused IP address. I didn't find a concrete example, but it couldn't be a simple ARP request that does the trick, could it?
Does anyone know how this is achieved (detecting an interface in promiscuous mode)?
And the iptables thing, isn't it possible to forbid _all_ eventual packets from leaving the computer?
Student in computer science at Chalmers University of Technology, Gothenburg, Sweden
-
January 30th, 2004, 04:12 PM
#2
IIRC, you could set a default policy of DROP on the output chain to prevent any packets leaving your PC, but this would be so restrictive it would break things like X. It would be far better to leave the output chain alone, and use a rule to drop outgoing packets on a specific interface, like this:
iptables -A OUTPUT -o eth0 -d 0/0 -j DROP
The -o eth0 is used instead of -i because in this example the output interface is eth0 (packets leaving eth0 for all destinations will be dropped).
-
January 30th, 2004, 04:56 PM
#3
Junior Member
Thanks, but I'm not really after the exact configuration of iptables here (even though it's good to know), more the answer to whether it is possible. I'm not sure that the computer will be undetectable in a LAN if you merely block all output on the interface. (Yes, of course it's possible to just follow the cable from the hub/switch, but I'm interested in iptables here.) Are all packets transported via the iptables chains in Linux? Are there absolutely none that the kernel sends anyway (really low-level stuff) or can be tricked into sending? If so, would it be possible for anyone to put up a Linux box running a sniffer, for example Ethereal, and by blocking all output with iptables be undetectable by the other connected computers?
Student in computer science at Chalmers University of Technology, Gothenburg, Sweden
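The question in the last two posts (whether anything leaves the box that iptables never sees) is worth illustrating, because the answer is yes: iptables filters IPv4 packets, while ARP is a separate link-layer protocol (arptables/ebtables exist for it), so an OUTPUT chain set to DROP still lets the kernel answer ARP requests. That is exactly the property the classic promiscuous-mode probe relies on. The following is an added simulation, not code from any poster: it builds and parses real Ethernet+ARP frames, models one LAN host as an idealized NIC address filter plus a kernel ARP layer, and sends a request to the "fake broadcast" address ff:ff:ff:ff:ff:fe. The `Host` model, the MAC and TEST-NET IP values are constructed for the example; real NIC multicast filters and OS-specific ARP checks vary, so treat the accept/reject rules as the simplified model they are.

```python
"""Simulated ARP probe for promiscuous-mode detection (constructed example)."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")
# "Fake broadcast" probe destination: one bit off from the real broadcast
# address. A NIC's normal-mode address filter does not match it, but it still
# carries the group bit, so a kernel that receives it (promiscuous NIC) treats
# it as a multicast frame and lets the ARP layer answer by target IP.
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ipv4(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body (RFC 826), without FCS."""
    ethernet = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + sender_mac + sender_ip + target_mac + target_ip)
    return ethernet + arp


def parse_arp(frame):
    """Split an Ethernet+ARP frame into its fields, rejecting anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "dst": frame[0:6], "src": frame[6:12], "opcode": opcode,
        "sender_mac": frame[22:28], "sender_ip": frame[28:32],
        "target_mac": frame[32:38], "target_ip": frame[38:42],
    }


class Host:
    """Idealized model of one LAN host: NIC address filter plus kernel ARP layer."""

    def __init__(self, mac_addr, ip_addr, promiscuous=False):
        self.mac, self.ip, self.promiscuous = mac_addr, ip_addr, promiscuous

    def nic_accepts(self, frame):
        # Normal mode: own unicast address or broadcast only (this model
        # subscribes to no multicast groups). Promiscuous mode: everything.
        dst = frame[0:6]
        return self.promiscuous or dst == self.mac or dst == BROADCAST

    def receive(self, frame):
        """Return the ARP reply this host would emit for `frame`, or None."""
        if not self.nic_accepts(frame):
            return None
        req = parse_arp(frame)
        if req["opcode"] != ARP_REQUEST or req["target_ip"] != self.ip:
            return None
        # An iptables OUTPUT policy of DROP does not apply here: iptables
        # filters IPv4, and this reply is an ARP frame, not an IP packet.
        return build_arp(req["sender_mac"], self.mac, ARP_REPLY,
                         self.mac, self.ip, req["sender_mac"], req["sender_ip"])


def probe(prober_mac, prober_ip, suspect_ip, suspect):
    """True if `suspect` answers an ARP request addressed to the fake broadcast MAC."""
    request = build_arp(FAKE_BROADCAST, prober_mac, ARP_REQUEST,
                        prober_mac, prober_ip, bytes(6), suspect_ip)
    reply = suspect.receive(request)
    if reply is None:
        return False
    parsed = parse_arp(reply)
    return parsed["opcode"] == ARP_REPLY and parsed["sender_ip"] == suspect_ip


def demo():
    """Probe one normal host and one sniffing host (constructed addresses)."""
    prober_mac, prober_ip = mac("02:00:00:00:00:01"), ipv4("192.0.2.1")
    normal = Host(mac("02:00:00:00:00:10"), ipv4("192.0.2.10"))
    sniffer = Host(mac("02:00:00:00:00:20"), ipv4("192.0.2.20"), promiscuous=True)
    return {
        "normal_host_replies": probe(prober_mac, prober_ip, normal.ip, normal),
        "promiscuous_host_replies": probe(prober_mac, prober_ip, sniffer.ip, sniffer),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the thread is asking about: the host in normal mode never sees the oddly addressed request, while the sniffing host's NIC passes it up and the kernel answers by target IP, so the sniffer gives itself away regardless of any iptables OUTPUT rule. A defender running such a probe across a segment is looking for hosts that answer when they should not.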
-
January 30th, 2004, 05:04 PM
#4
Member
You can also search for what you are looking for on Google.
peace out
-
January 30th, 2004, 05:21 PM
#5
Junior Member
Yes, of course, and I've done so. But I couldn't really find anything that gave me the info I wanted.
It's hard to prove that anything is secure at all, so I'm checking here whether someone has any knowledge that it is not secure (which is much easier to prove, or in fact the only one of the two that is even provable at all).
Later on, within a few months (when I have time), I will try it in my lab network at home, but it's nice to have a theory to start with and try out, or else I might miss some testing that would give interesting results.
Student in computer science at Chalmers University of Technology, Gothenburg, Sweden