背景
笔者写的蜜罐的agent底层依赖iptables,在设置高交互蜜罐的端口转发规则时会用到iptables的multiport --dports指令,但是超过--dports超过15个的话,会报too many ports specified错误:
iptables -A INPUT -p tcp -m multiport --dports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 iptables -A INPUT -p tcp -m multiport --dports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 iptables v1.4.21: too many ports specified Try `iptables -h' or 'iptables --help' for more information.
关于蜜罐与攻击欺骗防御系统的设计与实现,可以参考笔者之前写过的文章。
解决方案
投石问路
蜜罐的规则在运营过程是肯定会超过15个,不可能为了规避iptables的这个特性就缩小规则列表。 IPTABLES报这个错误的根本原因是iptables的源码中include/linux/netfilter/xt_multiport.h的宏XT_MULTI_PORTS指定了参数个数为15个,如下所示:
#ifndef _XT_MULTIPORT_H#define _XT_MULTIPORT_H#include <linux/types.h>cenum xt_multiport_flags {
XT_MULTIPORT_SOURCE,
XT_MULTIPORT_DESTINATION,
XT_MULTIPORT_EITHER};#define XT_MULTI_PORTS 15很傻很天真的我最初认为把这个将XT_MULTI_PORTS的值改大重新编译iptables就可以了,事实证明我还是太年青了。等编译完后一执行又报错了,提示让看dmesg,发现如下错误:
[ 1379.325905] x_tables: ip_tables: multiport.1 match: invalid size 48 (kernel) != (user) 456[ 1650.126296] x_tables: ip_tables: multiport.1 match: invalid size 48 (kernel) != (user) 304
以上2条LOG分别是将XT_MULTI_PORTS改为150和100产生的。为什么捏?
通过观察include/linux/netfilter/xt_multiport.h的代码片断,确定为正好是以下struct中XT_MULTI_PORTS分别为150和100的size。
struct xt_multiport_v1 {
__u8 flags; /* Type of comparison */
__u8 count; /* Number of ports */
__u16 ports[XT_MULTI_PORTS]; /* Ports */
__u8 pflags[XT_MULTI_PORTS]; /* Port flags */
__u8 invert; /* Invert flag */};这个时候我才恍然大悟,本来iptables就是netfilter的用户接口,最终的操作结果是传到内核级模块netfilter中的,还需要修内核中netfilter模块相对应的代码部分,经确定在以下文件中include/uapi/linux/netfilter/xt_multiport.h,修改完还要重新编译内核。这个方案比较麻烦,先PASS了,还是在agent中实现吧。
柳暗花明
如果一条策略中的端口超过了15个,那我们将策略分成多条即可。先写一个端口数量分割的工具函数:
func SplitWhitePorts(ports []string) (map[int][]string) {
result := make(map[int][]string)
total := len(ports)
batch := 0
if total%15 == 0 {
batch = total / 15
for i := 0; i < batch; i++ {
result[i] = ports[i*15 : (i+1)*15]
}
} else {
batch = total / 15
for i := 0; i < batch; i++ {
result[i] = ports[i*15 : (i+1)*15]
}
result[batch] = ports[batch*15 : total]
}
return result}测试结果满足预期:
[ `go run csrf.go` | done: 561.973248ms ] map[0:[1 2 3 4 5 6]] map[0:[1 2 3 4 5 6 7 8 9 10 11 12 13 14 15]] map[0:[1 2 3 4 5 6 7 8 9 10 11 12 13 14 15] 1:[16 17 18 19 20]]
然后在刷新策略部分应用之:
if strings.ToLower(mode) == "honeypot" {
whiteIpPolicy := vars.HoneypotPolicy.WhiteIp
// set white policy
for _, whiteIp := range whiteIpPolicy {
logger.Log.Println("/sbin/iptables", "-t", "filter", "-A", "WHITELIST", "-i", setting.Interface, "-s", whiteIp, "-j", "DROP")
exec.Command("/sbin/iptables", "-t", "filter", "-A", "WHITELIST", "-i", setting.Interface, "-s",
whiteIp, "-j", "DROP").Output()
}
for _, ports := range util.SplitWhitePorts(vars.HoneypotPolicy.WhitePort) {
logger.Log.Println("/sbin/iptables", "-t", "nat", "-A", "HONEYPOT", "-i", setting.Interface,
"-p", "tcp", "-m", "multiport", "!", "--dports", strings.Join(ports, ","),
"-j", "DNAT", "--to-destination", vars.HoneypotPolicy.Backend)
ret, err := exec.Command("/sbin/iptables", "-t", "nat", "-A", "HONEYPOT", "-i", setting.Interface,
"-p", "tcp", "-m", "multiport", "!", "--dports", strings.Join(ports, ","), "-j",
"DNAT", "--to-destination", vars.HoneypotPolicy.Backend).Output()
logger.Log.Println(ret, err)
}
}
