Setting up iptables for mwcollectd

mwcollectd uses NFQUEUE to accept connections on arbitrary ports, following the "dynamic server" method first proposed by Tillmann Werner in honeytrap: an incoming SYN is caught via a raw sniffer and, if the destination port is not open yet, a listening socket is opened for it first. Sniffing alone cannot serve the very first connection attempt, because by the time the socket exists the kernel has already answered the SYN for the closed port with a RST. To make even the first attempt succeed, mwcollectd hooks into NFQUEUE and holds the SYN in the queue until the socket is listening, then releases it so the kernel completes the handshake normally.

A simple NFQUEUE rule that sends every initial TCP SYN (SYN set; RST, ACK and FIN clear) to the default queue 0 might look like this:

iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j NFQUEUE

Note that this rule matches SYNs for every port on every local address, including services you run yourself, and that packets sent to a queue nobody is bound to are dropped by default (unless the target is given --queue-bypass). Keep an ACCEPT rule for your management ports in front of it, or restrict the rule to the honeypot address. If you want mwcollectd to handle only one specific IP address, use:

iptables -A INPUT -d $IP -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j NFQUEUE

And if you run several services that use NFQUEUE on the same box, give mwcollectd a unique queue number (the default is 0) and set the same number in dynserv-nfqueue.conf:

iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j NFQUEUE --queue-num $QUEUE
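As an added example (not part of mwcollectd or this page), the following POSIX sh script combines the three rule variants above: it prints the iptables command for a given queue number, an optional honeypot address and an optional list of management ports that must stay out of the queue, and it checks /proc/net/netfilter/nfnetlink_queue to confirm that a userspace process is bound to the queue before you apply the rule. The queue number, the address 192.0.2.10 and the exempted ports are assumed parameters, not values from the original page.

```shell
#!/bin/sh
# Added example, not mwcollectd's own code: build the NFQUEUE rule for
# mwcollectd and verify that something is bound to the queue.
# Assumed (not from the original page): queue number, honeypot IP and the
# management ports to exempt are passed as parameters.

# mwcollectd_rule QUEUE [IP] [PORTS]
#   QUEUE  NFQUEUE number (must match dynserv-nfqueue.conf)
#   IP     restrict the rule to this destination address ("" = any local address)
#   PORTS  comma-separated TCP ports to keep out of the queue, e.g. "22" or "22,443"
# Prints the iptables command; pipe it into sh (as root) to apply it.
mwcollectd_rule() {
    queue="$1"; ip="${2:-}"; ports="${3:-}"
    dst=""; skip=""
    [ -n "$ip" ] && dst=" -d $ip"
    # Ports you administer the box through must never be held in the queue:
    # a queue with no reader drops its packets, which would lock you out.
    [ -n "$ports" ] && skip=" -m multiport ! --dports $ports"
    # Match only initial SYNs (SYN set; RST, ACK and FIN clear), exactly as the
    # rules above. --queue-bypass (iptables >= 1.4.11, kernel >= 2.6.39) lets
    # the SYN continue to the normal stack when mwcollectd is not running.
    echo "iptables -A INPUT${dst} -p tcp --tcp-flags SYN,RST,ACK,FIN SYN${skip} -j NFQUEUE --queue-num $queue --queue-bypass"
}

# queue_bound QUEUE [PROCFILE]
# Succeeds if a userspace process is bound to NFQUEUE number QUEUE. The kernel
# lists bound queues in /proc/net/netfilter/nfnetlink_queue, one per line:
# first column = queue number, second column = netlink port id of the reader.
# PROCFILE overrides the path so the check can be run against a saved copy.
queue_bound() {
    queue="$1"; procfile="${2:-/proc/net/netfilter/nfnetlink_queue}"
    [ -r "$procfile" ] || return 1
    awk -v q="$queue" '$1 == q && $2 > 0 { found = 1 } END { exit found ? 0 : 1 }' "$procfile"
}

# Typical use: start mwcollectd first, confirm it is bound, then add the rule.
#   queue_bound 3 || echo "nothing is bound to NFQUEUE 3 yet" >&2
#   mwcollectd_rule 3 192.0.2.10 22 | sh
```

Order matters: start mwcollectd (so it binds the queue) before inserting the rule, and check `iptables -L INPUT -n -v --line-numbers` afterwards to make sure no earlier rule in the chain already accepts or drops the SYNs you expect mwcollectd to see.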
