P3Scan - Routing Examples

P3Scan is currently running on a couple of Home Networks with broadband access to the internet using a Linux box as the firewall/router.
It is helping to protect networks other than Linux. :)

One Linux box was purchased from a Pawn-Shop for US$200 and is an AMD K6-2-500. It is also running on a Packard Bell Multimedia - Cyrix M-II 300.

They have been hardened and are running a statefull inspection firewall.

One of them is also running Web and Content filtering proxies to include DansGuardian Anti-Virus plugin to help intercept virus's attached to Web Mail.

All the programs are running in transparent mode so the LAN Clients do not even know it exists unless some problem is found and they are notified.

Useful sites for building such an environment:

Slackware Tips & Tricks by Jack S. Lai
Squid Web Proxy Cache
DansGuardian Web Content Filter
DansGuardian Anti-Virus Plugin
Clam Anti-Virus
FRISK F-Prot Anti-Virus

Here is a tip from Douglas Bostrom:

Here's how to make p3scan work on a standalone box with traffic transparently handed over to it by a firewall box using iproute2 and iptables:

On the firewall we have iproute2 setup:

echo 201 pop.proxy >> /etc/iproute2/rt_tables
ip rule add fwmark 1 table pop.proxy
ip route add default via pop.proxy.box dev eth2 table pop.proxy

along with iptables:

iptables -A PREROUTING -i eth1 -t mangle -p tcp --dport 110 -j MARK --set-mark 1

With this arrangement, sure enough pop packets are routed to pop.proxy.box.

Now on pop.proxy.box we arrange a redirect:

iptables -t nat -A PREROUTING -p tcp --dport 110 -j REDIRECT --to 8110

Where "pop.proxy.box" is the address of the box running p3scan. In the ip route line, "eth2" happens to be what I needed of the 4 interfaces on the firewall box in question; use the appropriate port for the target setup.

And here are some iptables rules when p3scan is running on the firewall box and 'eth0' is your internet interface:

echo "Enable transparent SMTP scanning..."
iptables -t nat -I PREROUTING ! -i eth0 -p tcp -s 192.168.1.0/24 --dport 25 -j REDIRECT --to-ports 8110
echo "Enable transparent POP3 scanning..."
iptables -t nat -I PREROUTING ! -i eth0 -p tcp -s 192.168.1.0/24 --dport 110 -j REDIRECT --to-ports 8110
echo "Enable transparent POP3S scanning..."
iptables -t nat -I PREROUTING ! -i eth0 -p tcp -s 192.168.1.0/24 --dport 995 -j REDIRECT --to-ports 8110
echo "Enable transparent IMAP scanning..."
iptables -t nat -I PREROUTING ! -i eth0 -p tcp -s 192.168.1.0/24 --dport 143 -j REDIRECT --to-ports 8110

(IMAP scannining is not available in the stable branch yet...)

Another example:

echo -n "Inserting p3scan redirect rule into nat PREROUTING chain..."
iptables -t nat -I PREROUTING -p tcp -i eth0 --dport pop3 -j REDIRECT --to 8110 2> /dev/null
echo "done."
echo -n "Inserting p3scan reditect rule into nat OUTPUT chain..."
iptables -t nat -I OUTPUT -p tcp --dport pop3 -j REDIRECT --to 8110 2> /dev/null
echo "done."
echo -n "Inserting p3scan accept rule into nat OUTPUT chain..."
iptables -t nat -I OUTPUT -p tcp --dport pop3 -m owner --uid-owner mail -j ACCEPT 2> /dev/null
echo "done."

Home