From edfd5eaa5baeab3abdd1998cf31f38e0ff9c213f Mon Sep 17 00:00:00 2001 From: Marco Ochse Date: Mon, 16 Apr 2018 12:39:46 +0000 Subject: [PATCH] tweaking glutton, automatic iptables rules --- bin/rules.sh | 68 ++++++++++++++++++++++--------- docker/glutton/Dockerfile | 2 +- docker/glutton/dist/rules.yaml | 4 +- docker/glutton/docker-compose.yml | 8 ++-- docker/glutton/notes | 50 ----------------------- 5 files changed, 56 insertions(+), 76 deletions(-) delete mode 100644 docker/glutton/notes diff --git a/bin/rules.sh b/bin/rules.sh index 2d20a955..0bdb6cda 100755 --- a/bin/rules.sh +++ b/bin/rules.sh @@ -20,13 +20,13 @@ fi function fuNFQCHECK { ### Check if honeytrap or glutton is actively enabled in docker-compose.yml -myNFQCHECK=$(grep -e '^\s*honeytrap:\|^\s*glutton:' $myDOCKERCOMPOSEYML | tr -d ': ' | wc -l) -if [ "$myNFQCHECK" == "0" ]; +myNFQCHECK=$(grep -e '^\s*honeytrap:\|^\s*glutton:' $myDOCKERCOMPOSEYML | tr -d ': ' | uniq) +if [ "$myNFQCHECK" == "" ]; then - echo "No NFQ related honeypot detected, no firewall rules needed. Exiting." + echo "No NFQ related honeypot detected, no iptables rules needed. Exiting." exit else - echo "Detected at least one NFQ based honeypot, firewall rules needed. Continuing." + echo "Detected $myNFQCHECK as NFQ based honeypot, iptables rules needed. Continuing." fi } 
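Review bot: The new `myNFQCHECK` value is used without validation: `uniq` only collapses adjacent duplicates, so with both honeytrap and glutton enabled the variable holds two lines, and the later `== "honeytrap"` / `== "glutton"` tests in fuSETRULES and fuUNSETRULES (second hunk) both fail silently while this function still prints "Continuing." and no iptables rule is touched. A guard after the empty check would make the single-honeypot assumption explicit, e.g. `case "$myNFQCHECK" in honeytrap|glutton) ;; *) echo "Exactly one NFQ honeypot (honeytrap or glutton) may be enabled, found: $myNFQCHECK"; exit 1;; esac`. `$myDOCKERCOMPOSEYML` is also unquoted in the grep call, which breaks on a path containing whitespace.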
@@ -36,32 +36,62 @@ function fuGETPORTS { myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' ) myDOCKERCOMPOSEPORTS+=" $myHOSTPORTS" myRULESPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo $i; done | sort -gu) +echo "Setting up / removing these ports:" +echo "$myRULESPORTS" } function fuSETRULES { -### Setting up iptables rules +### Setting up iptables rules for honeytrap +if [ "$myNFQCHECK" == "honeytrap" ]; + then + /sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT + /sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT -/sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT -/sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT - -for myPORT in $myRULESPORTS; do - /sbin/iptables -w -A INPUT -p tcp --dport $myPORT -j ACCEPT -done + for myPORT in $myRULESPORTS; do + /sbin/iptables -w -A INPUT -p tcp --dport $myPORT -j ACCEPT + done -/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE + /sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE +fi + +### Setting up iptables rules for glutton +if [ "$myNFQCHECK" == "glutton" ]; + then + /sbin/iptables -w -t raw -A PREROUTING -s 127.0.0.1 -j ACCEPT + /sbin/iptables -w -t raw -A PREROUTING -d 127.0.0.1 -j ACCEPT + + for myPORT in $myRULESPORTS; do + /sbin/iptables -w -t raw -A PREROUTING -p tcp --dport $myPORT -j ACCEPT + done + # No need for NFQ forwarding, such rules are set up by glutton +fi } function fuUNSETRULES { -### Removing iptables rules +### Removing iptables rules for honeytrap +if [ "$myNFQCHECK" == "honeytrap" ]; + then + /sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT + /sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT -/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT -/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT + for myPORT in $myRULESPORTS; do + /sbin/iptables -w -D INPUT -p tcp --dport $myPORT -j ACCEPT + done -for myPORT in $myRULESPORTS; do - /sbin/iptables -w -D 
INPUT -p tcp --dport $myPORT -j ACCEPT -done + /sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE +fi -/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE +### Removing iptables rules for glutton +if [ "$myNFQCHECK" == "glutton" ]; + then + /sbin/iptables -w -t raw -D PREROUTING -s 127.0.0.1 -j ACCEPT + /sbin/iptables -w -t raw -D PREROUTING -d 127.0.0.1 -j ACCEPT + + for myPORT in $myRULESPORTS; do + /sbin/iptables -w -t raw -D PREROUTING -p tcp --dport $myPORT -j ACCEPT + done + # No need for removing NFQ forwarding, such rules are removed by glutton +fi } # Main diff --git a/docker/glutton/Dockerfile b/docker/glutton/Dockerfile index e01809a8..49218ca3 100644 --- a/docker/glutton/Dockerfile +++ b/docker/glutton/Dockerfile @@ -45,4 +45,4 @@ RUN apk -U --no-cache add bash \ # Run supervisor upon container start WORKDIR /opt/glutton -CMD bin/server -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:]) -l /var/log/glutton/glutton.log -d true +CMD exec bin/server -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:]) -l /var/log/glutton/glutton.log -d true diff --git a/docker/glutton/dist/rules.yaml b/docker/glutton/dist/rules.yaml index b2cad527..54e03f58 100644 --- a/docker/glutton/dist/rules.yaml +++ b/docker/glutton/dist/rules.yaml @@ -1,5 +1,5 @@ rules: - - match: tcp dst port 64295 + - match: tcp dst port 5001 type: passthrough name: ssh - match: tcp dst port 22 or port 2222 @@ -35,4 +35,4 @@ rules: type: conn_handler target: default - match: udp - type: drop + type: drop \ No newline at end of file diff --git a/docker/glutton/docker-compose.yml b/docker/glutton/docker-compose.yml index c403eae8..1b260dc4 100644 --- a/docker/glutton/docker-compose.yml +++ b/docker/glutton/docker-compose.yml @@ -1,9 +1,6 @@ # For docker-compose ... version: '2.2' -networks: - glutton_local: - services: # glutton service 
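Review bot: The new glutton branch in fuSETRULES exempts loopback traffic by address (`-t raw -A PREROUTING -s 127.0.0.1 -j ACCEPT` and the `-d 127.0.0.1` twin) rather than by interface, and in the raw PREROUTING chain that matches packets arriving on every interface, so anything carrying a loopback address is skipped regardless of where it came from; matching the interface is tighter and needs only one rule, `/sbin/iptables -w -t raw -A PREROUTING -i lo -j ACCEPT`, mirrored with `-D` in fuUNSETRULES. The honeytrap INPUT rules, which this commit only moves into the new `if`, have the same shape. Because all of these rules are appended with `-A`, they are only honoured if glutton's own queueing rule ends up after them; the comment `# No need for NFQ forwarding, such rules are set up by glutton` should state whether glutton inserts at the head or appends, which I cannot tell from the patch. fuGETPORTS begins before this hunk.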
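Review bot: In the new `CMD exec bin/server ...` line, `tr -d [:punct:]` is unquoted; this is a shell-form CMD run through `sh -c` with WORKDIR /opt/glutton, so `[:punct:]` is a glob that is expanded against that directory before `tr` sees it, and a single-character filename there would silently change the argument. Quote it: `tr -d '[:punct:]'`. The `grep '^2: '` interface selection also hard-codes the second link index, which presumably holds only for this image's network setup; a comment stating that assumption next to the CMD would help. Switching to `exec` so the server becomes PID 1 and receives container signals is the right change.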
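Review bot: The passthrough rule in the first hunk is still named `ssh` but now matches `tcp dst port 5001` instead of 64295; if 64295 is still the host's real SSH listener, that traffic is no longer excluded from glutton, and nothing in this patch explains 5001 (the compose change in this commit only mentions 5000 in commented-out port mappings). Either rename the rule to what 5001 actually serves or add a comment such as `# 5001: passthrough for <service name> (see docker-compose.yml)`, and keep a 64295 passthrough if it is still required. The second hunk only drops the trailing newline.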
@@ -13,9 +10,12 @@ services: network_mode: "host" #networks: # - glutton_local + #ports: + # - "5000:5000" + # - "22:5000" cap_add: - NET_ADMIN image: "dtagdevsec/glutton:1804" volumes: - /data/glutton/log:/var/log/glutton - + - /root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml diff --git a/docker/glutton/notes b/docker/glutton/notes deleted file mode 100644 index 110b0786..00000000 --- a/docker/glutton/notes +++ /dev/null @@ -1,50 +0,0 @@ -1 apk add golang - 2 apk add go - 3 apk -U --no-cache add bash build-base git go g++ iptables-dev libnetfilter_queue-dev libpcap-dev procps - 4 ls - 5 go get github.com/mushorg/glutton - 6 go get -d github.com/mushorg/glutton - 7 ls - 8 cd $GOPATH - 9 ls - 10 cd go/ - 11 ls - 12 cd src/github.com/mushorg/glutton/ - 13 ls - 14 go get -u github.com/golang/dep/cmd/dep - 15 dep - 16 find / -name dep - 17 pwd - 18 cd .. - 19 ls - 20 cd .. - 21 ls - 22 cd .. - 23 ls - 24 cd golang.org/ - 25 ls - 26 cd x/ - 27 ls - 28 cd .. - 29 ls - 30 cd .. - 31 ls - 32 cd .. - 33 ls - 34 cd bin - 35 ls - 36 dep ensure - 37 ./dep ensure - 38 cd .. - 39 ls - 40 cd .. - 41 ls - 42 cd .. - 43 ls - 44 cd root/go/src/github.com/mushorg/glutton/ - 45 which dep - 46 /root/go/bin/dep ensure - 47 make build - 48 bin/server - 49 history -
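Review bot: The new bind mount `/root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml` is writable by default, while this container runs with `network_mode: "host"` and `cap_add: NET_ADMIN`; glutton only needs to read its rule set, so mount it read-only: `- /root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml:ro`. The absolute `/root/tpotce/...` host path also ties the compose file to one checkout location; a path relative to the compose file, `./dist/rules.yaml`, would avoid that. The added `#ports:` block is inert under host networking, so a short comment saying it is kept for reference only would prevent someone from uncommenting it expecting an effect.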