Logging communication between two VMs


I'm trying to set up the "malware lab" described in this paper.
So far, I've set up a Windows guest system, added one host-only network adapter, and set the following (sorry if the names aren't exactly correct, I don't have an English-language version):

    - IP Address - 10.0.0.3
    - Subnet mask - 255.255.255.0
    - Default gateway - not set
    - Preferred DNS - 10.0.0.4
    - Alternate DNS - not set

And a Linux guest system, Ubuntu 9.04, with two network adapters: bridged (eth0) and host-only (eth1), with eth1's IP address set to 10.0.0.4 and eth0 left to be set by DHCP. Then I configured iptables as described in the paper, i.e.:

```sh
# flush the nat and mangle tables and reset their chain policies to ACCEPT
iptables -F -t nat
iptables -F -t mangle
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# anything arriving on the bridged interface is accepted
iptables -t mangle -A PREROUTING -i eth0 -j ACCEPT
# from the host-only interface: allow DNS to 10.0.0.3, any HTTP, and TCP 6000-7000 to 10.0.0.3
iptables -t mangle -A PREROUTING -p udp -i eth1 -d 10.0.0.3 --dport 53 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -i eth1 --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -i eth1 -d 10.0.0.3 --dport 6000:7000 -j ACCEPT
# everything else from eth1 is passed to the ULOG target and then dropped
iptables -t mangle -A PREROUTING -i eth1 -j ULOG
iptables -t mangle -A PREROUTING -i eth1 -j DROP
```

Now, when I try to ping the Windows system from within the Linux system, it does not reply. I guess that's perfectly normal, because iptables is blocking the ping response. Same when I try to ping the Linux system from within Windows. But when I try to access any web page from within the Windows system, I would expect that action to get logged by iptables. The thing is, I don't see any lines of that kind in the log file (if I am looking in the right place, that is. :) It is /var/log/messages, isn't it?). So, what do you think might be the problem here?

I should note that this is the first time I'm using Linux, so don't expect ANY working knowledge of Linux at all... :) Also, since English is not my mother tongue, feel free to point out any grammatical mistakes... :)

Thanks for any advice.

sYnfo

Posted 2009-09-01T13:52:31.593

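Two separate things can keep the ruleset above from producing log lines: either no packets from eth1 ever reach the ULOG rule (the Windows VM has no route to the outside), or they reach it but ULOG delivers them over netlink to the ulogd daemon rather than to syslog, so nothing lands in /var/log/messages unless ulogd is running. The packet counters of the chain tell the two cases apart. The script below is an added example, not from the paper or the poster: it parses a constructed `iptables -t mangle -vnxL PREROUTING` listing (counter values invented for illustration; `-x` prints exact counts without K/M suffixes), reports which case applies, and rewrites the ULOG rule into a LOG rule, which logs through the kernel log and thus through syslog. The `LAB-DROP: ` prefix and the keyword names are this example's own choices.

```sh
#!/bin/sh
# Added diagnostic for the malware-lab ruleset; not code from the paper.
# Assumes the whitespace-separated listing format of `iptables -vnxL`.
# All counters below are constructed sample data.

# Listing where traffic from eth1 is hitting the ULOG/DROP rules.
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 1234 packets, 456789 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     812      62464 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
       0          0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            10.0.0.3             udp dpt:53
       0          0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       0          0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            10.0.0.3             tcp dpts:6000:7000
      37       2960 ULOG       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 queue_threshold 1
      37       2960 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0'

# Listing where nothing from eth1 has arrived at all (e.g. no default gateway
# on the Windows VM, so it never sends packets towards 10.0.0.4).
SAMPLE_IDLE='Chain PREROUTING (policy ACCEPT 900 packets, 123456 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     812      62464 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
       0          0 ULOG       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 queue_threshold 1
       0          0 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0'

# rule_pkts LISTING TARGET: packet counter of the first rule whose target
# column (field 3) equals TARGET. Empty output if no such rule exists.
rule_pkts() {
    printf '%s\n' "$1" | awk -v t="$2" '$3 == t { print $1; exit }'
}

# diagnose LISTING: prints one keyword on stdout so callers can branch on
# it, and the explanation on stderr.
diagnose() {
    listing=$1
    ulog=$(rule_pkts "$listing" ULOG)
    if [ -z "$ulog" ]; then
        echo >&2 "no ULOG rule in PREROUTING: nothing is being logged"
        echo "no-log-rule"
    elif [ "$ulog" -eq 0 ]; then
        echo >&2 "ULOG counter is 0: no packet from eth1 reached the rule."
        echo >&2 "Check the Windows default gateway (should be 10.0.0.4) and"
        echo >&2 "watch eth1 with tcpdump before blaming the logging."
        echo "no-eth1-traffic"
    else
        echo >&2 "ULOG counter is $ulog: packets are matched and dropped."
        echo >&2 "ULOG hands them to ulogd over netlink, never to syslog;"
        echo >&2 "run ulogd and read its log, or switch the rule to -j LOG."
        echo "hitting-ulog"
    fi
}

# ulog_to_log RULES: rewrite every `-j ULOG` rule into a LOG rule. LOG goes
# through the kernel log (dmesg, /var/log/kern.log or /var/log/messages,
# depending on the syslog configuration). Level 4 (warning) is LOG's default.
ulog_to_log() {
    printf '%s\n' "$1" | sed 's/-j ULOG[[:space:]]*$/-j LOG --log-prefix "LAB-DROP: " --log-level 4/'
}

# Demo on the constructed listings; on a real lab box use:
#   diagnose "$(iptables -t mangle -vnxL PREROUTING)"
diagnose "$SAMPLE_COUNTERS"
diagnose "$SAMPLE_IDLE"
ulog_to_log 'iptables -t mangle -A PREROUTING -i eth1 -j ULOG'
```

Pinging the Windows VM from Linux is a quick way to drive the counters: the echo request leaves via the OUTPUT chain, which the ruleset does not filter, and the reply comes back on eth1, where it matches none of the ACCEPT rules and so increments the ULOG and DROP counters even when the web traffic never arrives.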

Answers


The link to your document is broken, but it sounds like you're trying to set up the Linux system as a router between the Windows VM and the outside world.

According to your explanation, you haven't set a default gateway on the Windows machine. Therefore, it does not know that to get to the Internet it's supposed to go through the Linux machine. You can confirm this by trying to ping 8.8.8.8 from the Windows VM; if you get a reply, your gateway is set up properly. If you don't get a reply, set the default gateway on the Windows machine to 10.0.0.4 and try again.

Stephen Jennings


Hah, I love being tricked into answering nearly year-old questions. – Stephen Jennings – 2010-06-09T14:43:39.187


If I remember correctly, the default log level for iptables, if not specified, is 7 (debug), so check /etc/syslog.conf to find where debug messages are sent. I would guess /var/log/debug.

user6889


I'll look into that once I have free time. But I'm quite sure that there is nothing regarding iptables in my /etc/syslog.conf, nor in /log/debug. Anyway, thanks for your comment. – sYnfo – 2009-10-12T12:03:22.843