Re: Any way to automatically change arbitrary headers of IP packets on-the-fly?

• Previous message: Ayaz Ahmed Khan: "PAKCON II: Call for Papers (CfP - 2005)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 18 Apr 2005 18:50:42 -0700 (PDT)
To: "Joo" Paulo Caldas Campello <protecao@gmail.com>, "Valdis.Kletnieks@vt.edu" <Valdis.Kletnieks@vt.edu>

Use NetSED:

http://www.mirrors.wiretapped.net/security/packet-construction/netsed/netsed-README.txt

--- Joćo Paulo Caldas Campello <protecao@gmail.com>
wrote:
> On 4/14/05, Valdis.Kletnieks@vt.edu
> <Valdis.Kletnieks@vt.edu> wrote:
>
> > Currently, iptables doesn't seem to support that,
> probably to keep you from
> > shooting yourself in the foot. Consider for
> example how fast the kernel will
> > fold up if you change that first nybble of the
> packet from an x'4' to an x'6'
> > without changing the rest of the packet to match.
> Suddenly, that sk_buff is
> > a lot too short.. ;)
>
> Yeah, maybe, who knows :P
>
> Well, I've did some searching last days and found a
> couple ways to
> achieve what I've described in my email.
>
> One is using "DIVERT sockets" and other is the use
> of the "-j QUEUE"
> target of iptables/netfilter. Both approaches are
> similar: you match a
> packet using iptables to flush them to userspace,
> where you can mangle
> the entire packet as you like and send it back to
> iptables, who will
> put it again onto the stack.
>
> The "-j QUEUE" approach is manipulated through the
> "libipq" API:
>
> - netfilter can feed userspace using IPQUEUE:
> *
> http://www.crhc.uiuc.edu/~grier/projects/libipq.html
>
> - Perl:
> * http://www.intercode.com.au/jmorris/perlipq/
>
> - Python:
> * http://woozle.org/~neale/src/ipqueue/
>
> As you can see, there's already libraries written in
> Perl and Python
> to query IPQUEUE, so the effort of writing userspace
> code to deal with
> IP packets wiil be much more easier.
>
> That's it =)
>
> Cheers,
>
> Joćo Paulo.
>

• Previous message: Ayaz Ahmed Khan: "PAKCON II: Call for Papers (CfP - 2005)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Doubts with iptables (or ipchains) ... With iptables use the state module. ... > done with ipchains (using some alternative ... > of the connection would protect my LAN? ... Why would 'a packet' be 52 bytes? ... (comp.os.linux.security) iptables: state & forward confusion ... $iptables -F -t mangle ... # set a default policy to allow established & related ... packet forwarded to eth1 or eth2...accept those that are explicitly ... forwarded say for outbound web requests and returning responses? ... (comp.os.linux.security) iptables: state & forward confusion ... $iptables -F -t mangle ... # set a default policy to allow established & related ... packet forwarded to eth1 or eth2...accept those that are explicitly ... forwarded say for outbound web requests and returning responses? ... (comp.os.linux.security) Re: iptables: blocking network access for certain UIDs gives error. ... > you're familiar with iptables. ... > rule will match something using the owner module, ... > "stealthing" is a complete waste of time, I wouldn't DROP the packet ... (Fedora) Re: iptables udp and output ... So, here's the ruleset, re-ordered to provide a clearer view to ... you drop all fragments past the first one of each fragmented packet. ... This is the typical problem to making too selective matches in iptables ... the host and port that were marked as destination in the outgoing UDP packet). ... (comp.os.linux.security)