How to intercept packets under Linux

Posted on 2008-11-13
Last Modified: 2012-05-05
Hey guys,

So here's the deal. I'm writing a basic proxy program, and I want it to work with no client side configuration. The proxy will run on a GNU/Linux machine, which acts as a gateway for my LAN.

The nix machine is currently forwarding packets -- I've set /proc/sys/net/ipv4/ip_forward to 1

Now I want to be able to intercept this traffic -- i.e. all traffic gets sent to my proxy application, and the proxy will choose whether or not to forward the packets to the destination.

I've got a basic knowledge of iptables, and I've thought of using iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination <ip-of-nix-box>, however I believe this will cause me to lose either the source or destination address of the packet.

Perhaps a user-space forwarding application like fragrouter could do this? Could it be done with tcpdump and tcpreplay?

I really don't know, so I thought I'd ask you guys: what is the best way of going about intercepting packets under linux?

Cheers!
Question by:da_mango_bros
Expert Comment

by:MicheleMarcon
ID: 22948699
Expert Comment

by:edster9999
ID: 22948721
Wireshark is for spying on packets as they pass through.

Is this what you are trying to do or are you trying to write your own proxy from the ground up ?
(if so you might want to look at the MANY existing ones)
Author Comment

by:da_mango_bros
ID: 22949029
Yes, I'm familiar with wireshark. I need to *intercept* the packets, not just monitor them.

I am primarily doing this as an experiment in tcp injection -- i.e. I'll be able to insert/modify data inside tcp (or udp for that matter) packets, patch up the sequence number and anything else necessary, forward my modified packet and drop the original.

If there is an existing proxy (that's open source and runs on linux) then I'd be more than happy to use that. If not, I've had some experience programming with raw sockets so I'll be capable of writing my own.

The main problem is, how to allow my user-space application to intercept packets. It needs to see both the source and destination address.
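
What "patch up the sequence number and anything else necessary" amounts to once a user-space forwarder is holding a raw IPv4/TCP packet, as an added example that is not code from any post in this thread. It covers only the rewrite step (how the packet reaches user space is the iptables question above). The sample packet is constructed; 10.0.0.7 and 93.184.216.34 are placeholder addresses and the ports and sequence numbers are arbitrary.

```python
"""Patch an IPv4/TCP packet in user space and fix what the change invalidates.

Added example for this thread, not code from any of the posts.  Standard
library only.  The sample packet is constructed; 10.0.0.7 and 93.184.216.34
are placeholder addresses and the ports/sequence numbers are arbitrary.
"""
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns the complement.
    Over a buffer that already carries a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_checksums(packet: bytes) -> bytes:
    """Rewrite IP total length, IP header checksum and TCP checksum for `packet`."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = bytearray(packet[:ihl])
    tcp_seg = bytearray(packet[ihl:])
    struct.pack_into("!H", ip_hdr, 2, len(packet))      # total length = what we send
    struct.pack_into("!H", ip_hdr, 10, 0)               # zero the field before summing
    struct.pack_into("!H", ip_hdr, 10, inet_checksum(bytes(ip_hdr)))
    # The TCP checksum also covers a pseudo-header: src, dst, 0, proto, TCP length.
    pseudo = bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp_seg))
    struct.pack_into("!H", tcp_seg, 16, 0)
    struct.pack_into("!H", tcp_seg, 16, inet_checksum(pseudo + bytes(tcp_seg)))
    return bytes(ip_hdr + tcp_seg)


def checksums_ok(packet: bytes) -> bool:
    """True when both the IP header and the TCP segment verify."""
    ihl = (packet[0] & 0x0F) * 4
    pseudo = packet[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(packet) - ihl)
    return inet_checksum(packet[:ihl]) == 0 and inet_checksum(pseudo + packet[ihl:]) == 0


def rewrite_payload(packet: bytes, new_payload: bytes):
    """Replace the TCP payload.  Returns (new_packet, length_delta).

    A non-zero delta shifts the sequence space: every later segment from the
    same sender needs SEQ += delta and every ACK coming back needs ACK -= delta
    for as long as the connection lives (see shift_seq_ack)."""
    ihl = (packet[0] & 0x0F) * 4
    doff = (packet[ihl + 12] >> 4) * 4                 # TCP data offset, in bytes
    headers = packet[:ihl + doff]
    old_payload = packet[ihl + doff:]
    return fix_checksums(headers + new_payload), len(new_payload) - len(old_payload)


def shift_seq_ack(packet: bytes, seq_delta: int, ack_delta: int) -> bytes:
    """Add deltas (mod 2**32) to SEQ and ACK and re-checksum."""
    ihl = (packet[0] & 0x0F) * 4
    pkt = bytearray(packet)
    seq, ack = struct.unpack_from("!II", pkt, ihl + 4)
    struct.pack_into("!II", pkt, ihl + 4,
                     (seq + seq_delta) & 0xFFFFFFFF, (ack + ack_delta) & 0xFFFFFFFF)
    return fix_checksums(bytes(pkt))


def build_sample(payload: bytes, seq: int = 1000, ack: int = 5000) -> bytes:
    """Construct a valid IPv4/TCP PSH|ACK packet with placeholder addresses."""
    src, dst = socket.inet_aton("10.0.0.7"), socket.inet_aton("93.184.216.34")
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, 64,
                         socket.IPPROTO_TCP, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    return fix_checksums(ip_hdr + tcp_hdr + payload)


if __name__ == "__main__":
    original = build_sample(b"GET / HTTP/1.0\r\n\r\n")
    patched, delta = rewrite_payload(original, b"GET /index.html HTTP/1.0\r\n\r\n")
    print("length delta", delta, "checksums ok", checksums_ok(patched))
    # The next segment from the same client must be shifted by the same delta.
    print(checksums_ok(shift_seq_ack(build_sample(b"x", seq=1018), delta, 0)))
```

The delta returned by rewrite_payload has to be remembered per connection and per direction until the connection closes, which is the part of "tcp injection" that is easy to forget. When the rewritten packet is sent through a raw socket with IP_HDRINCL, Linux fills in the IP header checksum and total length itself, but it never touches the TCP checksum, so the TCP recomputation above is mandatory.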

Author Comment

by:da_mango_bros
ID: 22949047
** edit: if there is an existing proxy __that supports packet injection__, i'd be happy to use that
Expert Comment

by:edster9999
ID: 22949657
You would probably need root-level access to extract that sort of info from the drivers / packets (for example, Wireshark needs root access).

I'm pretty sure no proxy has this sort of feature built in.

But rather than writing one from scratch, wouldn't it be better to use something like Squid and add an extra bit to examine the packets? It already does stateful packet inspection, so this should be reasonably easy to bolt on.
Author Comment

by:da_mango_bros
ID: 22950435
Root access is fine, but I still want my application to run in user-space if possible (don't want to mess with the network drivers, and don't think it's necessary).

It might be possible to modify squid, but I think it's over-complicating the problem. I don't need a full blown proxy. And doesn't squid require client side configuration? I need to do without that. Just raw forwarding of packets...

Essentially the entire problem is that I need to emulate what /proc/sys/net/ipv4/ip_forward does. Now I know of userland applications (e.g. fragrouter) that are capable of this -- can you tell me how they work?

Specifically, how do they solve the problem of intercepting the packet without losing the source or destination address?
Expert Comment

by:Roachy1979
ID: 22952605
Squid can be configured to work transparently - so effectively no client configuration is required (other than the Squid box being on the same device as the gateway for the network).

It might be worth setting up Squid in transparent mode and using tcpdump to see what actually happens to packets that are proxied... although I suspect you're right in the sense that the source data in the packet gets overwritten!

I'm not a developer, I'm a network guy, and I haven't really delved into the innards of proxying, but I just thought I'd comment.
Author Comment

by:da_mango_bros
ID: 22956502
I've just realized that I am doing the exact same thing that a NAT router does.

I can enable NAT using iptables, but that's no help because I need to process the packets. But it should be possible for a NAT server to run in userspace.

I can't remember much about it, so I'm going to read up on how NAT works and see if I can use that approach to solve my problem.
Author Comment

by:da_mango_bros
ID: 22960488
Think I've solved it. When looking at how people configure squid to run transparently, I noticed people use the iptables dnat option "--to-port" instead of "--to-destination" that I was using. I suspect this will allow my application to get the packets with both the source and destination address intact.

I haven't tested this yet. Will let you guys know how it goes.
Expert Comment

by:Roachy1979
ID: 22960601
Let us know - I'm intrigued now :)
Accepted Solution

by: da_mango_bros (earned 0 total points)
ID: 22966358
Well this certainly is strange. It appears to be working both ways.

I can redirect to the local machine: iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5

Or I can redirect to a port (on the local machine): iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 5555

Now BOTH times, I can intercept the packet. I.e. for the first time, I listen on port 80, second time I listen on port 5555. Then I fire up a web browser on my laptop, and I intercept the http get on my listener.

At the same time, I've got wireshark open, and in both cases I'm seeing intact source and destination addresses.

Not quite sure what the deal is with this, but whatever the case, I now think I should be right to get tcp injection working once I get some more free time.

Not sure what to do with the points for this one... Roachy you did help me out by mentioning that squid can be run transparently -- from that I was able to google and find out how it worked. But I did have to do all the research. I'm thinking half points go to you, and half points go back to me. Deal?
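
The two observations in the accepted solution are consistent once you know where each tool looks. Wireshark captures on the ingress interface at the link layer, before the nat PREROUTING hook runs, so it always shows the pre-NAT source and destination no matter which rule is loaded. The listening socket, on the other hand, only ever sees the connection after REDIRECT/DNAT has rewritten the destination to the gateway's own address; the source address is untouched (getpeername() still returns the LAN client), and the original destination has to be asked back from netfilter with the SO_ORIGINAL_DST socket option. The following transparent proxy does exactly that. It is an added example, not code from any post in this thread; the iptables rule in its docstring, the interface name eth0, port 5555 and the host name in the policy hook are placeholders.

```python
"""Transparent TCP proxy for connections that iptables REDIRECTed to port 5555.

Added example for this thread, not code from any of the posts.  It assumes a
rule like the one below on the gateway (eth0 as the LAN-facing interface and
port 5555 are placeholders):

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 5555

REDIRECT rewrites only the destination address (to the gateway's own) and port,
so getpeername() still returns the LAN client, and the pre-NAT destination is
recovered with getsockopt(SOL_IP, SO_ORIGINAL_DST).  The proxy's own outbound
connection is locally generated, so it never traverses PREROUTING and cannot
loop back into the rule.
"""
import socket
import struct
import threading

SO_ORIGINAL_DST = 80   # from <linux/netfilter_ipv4.h>; not exposed by the socket module
SOL_IP = getattr(socket, "SOL_IP", socket.IPPROTO_IP)
LISTEN_PORT = 5555


def pack_sockaddr_in(ip: str, port: int, family: int = socket.AF_INET) -> bytes:
    """Build a struct sockaddr_in the way the kernel hands it back (for the self-check)."""
    return struct.pack("=H", family) + struct.pack("!H4s", port, socket.inet_aton(ip)) + bytes(8)


def parse_original_dst(raw: bytes):
    """Decode the struct sockaddr_in returned by SO_ORIGINAL_DST into (ip, port).
    sin_family is in host byte order; sin_port and sin_addr are network order."""
    if len(raw) < 8:
        raise ValueError("short sockaddr")
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address: family %d" % family)
    port, addr = struct.unpack_from("!H4s", raw, 2)
    return socket.inet_ntoa(addr), port


def original_dst(conn: socket.socket):
    """Ask netfilter where the client was really going before REDIRECT/DNAT.
    Raises OSError for a connection that was not NATed (e.g. a direct hit on 5555)."""
    return parse_original_dst(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))


def allow(client_ip: str, dst_ip: str, dst_port: int, first_bytes: bytes) -> bool:
    """Placeholder policy hook: decide whether to forward this connection.
    Here it refuses one hard-coded Host header; a real policy goes in its place."""
    return b"Host: blocked.example" not in first_bytes


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client: socket.socket) -> None:
    upstream = None
    try:
        client_ip = client.getpeername()[0]          # real LAN source, REDIRECT does no SNAT
        dst_ip, dst_port = original_dst(client)      # pre-NAT destination
        first = client.recv(65536)                   # look at the request before deciding
        if first and allow(client_ip, dst_ip, dst_port, first):
            upstream = socket.create_connection((dst_ip, dst_port), timeout=30)
            upstream.sendall(first)
            t = threading.Thread(target=pump, args=(client, upstream), daemon=True)
            t.start()
            pump(upstream, client)
            t.join()
        # otherwise fall through: the connection is closed without being forwarded
    except (OSError, ValueError):
        pass
    finally:
        client.close()
        if upstream is not None:
            upstream.close()


def serve(port: int = LISTEN_PORT) -> None:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(128)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The same getsockopt call works for the DNAT --to-destination variant from the accepted solution, as long as the address it targets is the gateway's own; the listener on port 80 is then in exactly the same position as the one on port 5555. Restricting the rule to the LAN-facing interface (-i eth0) keeps the gateway's own web traffic out of the proxy, and SO_ORIGINAL_DST fails with an error for any connection that did not pass through the NAT table, which the handler treats as a reason to close rather than forward.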
Expert Comment

by:Roachy1979
ID: 22970325
Sold..... :) My comment was speculative as I was just hoping to open up a possible train of thought to you as I lacked the programming skills to give any further input..... I was just giving a "this could be possible".  In any case - glad you resolved the issue.  I've learned something here today :)