How to intercept packets under Linux

Hey guys,

So here's the deal. I'm writing a basic proxy program, and I want it to work with no client side configuration. The proxy will run on a GNU/Linux machine, which acts as a gateway for my LAN.

The nix machine is currently forwarding packets -- I've set /proc/sys/net/ipv4/ip_forward to 1

Now I want to be able to intercept this traffic -- i.e. all traffic gets sent to my proxy application, and the proxy will choose whether or not to forward the packets to the destination.

I've got a basic knowledge of iptables, and I've thought of using iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination <ip-of-nix-box>, however I believe this will cause me to lose either the source or destination address of the packet.

Perhaps a user-space forwarding application like fragrouter could do this? Could it be done with tcpdump and tcpreplay?

I really don't know, so I thought I'd ask you guys: what is the best way of going about intercepting packets under linux?

Cheers!
da_mango_bros asked:
edster9999 commented:
Wireshark is for spying on packets as they pass through.

Is this what you are trying to do or are you trying to write your own proxy from the ground up ?
(if so you might want to look at the MANY existing ones)
0
da_mango_bros (Author) commented:
Yes, I'm familiar with wireshark. I need to *intercept* the packets, not just monitor them.

I am primarily doing this as an experiment in tcp injection -- i.e. I'll be able to insert/modify data inside tcp (or udp for that matter) packets, patch up the sequence number and anything else necessary, forward my modified packet and drop the original.

If there is an existing proxy (that's open source and runs on linux) then I'd be more than happy to use that. If not, I've had some experience programming with raw sockets so I'll be capable of writing my own.

The main problem is, how to allow my user-space application to intercept packets. It needs to see both the source and destination address.
0

da_mango_bros (Author) commented:
** edit: if there is an existing proxy __that supports packet injection__, i'd be happy to use that
0
edster9999 commented:
You would probably need root level access to extract that sort of info from the drivers / packets (for example, Wireshark needs root access)

I'm pretty sure no proxy has this sort of feature built in

But rather than writing one from scratch wouldn't it be better to use something like squid and add an extra bit to examine the packets.  It already does stateful packet inspection so this should be reasonably easy to bolt on.
0
da_mango_bros (Author) commented:
Root access is fine, but I still want my application to run in user-space if possible (don't want to mess with the network drivers, and don't think it's necessary).

It might be possible to modify squid, but I think it's over-complicating the problem. I don't need a full blown proxy. And doesn't squid require client side configuration? I need to do without that. Just raw forwarding of packets...

Essentially the entire problem is that I need to emulate what /proc/sys/net/ipv4/ip_forward does. Now I know of userland applications (e.g. fragrouter) that are capable of this -- can you tell me how they work?

Specifically, how do they solve the problem of intercepting the packet without losing the source or destination address?
0
Roachy1979 commented:
Squid can be configured to work transparently - so effectively no client configuration is required (other than the squid box being on the same device as the gateway for the network).

It might be worth setting up squid in transparent mode and using tcpdump to see what actually happens to packets that are proxied... although I suspect you're right in the sense that the source data in the packet gets overwritten!

I'm not a developer, I'm a network guy, and I haven't really delved into the innards of proxying, but just thought I'd comment.
0
da_mango_bros (Author) commented:
I've just realized that I am doing the exact same thing that a NAT router does.

I can enable NAT using iptables, but that's no help because I need to process the packets. But it should be possible for a NAT server to run in userspace.

I can't remember much about it, so I'm going to read up on how NAT works and see if I can use that approach to solve my problem.
0
da_mango_bros (Author) commented:
Think I've solved it. When looking at how people configure squid to run transparently, I noticed people use the iptables dnat option "--to-port" instead of "--to-destination" that I was using. I suspect this will allow my application to get the packets with both the source and destination address intact.

I haven't tested this yet. Will let you guys know how it goes.
0
Roachy1979 commented:
Let us know - I'm intrigued now :)
0
da_mango_bros (Author) commented:
Well this certainly is strange. It appears to be working both ways.

I can redirect to the local machine: iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5

Or I can redirect to a port (on the local machine): iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 5555

Now BOTH times, I can intercept the packet. I.e. for the first time, I listen on port 80, second time I listen on port 5555. Then I fire up a web browser on my laptop, and I intercept the http get on my listener.

At the same time, I've got wireshark open, and in both cases I'm seeing intact source and destination addresses.

Not quite sure what the deal is with this, but whatever the case, I now think I should be right to get tcp injection working once I get some more free time.

Not sure what to do with the points for this one... Roachy you did help me out by mentioning that squid can be run transparently -- from that I was able to google and find out how it worked. But I did have to do all the research. I'm thinking half points go to you, and half points go back to me. Deal?
0
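A note on what the last post observes, followed by an added example that is not code from any participant in this thread. Wireshark on the gateway captures frames at the interface, before the nat PREROUTING hook runs, so the addresses it shows are the client's originals regardless of whether DNAT or REDIRECT is used. The accepting socket, however, sees the rewritten destination (the gateway's own address and port). The original destination is still held in the conntrack entry and a user-space proxy reads it with getsockopt(SOL_IP, SO_ORIGINAL_DST) on the accepted connection. The script below is a minimal transparent TCP interceptor for the REDIRECT rule quoted above (iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 5555): it recovers the real destination, opens an upstream connection, and passes every chunk through an inject() hook where data can be rewritten. Because the kernel terminates both TCP sessions, no sequence-number patching is needed at this layer. The listen port 5555 and the inserted X-Intercepted header are assumptions for the example; SO_ORIGINAL_DST = 80 is the value from <linux/netfilter_ipv4.h>, which Python's socket module does not export. It must run as root on the Linux gateway; the upstream connection leaves via the OUTPUT chain, so the PREROUTING rule does not loop it back into the proxy.

```python
"""Transparent TCP interceptor for an iptables REDIRECT rule (added example).

Assumed gateway rule:
    iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 5555
"""
import socket
import struct
import threading

SO_ORIGINAL_DST = 80   # from <linux/netfilter_ipv4.h>; not in Python's socket module
LISTEN_PORT = 5555     # assumption: matches --to-port in the rule above


def parse_original_dst(raw: bytes) -> tuple:
    """Decode the struct sockaddr_in that SO_ORIGINAL_DST returns.

    Layout: sa_family (u16, host byte order), sin_port (u16, network byte
    order), sin_addr (4 bytes), then zero padding to 16 bytes.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack("=H", raw[:2])[0]
    port = struct.unpack("!H", raw[2:4])[0]
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(conn: socket.socket) -> tuple:
    """Ask conntrack where the client was really trying to go."""
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_original_dst(raw)


def inject(payload: bytes, direction: str) -> bytes:
    """Rewrite hook. Assumed demo: tag client HTTP requests with one extra header."""
    if direction == "c2s" and payload.startswith(b"GET "):
        payload = payload.replace(b"\r\n", b"\r\nX-Intercepted: 1\r\n", 1)
    return payload


def pump(src: socket.socket, dst: socket.socket, direction: str) -> None:
    """Copy one direction of the stream through inject() until EOF."""
    while True:
        data = src.recv(65536)
        if not data:
            break
        dst.sendall(inject(data, direction))
    try:
        dst.shutdown(socket.SHUT_WR)   # propagate half-close to the other side
    except OSError:
        pass


def handle(conn: socket.socket, client_addr: tuple) -> None:
    dst_ip, dst_port = original_destination(conn)
    print("%s:%d -> %s:%d" % (client_addr[0], client_addr[1], dst_ip, dst_port))
    # Outbound connection from the gateway itself traverses OUTPUT, not
    # PREROUTING, so the REDIRECT rule does not send it back to us.
    upstream = socket.create_connection((dst_ip, dst_port))
    threading.Thread(target=pump, args=(conn, upstream, "c2s"), daemon=True).start()
    pump(upstream, conn, "s2c")


def serve(port: int = LISTEN_PORT) -> None:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(128)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it on the gateway as root after loading the REDIRECT rule, then browse from a LAN client; each accepted connection is logged with the client's address and the destination it originally asked for. The same getsockopt call is what makes squid's transparent mode work, and it is the piece missing from the DNAT --to-destination approach, where the target port is left at 80 but the original destination is equally recoverable.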
Roachy1979 commented:
Sold..... :) My comment was speculative as I was just hoping to open up a possible train of thought to you as I lacked the programming skills to give any further input..... I was just giving a "this could be possible".  In any case - glad you resolved the issue.  I've learned something here today :)
0