@guillaumerose
Created April 7, 2011 09:00
Working with netfilter and libnetfilter-queue
TP 3: Working with netfilter and libnetfilter-queue
The objective of this TP is to work with netfilter kernel module creation and user-space processing of queued packets using libnetfilter-queue.
Important: The result of this TP should be sent to: me@bachwehbi.net or anis.laouiti@it-sudparis.eu with TP3-yourname as a subject.
If you do not finish in class, treat it as homework and send it before Friday, April 15, at 8:00 PM.
Context:
--------
Whenever the host receives an incoming SSH connection (on port 22), the module drops the packet,
except when the originator of the connection has first made a TCP connection attempt (a TCP SYN) to port 100 (which is dropped as well).
In that case the local host opens the SSH port for that specific source address for a specific duration (you have to choose it).
Exercise 1:
-----------
Use iptables to queue packets for processing in user space.
NOTE: to work with libnetfilter-queue you need to install the following packages:
libnfnetlink, libnfnetlink-dev, libnetfilter-queue and libnetfilter-queue-dev
1- Create the iptables rules (use the lecture material and the iptables man page for reference).
2- Create the libnetfilter-queue user-space application and test it. The program must be linked with "-lnetfilter_queue".
(For reference use the lecture material, the documentation and the sample code at http://www.netfilter.org/projects/libnetfilter_queue/doxygen/files.html)
3- For each packet processed in user space, print the following information: the name of the incoming interface, the packet arrival time in seconds, the length of the packet data, and the IP address and port number of the packet's source.
For this exercise you will need to manipulate the IP header structure "struct iphdr", defined in <linux/ip.h>,
and the TCP header structure "struct tcphdr", defined in <linux/tcp.h>.
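The three steps above, as an added example that is not the TP's own code: the iptables rule that sends inbound TCP to ports 22 and 100 to queue 0, a parser over struct iphdr / struct tcphdr that checks every length before reading a field, and the libnetfilter_queue callback that prints the incoming interface, arrival time, length and source address/port and then returns a verdict. The file name knock_nfq.c, the function names, the queue number and the constructed test packet are this example's assumptions. Built without -DUSE_NFQUEUE, only the parsing part is compiled, so it can be checked offline; the full program needs libnetfilter-queue-dev and root.

```c
/* Added example for Exercise 1, not the TP's own code.  Queue the Context's traffic with:
 *   iptables -I INPUT -p tcp -m multiport --dports 22,100 -j NFQUEUE --queue-num 0
 * Full program (as root):  gcc -DUSE_NFQUEUE knock_nfq.c -o knock_nfq -lnetfilter_queue
 * Without -DUSE_NFQUEUE only the parsing is built, for an offline check on a constructed packet. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <linux/ip.h>
#include <linux/tcp.h>

#define SSH_PORT   22
#define KNOCK_PORT 100

/* The fields step 3 asks for, plus whether this is a pure SYN (a connection attempt). */
struct pkt_info { char src[INET_ADDRSTRLEN]; uint16_t sport, dport; int syn; };

/* Parse IPv4+TCP headers of a raw packet: 0 on success, -1 if it is not TCP or is too
 * short for both headers.  Wire lengths are untrusted, so each is checked before use. */
static int parse_tcp(const unsigned char *data, size_t len, struct pkt_info *pi)
{
    const struct iphdr *iph = (const struct iphdr *)data;
    const struct tcphdr *tcph;
    size_t ihl;
    if (len < sizeof *iph || iph->version != 4 || iph->protocol != IPPROTO_TCP)
        return -1;
    ihl = (size_t)iph->ihl * 4;
    if (ihl < sizeof *iph || len < ihl + sizeof *tcph)
        return -1;
    tcph = (const struct tcphdr *)(data + ihl);
    inet_ntop(AF_INET, &iph->saddr, pi->src, sizeof pi->src);
    pi->sport = ntohs(tcph->source);
    pi->dport = ntohs(tcph->dest);
    pi->syn   = tcph->syn && !tcph->ack;
    return 0;
}

/* Constructed IPv4/TCP packet (no options, no payload) for the offline check; returns its length. */
static size_t build_pkt(unsigned char *buf, const char *src, uint16_t dport, int syn)
{
    struct iphdr *iph = (struct iphdr *)buf;
    struct tcphdr *tcph = (struct tcphdr *)(buf + sizeof *iph);
    memset(buf, 0, sizeof *iph + sizeof *tcph);
    iph->version = 4; iph->ihl = 5; iph->protocol = IPPROTO_TCP;
    iph->tot_len = htons(sizeof *iph + sizeof *tcph);
    inet_pton(AF_INET, src, &iph->saddr);
    tcph->source = htons(40000); tcph->dest = htons(dport); tcph->doff = 5;
    tcph->syn = syn; tcph->ack = !syn;
    return sizeof *iph + sizeof *tcph;
}

/* Offline check: 0 when a constructed SYN to port 22 parses as expected and a truncated
 * or non-TCP packet is rejected instead of being read past its end. */
static int self_check(void)
{
    unsigned char buf[64];
    struct pkt_info pi;
    size_t n = build_pkt(buf, "192.0.2.10", SSH_PORT, 1);
    if (parse_tcp(buf, n, &pi) != 0 || pi.dport != SSH_PORT || pi.sport != 40000 ||
        !pi.syn || strcmp(pi.src, "192.0.2.10") != 0)
        return 1;
    if (parse_tcp(buf, n - 1, &pi) != -1)                 /* TCP header cut short */
        return 2;
    buf[9] = IPPROTO_UDP;                                  /* protocol byte of the IP header */
    return parse_tcp(buf, n, &pi) == -1 ? 0 : 3;
}

#ifdef USE_NFQUEUE
#include <sys/socket.h>
#include <sys/time.h>
#include <net/if.h>
#include <linux/netfilter.h>                               /* NF_ACCEPT, NF_DROP */
#include <libnetfilter_queue/libnetfilter_queue.h>

/* One call per queued packet: print interface, arrival time, length and source, then
 * give the verdict.  Exercise 1 only observes, so anything that parsed is accepted;
 * a packet the parser rejects is dropped rather than passed on half-read. */
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
    struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
    uint32_t id = ph ? ntohl(ph->packet_id) : 0;
    unsigned char *payload;
    int len = nfq_get_payload(nfa, &payload), verdict = NF_DROP;
    char ifname[IF_NAMESIZE] = "?";
    struct timeval tv;
    struct pkt_info pi;
    if (nfq_get_timestamp(nfa, &tv) != 0)                  /* not every packet carries one */
        gettimeofday(&tv, NULL);
    if_indextoname(nfq_get_indev(nfa), ifname);
    if (len >= 0 && parse_tcp(payload, (size_t)len, &pi) == 0) {
        printf("in=%s time=%ld.%06ld len=%d src=%s:%u dport=%u%s\n", ifname,
               (long)tv.tv_sec, (long)tv.tv_usec, len, pi.src, pi.sport, pi.dport,
               (pi.syn && pi.dport == KNOCK_PORT) ? " (knock)" : "");
        verdict = NF_ACCEPT;
    }
    return nfq_set_verdict(qh, id, verdict, 0, NULL);
}

int main(void)
{
    struct nfq_handle *h = nfq_open();
    struct nfq_q_handle *qh = NULL;
    char buf[65536];
    int rv;
    if (h && nfq_bind_pf(h, AF_INET) >= 0)                 /* bind is needed on pre-3.8 kernels */
        qh = nfq_create_queue(h, 0, &cb, NULL);            /* --queue-num 0 from the rule */
    if (!qh || nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
        perror("nfqueue setup (run as root?)"); return 1;
    }
    while ((rv = recv(nfq_fd(h), buf, sizeof buf, 0)) >= 0)
        nfq_handle_packet(h, buf, rv);                     /* dispatches to cb() */
    nfq_close(h);
    return 0;
}
#endif
```

While the program is running, every queued packet waits in the kernel for its verdict, so a crash or a slow callback stalls the SSH and port-100 traffic until the queue is torn down (iptables then falls back to the rule's default, which for NFQUEUE without --queue-bypass is to drop). The knock policy itself is left to the Exercise 2 module.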
Exercise 2:
-----------
Create and insert a custom made netfilter kernel module.
In this exercise you will work with netfilter modules, with the socket buffer (struct sk_buff), and with workqueues.
1- Take the netfilter module code sample in the lecture material as a baseline and create a hook function that looks inside received packets and DROPs those destined to port 22 or port 100. (For reference use the lecture material and the kernel source index at lxr.linux.no.)
2- Record the source IP address of the originator of the TCP connection attempt to port 100 and open port 22 for that address.
To simplify the problem and avoid dealing with arrays of IP addresses, assume that connections come from a single IP address (ask a colleague for his IP address and arrange to test each other's code).
(For reference use the socket buffer description from the lecture material and at lxr.linux.no)
3- Create a workqueue that closes the SSH port again after a defined delay once it has been opened.
(For reference check the workqueue sample code on moodle).
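The three steps of Exercise 2 as one added example, not the course's sample module: an NF_INET_LOCAL_IN hook that drops packets to ports 22 and 100, records the source address of a SYN to port 100 as the single allowed host, and a delayed work item on a dedicated workqueue that closes port 22 again after OPEN_SECS. It is written for a recent kernel (nf_register_net_hook, 4.13 and later); the 2011 kernel this TP targeted used nf_register_hook() and an older nf_hookfn signature. OPEN_SECS, the module and function names, and the single-address simplification are this example's choices. Build it with the usual obj-m Makefile and load it with insmod.

```c
/* Added example for Exercise 2, not the course's sample code.  Out-of-tree module for a
 * recent kernel (nf_register_net_hook, 4.13+).  Build with an obj-m Makefile, load with
 * insmod.  OPEN_SECS and all names are this example's choices. */
#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/workqueue.h>
#include <linux/jiffies.h>
#include <net/net_namespace.h>

#define SSH_PORT   22
#define KNOCK_PORT 100
#define OPEN_SECS  30          /* assumption: how long port 22 stays open after a knock */

static struct workqueue_struct *knock_wq;
static struct delayed_work close_work;
static __be32 allowed_src;     /* network-order address allowed on port 22; 0 = nobody */

/* Runs on knock_wq OPEN_SECS after the last knock: close port 22 again. */
static void close_ssh(struct work_struct *work)
{
    pr_info("knock: closing port %d for %pI4\n", SSH_PORT, &allowed_src);
    WRITE_ONCE(allowed_src, 0);
}

/* NF_INET_LOCAL_IN hook: sees every IPv4 packet addressed to this host. */
static unsigned int knock_hook(void *priv, struct sk_buff *skb,
                               const struct nf_hook_state *state)
{
    struct iphdr *iph = ip_hdr(skb);
    struct tcphdr *tcph;
    unsigned int ihl;
    __be32 src, allowed;
    u16 dport;

    if (iph->protocol != IPPROTO_TCP)
        return NF_ACCEPT;
    /* Make sure the TCP header sits in the linear part before reading it; re-read
     * ip_hdr() afterwards because pskb_may_pull() may reallocate the head. */
    ihl = iph->ihl * 4;
    if (!pskb_may_pull(skb, ihl + sizeof(struct tcphdr)))
        return NF_DROP;                           /* truncated header: do not trust it */
    iph = ip_hdr(skb);
    tcph = (struct tcphdr *)((u8 *)iph + ihl);
    src = iph->saddr;
    dport = ntohs(tcph->dest);

    if (dport == KNOCK_PORT) {
        /* A pure SYN is the knock: remember who sent it and (re)arm the close timer.
         * Every packet to port 100 is dropped, knock or not. */
        if (tcph->syn && !tcph->ack) {
            WRITE_ONCE(allowed_src, src);
            mod_delayed_work(knock_wq, &close_work, OPEN_SECS * HZ);
            pr_info("knock: %pI4 knocked, port %d open for %d s\n",
                    &src, SSH_PORT, OPEN_SECS);
        }
        return NF_DROP;
    }
    if (dport == SSH_PORT) {
        allowed = READ_ONCE(allowed_src);
        return (allowed && src == allowed) ? NF_ACCEPT : NF_DROP;
    }
    return NF_ACCEPT;
}

static struct nf_hook_ops knock_ops = {
    .hook     = knock_hook,
    .pf       = NFPROTO_IPV4,
    .hooknum  = NF_INET_LOCAL_IN,
    .priority = NF_IP_PRI_FIRST,
};

static int __init knock_init(void)
{
    int ret;

    knock_wq = create_singlethread_workqueue("knock_wq");
    if (!knock_wq)
        return -ENOMEM;
    INIT_DELAYED_WORK(&close_work, close_ssh);
    ret = nf_register_net_hook(&init_net, &knock_ops);
    if (ret)
        destroy_workqueue(knock_wq);
    return ret;
}

static void __exit knock_exit(void)
{
    /* Unhook first so no new work can be queued, then drain the pending close. */
    nf_unregister_net_hook(&init_net, &knock_ops);
    cancel_delayed_work_sync(&close_work);
    destroy_workqueue(knock_wq);
}

module_init(knock_init);
module_exit(knock_exit);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("TP3 example: drop 22 and 100, open 22 for a host that SYNs port 100");
```

Two consequences of the Context's rules are worth seeing in the code. First, the hook drops every packet to port 22 once the window closes, not only new SYNs, so an SSH session that got in during the window is cut off when close_ssh() runs; gating only SYNs (tcph->syn && !tcph->ack) would let an established session survive. Second, the knock is a single plaintext SYN that anyone on the path can observe and replay, and a second knock from another host simply overwrites allowed_src, which is the single-address simplification the exercise allows.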