Cannot create firewall or ACL in Python 3.11 on linux - firewall

I have to create a simple Python firewall, or at least an extended access control list like on Cisco, as a program running on Kali Linux with the newest Python version.
I already have a Python sniffer using socket and struct, and that works. Now I just need the program to decide whether to forward a packet based on rules such as source IP address or source port. In my sniffer I already extract the Ethernet, IP, TCP and UDP headers, so I am able to make the ACL decision based on their fields successfully. Now I just need the program to drop the packet and not forward it when that is decided.
I tried the netfilterqueue, iptables and netfilter libraries, but they don't seem to work with Python 3.11, and I'm worried that downgrading will disrupt my currently working sniffer. So is there a way to code a firewall or ACL with Python 3.11 or 3.10?
This is part of the code I use to capture packets for deep inspection, but I have to extend it with firewall rules for forwarding decisions. Is there a chance to do it using socket? The if statement is an example of what I'm trying to achieve, namely forcing the program to drop the packet.
    import socket
    import struct

    forbidden_ip = "192.168.1.5"   # must be a string to compare with inet_ntoa() output

    # Raw packet socket for IPv4 frames (ethertype 0x0800); needs root / CAP_NET_RAW
    interface = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0800))  # Linux

    while True:
        packet = interface.recvfrom(65565)
        # IPv4 header starts after the 14-byte Ethernet header
        ip_header = struct.unpack("!BBHHHBBH4s4s", packet[0][14:34])
        srcip = socket.inet_ntoa(ip_header[8])
        dstip = socket.inet_ntoa(ip_header[9])
        if srcip == forbidden_ip:
            # now i need to drop the packet. iptables and netfilterqueue does not work for python 3.10 and 11
            pass
        else:
            continue
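The following is an added example, not code from the question or from any answer on the page. It separates the Cisco-style extended-ACL decision (first matching rule wins, implicit deny at the end) from the mechanism that can actually drop a packet. A PF_PACKET/AF_PACKET socket like the one in the question only receives a copy of each frame; the kernel keeps forwarding the original, so nothing done with that copy can drop it. Dropping has to happen in the netfilter path, which is what NFQUEUE provides: an iptables rule such as `iptables -I INPUT -j NFQUEUE --queue-num 1` (or the same target in the FORWARD chain for routed traffic) hands packets to user space, and the callback returns accept or drop. The rule set `RULES`, the sample addresses and the constructed packets below are assumptions for the demonstration; the `run_nfqueue` function assumes the NetfilterQueue package is importable on the target host and imports it lazily so the ACL logic can be exercised without it.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
ETH_HLEN = 14


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[int] = None   # None means "ip": any protocol
    src: str = "0.0.0.0/0"        # source network in CIDR form
    dst: str = "0.0.0.0/0"        # destination network in CIDR form
    sport: Optional[int] = None   # None means any port
    dport: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


def strip_ethernet(frame: bytes) -> bytes:
    """AF_PACKET delivers the 14-byte Ethernet header; NFQUEUE does not."""
    if len(frame) < ETH_HLEN or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 Ethernet frame")
    return frame[ETH_HLEN:]


def parse_ipv4(pkt: bytes) -> Flow:
    """Parse a packet starting at the IPv4 header; honours IHL (options) and fragments."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, 20..60
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    sport = dport = None
    # Ports are only present in the first fragment (offset 0) of a TCP/UDP datagram.
    if proto in (PROTO_TCP, PROTO_UDP) and (flags_frag & 0x1FFF) == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Flow(proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), sport, dport)


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches only if every field it constrains agrees with the flow."""
    return (
        (rule.proto is None or rule.proto == flow.proto)
        and ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
        and (rule.sport is None or rule.sport == flow.sport)
        and (rule.dport is None or rule.dport == flow.dport)
    )


def evaluate(rules, pkt: bytes) -> str:
    """First matching rule wins; implicit deny at the end. Unparseable packets fail closed."""
    try:
        flow = parse_ipv4(pkt)
    except ValueError:
        return "deny"
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def build_ipv4(proto, src, dst, sport=None, dport=None, ihl_words=5, frag_offset=0) -> bytes:
    """Constructed test packet: IPv4 header (zero-filled options when ihl_words > 5)
    plus the first four bytes of a TCP/UDP header when ports are given. Checksum left 0."""
    opts = b"\x00" * ((ihl_words - 5) * 4)
    l4 = struct.pack("!HH", sport, dport) if sport is not None else b""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4 + len(l4), 0,
                      frag_offset, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + opts + l4


# Assumed policy for the demonstration (not from the question): block one host outright,
# allow web traffic to one server from anywhere, allow anything else from the LAN, deny the rest.
RULES = [
    Rule("deny", src="192.168.1.5/32"),
    Rule("permit", proto=PROTO_TCP, dst="10.0.0.80/32", dport=80),
    Rule("permit", src="192.168.1.0/24"),
]


def run_nfqueue(rules, queue_num=1):
    """Enforce `rules` on packets queued by `iptables -I INPUT -j NFQUEUE --queue-num 1`.
    Needs root. NetfilterQueue is assumed installed and is imported lazily."""
    from netfilterqueue import NetfilterQueue

    def verdict(pkt):
        # The NFQUEUE payload starts at the IP header, so strip_ethernet() is not used here.
        if evaluate(rules, pkt.get_payload()) == "permit":
            pkt.accept()
        else:
            pkt.drop()

    nfq = NetfilterQueue()
    nfq.bind(queue_num, verdict)
    try:
        nfq.run()
    finally:
        nfq.unbind()


if __name__ == "__main__":
    run_nfqueue(RULES)
```

Two details matter when moving from the sniffer to the queue: the NFQUEUE callback sees the packet from the IP header onward, so the 14-byte Ethernet offset used in the question's sniffer must not be applied there, and a non-first fragment carries no ports, so a port-based permit rule does not match it and the implicit deny applies, which is the fail-closed behaviour you want against tiny-fragment tricks.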

Related

SSH connection not established, but standard TCP/IP connection works

I'm working on a custom Yocto Linux for a Raspberry Pi 3 and am trying to get the WiFi connection working with SSH. However, when trying to connect from my PC (Ubuntu 19.10, SSH OpenSSH_8.0p1 Ubuntu-6build1, OpenSSL 1.1.1c 28 May 2019) to the Pi, on which Dropbear v2019.78 runs, the connection attempt times out. But only when I try this via SSH, and via wlan0. Other TCP/IP traffic works, and so does the same pair of hosts over eth0. As this is for a robot, I would prefer not to use a tether though...
To try & debug this, I
enabled a serial console so I can work on the PI
disabled eth0
started a tcpdump on the PI (ip.host == 192.168.0.105)
started a tcpdump on the PC (ip.host == 192.168.0.106)
used a dirt-simple TCP/IP socket example written in Python (taken from https://realpython.com/python-sockets/#echo-server) to verify I can in fact communicate. The transmission is successful. I am aware that the example is lacking (no proper protocol etc), but that's not the point of it. It just works enough. The PI runs the server listening on port 2222.
attempted a SSH connection, it timed out.
I filtered the resulting PCAP down to contain just TCP, as there is other information (e.g. Dropbox discovery) that I don't think matters and might potentially be information leaking. On the host side (enp4s0-tcp-and-pi.pcap) I also filtered with ip.host == 192.168.0.105 to only contain any traffic to the PI.
Another note on my setup: I use a TP-Link router, to whose LAN ports the PC is connected, and which provides the 2.4GHz WiFi for the Pi. So both are part of the same subnet, and no special routing or anything is configured.
Also I stopped the dropbear daemon and adapted my Python code to use port 22. It works.
I'm only broadly aware of the inner workings of TCP, so I can't really make much sense of the things I see here. Any insights are more than welcome.
https://www.dropbox.com/s/5o4rqr5zdws2wq7/wlan0-tcp-only.pcap?dl=0
https://www.dropbox.com/s/amypjtk1nvja4qb/enp4s0-tcp-and-pi.pcap?dl=0

most efficient way to block an ip address from connecting to a ubuntu 18.04 server

Since I do not have access to other layers, I would like to know the most efficient way to block an IP address from connecting to a Ubuntu 18.04 server. On the box itself, they are most likely connecting to port 80. However, I would like to block access from this IP address across all ports.
I am aware of adding a rule in iptables. By most efficient I mean the least number of layers the packet goes through, in the sense that blocking with iptables happens before blocking with an Apache config on the web server itself.
Are there any other better ways?
Thanks
No. The most efficient way to block the host will be iptables since it is both operating at the kernel level and acting immediately after the packet is received and before it is handed to any application.
iptables -A INPUT -s bad.host.ip.address -j DROP

How to use scapy to capture traffic like wireshark?

I use Wireshark to capture the traffic for browsing a certain website and use ip.src and ip.dst to get correct traffic.
I'd like to do this programmatically using Scapy. Anyone know how to achieve this?
Using Scapy and its wonderful documentation, create a Python script. In the script, define a function that will act as a callback handler for received packets and in the main portion of the script make use of the sniff() function:
    from scapy.all import sniff

    def packetReceived(packet):
        print("Packet received!")

    sniff(filter="host xx.xx.xx.xx and host xx.xx.xx.xx and tcp port 80", prn=packetReceived)
Obviously, change the BPF filter to match the hosts you're targeting.

Packet crafting and iptables

I want to test how the netfilter/ip6tables firewall handles some IPv6-related stuff like tiny/overlapped fragments, type 0 routing headers, excessive HPH options etc. For this I wanted to use Scapy to craft my own packets, but apparently Scapy using raw sockets means bypassing iptables. Is there another way of achieving my goal and how would I go about it? Some library I could use to make my own packets, which iptables can act on?
Run your packet injection program from a VM, and inspect the network connected to that VM.
Scapy is useful for such odd tasks. Sometimes what you want to do is just as easily done by writing small programs using the normal C APIs (including raw sockets in some cases, or TCP connections with odd options set). In many cases, a trivial TCP or UDP client in any high level language such as Python will do.

Simple Raw Packet Capture & Send Program

I would like to create a demo with the following topology:
... --->[switch] <---> [Host]
DEMO: A switch sends a packet to a monitoring Host (The packets original destination is not this Host, yet switch will send to it via a mirror port). The monitor-Host is to capture that packet, do something with it (e.g., just dump the L2-L4 header fields into some log file), and then send the original packet back towards the switch.
Host Environment: Ubuntu 12.04 Linux.
Dilemma: What's the simplest way I can capture the packet in Host and send back the original packet to the switch?
Possibilities to Explore:
Create a packet sniffer program in C (looks complex ... libpcap, AF_Packet sockets etc.).
Try to use python scapy (don't know how complex this will be).
Try to install some open source proxy server of some kind to which I can write a plugin that will examine the captured packets.
Question: Any better recommendations (if I can avoid going the programming route, it would be preferred. Is there any simple scripting method to do this?). Looking for a quick-and-dirty method here. Thanks.
Well, you can use packet sniffers such as Wireshark or ettercap, which capture all network packets (using promiscuous mode) and dump them in a readable format.
Or you can pretty easily code a sniffer for yourself in Python on Linux, which is not so complex to understand.
