Jumps in firewall rule sets - firewall

I have a general question regarding software-based firewalls.
Specifically, I would like to know whether there are other firewalls than iptables
which allow the specification of jumps inside of the rule set.
In iptables, users have the possibility to specify "jumps" inside of the rule set by targeting specific chains when a rule matches on a packet.
For example, in the following rule set
(1) iptables -A INPUT --src 1.2.3.4 -j ACCEPT
(2) iptables -A INPUT --src 1.2.3.5 -j ACCEPT
(3) iptables -A INPUT --src 1.2.3.6 -j ACCEPT
(4) iptables -A INPUT --src 8.8.8.8 -j NEXT_CHAIN
(5) iptables -A INPUT --src 2.2.2.2 -j ACCEPT
(6) iptables -A INPUT --src 2.2.2.3 -j ACCEPT
<NEXT_CHAIN starts here ...>
rule (4) redirects packet processing to another rule set named "NEXT_CHAIN".
In other words, rules (5) and (6) are skipped (in some sense, if there is a match in NEXT_CHAIN).
I think this is also possible in iptables' predecessor ipchains.
Do you know whether there are any other firewalls that provide a similar feature?

The other main competitor to iptables is pf, which has similar capabilities to iptables.

Linux firewalls are built around Netfilter; the kernel's network packet processing framework which is made of several kernel modules performing specific tasks like:
The FILTER module (always loaded by default) mainly allows us to ACCEPT or DROP IP packets based on a certain matching criteria.
The NAT module set allows us to perform Network Address Translations (SNAT, DNAT, MASQUERADE).
The MANGLE module allows us to alter certain IP packet fields (TOS, TTL)
Users configure the Netfilter framework ("kernel mode") to suit their firewall needs using iptables which is an "userland" application run from the command line. With iptables we define rules that instruct the Linux kernel what to do with IP packets when they arrive into, pass through, or leave our Linux box.
All the Linux based firewalls are based in Netfilter and most of them use iptables as a way to control Netfilter.
Different technologies use a similar strategy; i.e. in BSD (OpenBSD) the kernel module is called PF (Packet Filter) an the "userland" application for controlling PF is called pfctl
Depending what technology you use you have one or the other; both systems do basically the same and of course they both can perform the jumps you mention. Remember a firewall in Linux or BSD is just a set of rules loaded by the corresponding userland application which set the behavior of the corresponding net traffic control kernel engine.
also consider when you jump into a user defined chain you can also "return"

I did some research on other packet filtering systems, and I found out the following:
OpenBSD's pf can implement some sort of control using conditional anchors:
EXAMPLE: anchor udp-only in on fxp0 inet proto udp
The OpenFlow switch provides direct jumps by using GOTO targets
NetBSD's ipfw provides the skipto action
Each of these features allows to modify the control flow during packet classification and can be used to implement JUMP semantics.

Related

merging tcpdump from two different interfaces

Can you please help me to get an idea, how to do the following requirement?
I have two ethernet ports on a server. Eth0 and Eth1. Both interfaces are carrying traffic. I want to capture packet-dump both of the interfaces and merge into one file.
Thank you
Luke
As the answers to Tcpdump on multiple interfaces provide, which #Marged linked to above, you can run tcpdump (or tshark or dumpcap) specifying -i any as the interface if you don't mind capturing traffic on all interfaces. And if you only want traffic on those 2 specific interfaces, then you can simultaneously run 2 separate instances of the capture tool, one capturing on the eth0 interface, the other capturing on the eth1 interface and then merge the two capture files together using a tool such as mergecap.
Alternatively - and much simpler in my opinion - is to just use a single instance of either dumpcap or tshark to capture traffic on both interfaces to a single capture file with no merging of separate capture files needed at all. As the man pages for those tools indicate, "This option can occur multiple times. When capturing from multiple interfaces, the capture file will be saved in pcapng format."
For example:
tshark -i eth0 -i eth1 -w eth0_eth1.pcapng

Can I intercept network packets with a raw socket (not only sniff)?

This is my first time using raw sockets (yes, I need to use them as I must modify a field inside a network header) and all the documentation or tutorials I read describe a solution to sniff packets but that is not exactly what I need. I need to create a script which intercepts the packet, process it and sends it further to the destination, i.e. the packets should not reach the destination unless my script decides to.
In order to learn, I created a small prototype which detects pings and just prints "PING". I would expect ping not to work as I intercept the packets and I don't include the logic to send them to its destination. However ping is working (again, it seems as it is just sniffing/mirroring packets). My goal is that the ping packets are "trapped" in my script and I don't know how to do that. This is what I do in my current python script (I avoid writing how I do the decode for simplicity)
sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))
sock.bind((eth0, 0))
packet = sock.recvfrom(65565)
decode_eth(packet)
decode_ip(packet)
if (ipheader.ip_proto == 1):
print("\nPING")
Can somebody explain how can I achieve my goal or point me to the right documentation?
Your description seems to be different from what your title suggest. My understanding is that you want to receive, modify and possibly drop incoming network packets. And this is to be done on Linux. In that case I suggest you use a netfilter prerouting hook, which will make things a lot simpler (and likely more stable). Netfilter is well documented, a nice overview including information related to your requirements can be seen here. The important function to use is nf_register_hook(), read the answer to this question to get an idea of how to set things up.
I suppose that your Linux box is configured as a router (not a bridge). The packet will pass through your Linux because you have enabled IP Forwarding. So there are two solution:
Solution 1:
Disable IP Forwarding and then receive the packet from one interface and do the appropriate task (forwarding to another interface or dropping it).
Solution 2:
Use NetFilterQueue.
Install it on your Linux box (Debian/Ubuntu in my example):
apt-get install build-essential python-dev libnetfilter-queue-dev
Use iptables to send packets coming from input interface (eth0 in my example):
iptables -I INPUT -i eth0 -j NFQUEUE --queue-num 1
Run this script to handle packets forwarded to the Queue No.1 :
from netfilterqueue import NetfilterQueue
def print_and_accept(pkt):
print pkt
pkt.accept()
nfqueue = NetfilterQueue()
nfqueue.bind(1, print_and_accept)
try:
nfqueue.run()
except KeyboardInterrupt:
print
Note that pkt.drop() cause dropping the packet. Also you should accept/drop every packet.

Use of -m option in ping

What is the use of ping -m option? I read the ping man page but I am unable to understand. After googling, I saw that if -m option is used, then SO_MARK option is added to the socket. So, what is the use of this option and when should we use it?
Thanks in advance.
On Linux, the SO_MARK is used to mark outgoing packets:
SO_MARK (since Linux 2.6.25)
Set the mark for each packet sent through this socket (similar
to the netfilter MARK target but socket-based). Changing the
mark can be used for mark-based routing without netfilter or
for packet filtering. Setting this option requires the
CAP_NET_ADMIN capability.
So if you ping with that option :
$ping -m 10 <host>
It can then be filtered with iptables on <host>:
$iptables -A INPUT -m mark --mark 0xa -j ACCEPT
or directly in code with getsockopt().
It can be used for a variety of reasons, for example for routing decisions or network debug.
Option -m exists only on OSX machines.
It allows you to set the IP Time To Live for outgoing packets. If not specified, the kernel uses the value of the net.inet.ip.ttl MIB variable.
TTL value defines how many hops between routers can packet do.

How can you filter packets by content using native Linux tools such as netfilter?

I am aware that you can use netfilter to filter out packets based on address, protocol, and other things. My question is can you use netfilter (or some other native Linux utility) that will allow you to filter packets based on content. The filtering should be done on the client side, which is running linux with root access.
For example (for purposes of this discussion), let's say I would like to DROP all incoming UDP packets that have the word "porn" in the body of the packet (assume no compression, no ssl, and we are only trying to catch packets with this word in ASCII/plain-text in body of packet). Is there a way to create a iptable, netfilter, related rule to drop these incoming UDP packets?
You can use the iptables string module to look for an string anywhere in the packet (including the headers).
For example, to filter the example you have pointed:
iptables -I INPUT -p udp -m string --string "porn" --algo bm -j DROP
More info about this usefull module here.
The kpcre module allows of packet content filtering using regular expressions.
For example, to filter the example you have pointed:
iptables -I INPUT -p udp -m string --string "/porn/i" --algo regex -j DROP
The string "/porn/i" denotes case insensitive "porn" string.

Accepting packets in user-space from netfilter

I want to capture all tcp packets on port 80 that are going to a forward address and pass them into a user-space program for mangling. I know how to do this with an IPtables rule such as
iptables -A FORWARD ... -j NFQUEUE --queue-num 10
but i can't seem to find any examples, and there is a time restriction, so I can't just sift through wireshark code. I'm looking for examples, or even a place to start. Can I use sockets? or is there a kernel data structure that I can use to pop packets off of the stack, and once I'm done, how can I pass the packets back to netfilter?
You can write a kernel module that registers for queued packets for a certain protocol.
You can read the netfilter-hacking-HOWTO, page 25 has a section "Processing Queued Packets". This section discusses at a higher level but answers everything you asked.
Download it from:
http://www.netfilter.org/documentation/index.html#documentation-howto
you can use nf_reinject() to let the packet get processed further.
I don't want to repeat whatever is in this guide but this should be enough to start with.

Resources