I want to drop outgoing IP packets from my machine based on some criteria. I checked the capabilities provided by iptables but unfortunately it doesn't have what I am looking for.
So what I want is access to packets (at least those generate on my machine and going out). And based on some criteria the ability to drop them.
Should I be looking at modifying the iptables source code to add this functionality OR should I make a Linux kernel module to do this? or is there something else I should look into?
I want some general guidance but any specifics like a particular file in iptables where such functionality can be added will be very useful too!
You can use the NFQUEUE target of the netfilter. It sends packets to a userland program which can parse the payload and return a decision like DROP or ACCEPT.
You can find documentation and examples on the netfilter website.
This functionality is mentionned at the beginning of man iptables...
From what you're describing, it sounds like what you're trying to do could probably be implemented as a new iptables match. You'd have to tell us what conditions you're trying to drop packets based on before we could advise you in more detail, though.
I'm pretty sure iptables could be used to drop packets based on the condition. If the condition is complicated you might need to write your own netfilter plugin (http://netfilter.org/) to augment what can be done with iptables.
Related
I've been reading about iptables for hours and I still don't understand what is it that they're calling a "chain".
I see this word everywhere in the doc and in tutorials and it's still fuzzy to me what they're talking about.
What's a chain?
Chain is nothing but sequence of filter rules maintained by iptables.
INPUT Chain : For packets coming into the system or destined for the
system.
FORWARD Chain : For packets travelling (being routed) through the
system.
OUTPUT Chain : For packets leaving the system or originating from
the system.
To know more about IPTABLES, Visit an article my Linux Blog:
A chain is a sequence of rules applied in order.
There are three built-in chains (INPUT, OUTPUT and FORWARD) and you can create your own to streamline processing for e.g. specific packet types.
I have a pcap file to replay. I want to rewrite packet payload to include a timestamp. How can I do that with tcpreplay or tcprewrite? Is there a default option or should I implement it myself (modifying tcpreplay)? I have been reading these pages for a while and google did not help me either. Thanks in advance
PS: I don't want to modify the original size of the packet, since the data is not important overwriting is fine. If only option is to modify packet size, I am fine with that too.
That kind of editing isn't supported by tcpreplay/tcprewrite, so you'd have to write the code yourself. If you don't mind corrupting your packet data (which sounds like you're ok with) then it should be pretty easy by editing tcpedit.c.
If you are not bound to a command line tool, checkout netdude. It is GTK application which allows you to edit a packet trace using just a few clicks.
Here is a screenshot that shows the dialog to edit the TCP header fields.
(source: sourceforge.net)
The accompanying library libnetdude is the core of netdude. Write your own tool with it if the GUI provided by netdude does not meet your needs.
Current employment only lists currently used Ports in /etc/services. So it's hard to tell where others left off. How can I find, what Port numbers are not listed there?
Do you mean ports of programs actually running on your computer? You may be able to use netstat or lsof to find these.
Or are you simply looking for common ports that your particular /etc/services may be missing? Wikipedia has a list at http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers if you wish to augment yours.
I'm trying to anonymize packets from a pcap file that I have. I need to discard all the packets payloads/content (leaving only header information) and was wondering if there would be a tool that I could use for this (on Linux)? I have thought about using tcpdump with specifying the snaplen but with the header length changing, I don't think that would work.
If there isn't a tool that could accomplish this, a point in the direction of what library for coding would be best(easiest) would work as well. I'd rather not take that route since I have virtually no experience in network programming.
Any help is much appreciated.
You don't need any network programming experience to anonymize the packets. The format of the output file is well documented in the pcap-savefile(5) manpage. You will need to lookup the layouts of the various protocols you'll be handling in order to identify what fields need to be anonymized. You should also look at the link layer header types documentation at tcpdump.org to help you get started.
EDIT: Also look at libpcap itself... according to the pcap-savefile manpage:
NOTE: applications and libraries
should, if possible, use libpcap to
read savefiles, rather than having their own code to read
savefiles.
If, in the future, a new file format is supported by libpcap,
applica-
tions and libraries using libpcap to read savefiles will be
able to
read the new format of savefiles, but applications and
libraries using
their own code to read savefiles will have to be changed to
support the
new file format.
I simply need to associate an extension number to an ip-address on an H.225 message.
I have already recording RTP payloads, converting, mixing, everything but today, my extensions need to be ip-fixed .
All i need is the ext. number.
C/C++ code is welcome.
Thanks a lot
The association between IPs an E.164 numbers in H.323 is done through the gatekeeper. Take a look at the GNU Gatekeeper.