
Introduction to Packet Interception Using Netfilter

By Harshadmulmuley May 17, 2016

In the first blog of this series, we will focus on the concept of packet interception in user space and later on we will also look into use cases pertaining to this concept.

Such a user space agent can be developed in C on a Linux-based OS (Python has a similar set of libraries).

The following external libraries are required:

* libnfnetlink: A low level library for kernel/userspace communication

* libnetfilter_queue: A userspace library providing an API for packets queued by kernel

* libmnl: Internally used by libnetfilter_queue

Additionally, the iptables command-line utility is needed to install rules.

Installation steps

The following steps are sufficient to install these libraries manually:

mkdir /some/path/libs
cd /some/path/libs
git clone git://git.netfilter.org/libnfnetlink.git
git clone git://git.netfilter.org/libnetfilter_queue.git
cd libnfnetlink
./autogen.sh
./configure --prefix=/usr
make
sudo make install
sudo apt-get install libmnl-dev
cd ../libnetfilter_queue
./autogen.sh
./configure --prefix=/usr
make
sudo make install

The iptables utility is installed by default and is set to allow all traffic. Note that the iptables command only works when run as root.

Concept

The decision on packets can be delegated to a user space agent using the iptables tool. The command required for doing this is:

sudo iptables -A OUTPUT -p ip -j NFQUEUE --queue-num 0

The options used above signify:

* -A : append a new rule to iptables (OUTPUT rule in this case)

* -p : protocol (IP)

* -j : target for the packets (NFQUEUE number 0 is the target here)

Using the above command, we inform the kernel that all outgoing packets should be added to a Netfilter queue (NFQUEUE) with queue number 0.

After this is done, it is the responsibility of the agent to listen on NFQUEUE number 0 and issue a verdict on each packet in this queue, thus giving it back to kernel space. Verdict setting is done using libnetfilter_queue capabilities.

A verdict can be any of the following:

* NF_ACCEPT: let the packet pass

* NF_DROP: drop the packet

* NF_STOLEN: take the packet and don’t let it pass

* NF_QUEUE: queue the packet

* NF_REPEAT: call the hook again
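The decision step of such an agent, as an added example that is not code from the original post or from the netfilter project: it takes the bytes a queue callback would receive from nfq_get_payload() and returns NF_DROP or NF_ACCEPT. The AGENT_ names, the blocked address and the sample packet are constructed for illustration, and it assumes the agent asked the kernel to copy at least the full IP header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same numeric values as NF_DROP / NF_ACCEPT in <linux/netfilter.h>, under
 * hypothetical AGENT_ names so the block builds without kernel headers. */
enum { AGENT_NF_DROP = 0, AGENT_NF_ACCEPT = 1 };

/* Constructed policy: block one documentation-range address (TEST-NET-1). */
static const uint8_t BLOCKED_DST[4] = { 192, 0, 2, 10 };

/* Decide a verdict for one queued packet. pkt/len describe the buffer that
 * nfq_get_payload() returns: the packet starting at its IP header. The rule
 * on this page queues IPv4 only, so anything that does not parse as IPv4
 * is dropped (fail closed) instead of being read past its end. */
uint32_t decide_verdict(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20)           /* shorter than a minimal header */
        return AGENT_NF_DROP;
    if ((pkt[0] >> 4) != 4)                /* version field must be 4 */
        return AGENT_NF_DROP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > len)             /* header claims more than we hold */
        return AGENT_NF_DROP;
    if (memcmp(pkt + 16, BLOCKED_DST, 4) == 0)  /* bytes 16..19: destination */
        return AGENT_NF_DROP;
    return AGENT_NF_ACCEPT;
}

/* Constructed sample: bare 20-byte IPv4 header from 10.0.0.1 to 192.0.2.x. */
uint32_t verdict_for_last_octet(uint8_t last)
{
    uint8_t pkt[20] = {
        0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
        0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1,
        192, 0, 2, 0
    };
    pkt[19] = last;                        /* choose the destination host */
    return decide_verdict(pkt, sizeof pkt);
}

int main(void)
{
    printf("to 192.0.2.10 -> verdict %u\n", (unsigned)verdict_for_last_octet(10));
    printf("to 192.0.2.11 -> verdict %u\n", (unsigned)verdict_for_last_octet(11));
    return 0;
}
```

In a real agent the returned value would be passed to nfq_set_verdict() from the queue callback. While no agent is bound to queue 0, the kernel drops packets matched by the NFQUEUE rule unless the rule was added with --queue-bypass.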

In the next blog, we will be looking into a simple agent in C which can modify, forward or drop an IP packet.


 
