The RADIUS part of it is not important to the query, but thought I would explain the context:
I have a Linux-based RADIUS server that always includes a certain attribute in the "Access-Accept" packet, which one of my network devices does not like. The server does not have an option to disable said attribute. I was looking into the possibility of using a script to modify the outgoing Access-Accept to remove the attribute and recalculate the checksum and RADIUS authenticator fields.
I will be able to code a Python script which creates a UDP socket to listen on and then modifies the RADIUS packet as required. The part I am stuck with is:
(A) How to redirect outgoing traffic to my script's socket?
(B) How to ensure source and destination IP/port remain the same?
Doing some research for (A), it looks like we can use iptables to redirect incoming data to a script:
The suggested command in the above link:
iptables -t nat -D PREROUTING -s yourhost -d desthost -p tcp --dport 80 -j REDIRECT --to 10101
However, I need to modify the outgoing data. I am guessing I need to change PREROUTING to POSTROUTING. There also seems to be a NAT keyword. I am unsure how that will affect the IP addresses.
I am also concerned: if my script does send out the modified packet with the same IPs/ports, will it not hit the iptables rule once again and get stuck in an infinite loop? How do I avoid this?
For query (B), I suppose using Scapy is an option to ensure IP/port remains the same in the modified packet. If there is an easier option, I would like to know that.
Any help with the above would be truly appreciated.
You have to use the NFQUEUE iptables functionality: if a packet matches your rule, it will be redirected in userspace to a specific queue.
For instance, to intercept all RADIUS packets to your "non-standard" network device:
iptables -A OUTPUT -d <device> -p udp --sport <radius_port> -j NFQUEUE --queue-num 1
Then you have to run a script that binds to the Nfqueue and modifies the packets accordingly.
A small Python sample with nfqueue and scapy (you'll need to install the dependencies):
```python
from scapy.all import IP, UDP
from netfilterqueue import NetfilterQueue

queueId = 1

def doStuff(packet):
    # parse the raw bytes handed over by NFQUEUE as an IP packet
    pkt = IP(packet.get_payload())
    # [do your packet mangling here], e.g. rewrite pkt[UDP].payload
    # drop the cached checksums so scapy recomputes them on serialisation
    del pkt[IP].chksum
    del pkt[UDP].chksum
    packet.set_payload(bytes(pkt))
    packet.accept()

# bind the callback function to the queue
nfqueue = NetfilterQueue()
nfqueue.bind(queueId, doStuff)
try:
    nfqueue.run()
except KeyboardInterrupt:
    pass
nfqueue.unbind()
```
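The RADIUS-level part of the mangling the question describes, as an added example that is not from the question or the answer: strip one attribute type from an Access-Accept, fix the Length field, and recompute the Response Authenticator per RFC 2865 (MD5 over Code, Identifier, Length, the Request Authenticator of the matching Access-Request, the remaining attributes and the shared secret). The secret, the Request Authenticator and the sample packet are constructed for the example; it is pure standard library, so the scapy callback above would call `strip_attribute` on `bytes(pkt[UDP].payload)` and leave the IP/UDP checksums to scapy.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator
SECRET = b"testing123"              # constructed shared secret
REQUEST_AUTH = bytes(range(16))     # constructed Request Authenticator of the Access-Request

def parse_attributes(packet):
    """Return [(type, value)] for a RADIUS packet; raise ValueError if malformed."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    length = HEADER.unpack_from(packet)[2]
    if length < HEADER.size or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    body, pos, attrs = packet[HEADER.size:length], 0, []
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("truncated or oversized attribute at offset %d" % pos)
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return attrs

def build_response(code, ident, attrs, secret, request_auth):
    """Serialise attributes and compute the Response Authenticator (RFC 2865 s.3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body

def response_authenticator_ok(packet, secret, request_auth):
    """Verify a response the way the NAS will: rebuild it and compare authenticators."""
    code, ident, _, auth = HEADER.unpack_from(packet)
    expected = build_response(code, ident, parse_attributes(packet), secret, request_auth)
    return hmac.compare_digest(auth, expected[4:20])

def strip_attribute(packet, attr_type, secret, request_auth):
    """Drop every attribute of attr_type, fix Length and re-sign the response."""
    code, ident, _, _ = HEADER.unpack_from(packet)
    kept = [(t, v) for t, v in parse_attributes(packet) if t != attr_type]
    return build_response(code, ident, kept, secret, request_auth)

def sample_access_accept():
    """Constructed Access-Accept (code 2): Service-Type=Framed, Framed-IP-Address, and a
    Vendor-Specific (26) attribute standing in for the one the device rejects."""
    attrs = [(6, b"\x00\x00\x00\x02"), (8, bytes([192, 0, 2, 10])),
             (26, b"\x00\x00\x00\x00" + b"\x01\x05abc")]
    return build_response(2, 7, attrs, SECRET, REQUEST_AUTH)
```

If the Access-Accept also carries a Message-Authenticator attribute (type 80, RFC 2869), that HMAC-MD5 must be recomputed as well, which this example does not do; the script also needs the Request Authenticator of the matching Access-Request, so it has to see the request (keyed by Identifier and client address) before the reply.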