
Modify data in outgoing UDP packets on linux

The RADIUS part of it is not important to the query, but thought I would explain the context:

I have a linux based radius server that always includes a certain attribute in the "Access-Accept" packet, that one of my network devices does not like. The server does not have an option to disable said attribute. I was looking into the possibility of using a script to modify the outgoing access accept to remove the attribute and recalculate the checksum and Radius authenticator fields.

I will be able to code a python script which creates a UDP socket to listen on and then modify the radius packet as required. The part I am stuck with is:
(A) How to redirect outgoing traffic to my script's socket?
(B) How to ensure source and destination IP/port remain the same?

Doing some research for (A), it looks like we can use iptables to redirect incoming data to a script:

The suggested command in the above link:
iptables -t nat -D PREROUTING -s yourhost -d desthost -p tcp --dport 80 -j REDIRECT --to 10101

However, I need to modify the outgoing data. I am guessing I need to change PREROUTING to POSTROUTING. There also seems to be a NAT keyword. I am unsure how that will affect the IP addresses.

I am also concerned, if my script does send out the modified packet with the same IPs/Ports, will it not hit the iptable rule once again, and get stuck in an infinite loop? How do I avoid this?

For query (B), I suppose using Scapy is an option to ensure IP/port remains the same in the modified packet. If there is an easier option, I would like to know that.

Any help with the above would be truly appreciated.

You have to use the NFQUEUE iptables functionality: if a packet matches your rule, it will be redirected in userspace to a specific queue.

For instance, to intercept all RADIUS packets to your "non-standard" network device:

iptables -A OUTPUT -d <device> -p udp --sport <radius_port> -j NFQUEUE --queue-num 1

Then you have to run a script that binds to the Nfqueue and modifies the packets accordingly.

A small python sample with nfqueue and scapy (you'll need to install the dependencies):

from scapy.all import IP, UDP
from scapy.layers.radius import Radius
from netfilterqueue import NetfilterQueue

queueId = 1
UNWANTED_TYPE = 26  # placeholder: type number of the attribute to strip

def doStuff(packet):
    # the kernel hands over the raw IP packet; parse it with scapy
    pkt = IP(packet.get_payload())
    if pkt.haslayer(Radius):
        radius = pkt[Radius]
        # do your packet mangling here: drop the unwanted attribute(s)
        radius.attributes = [a for a in radius.attributes if a.type != UNWANTED_TYPE]
        # clear the cached lengths/checksums so scapy recomputes them when the
        # packet is rebuilt (the RADIUS Response Authenticator still has to be
        # recomputed separately with the shared secret and Request Authenticator)
        del radius.len
        del pkt[UDP].len
        del pkt[UDP].chksum
        del pkt[IP].len
        del pkt[IP].chksum
    # hand the (possibly modified) packet back to the kernel
    packet.set_payload(bytes(pkt))
    packet.accept()

# bind the callback function to the queue
nfqueue = NetfilterQueue()
nfqueue.bind(queueId, doStuff)

try:
    nfqueue.run()
except KeyboardInterrupt:
    pass
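The attribute removal and Response Authenticator recalculation the question asks about, as an added stand-alone example (standard library only; not the answer's scapy code). It assumes the script knows the shared secret and the Request Authenticator of the matching Access-Request, since RFC 2865 defines the Response Authenticator as MD5(Code + ID + Length + RequestAuth + Attributes + Secret); the secret, authenticator and attribute type below are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values (not from the original post): shared secret,
# Request Authenticator of the matching Access-Request, and the type
# number of the attribute the network device rejects.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
UNWANTED_TYPE = 26  # Vendor-Specific, used here only as a placeholder

def parse_attributes(body):
    """Split the attribute section into (type, value) pairs (RFC 2865 s5)."""
    attrs = []
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed RADIUS attribute")
        attr_type, attr_len = body[0], body[1]
        attrs.append((attr_type, body[2:attr_len]))
        body = body[attr_len:]
    return attrs

def build_attributes(attrs):
    """Serialise (type, value) pairs back into TLV form."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def response_authenticator(header, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    return hashlib.md5(header + request_auth + body + secret).digest()

def make_access_accept(ident, attrs, request_auth, secret):
    """Constructed Access-Accept (code 2) with a valid Response Authenticator."""
    body = build_attributes(attrs)
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    return header + response_authenticator(header, request_auth, body, secret) + body

def strip_attribute(raw, unwanted_type, request_auth, secret):
    """Remove every attribute of unwanted_type and fix Length and Authenticator."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad RADIUS length field")
    attrs = [a for a in parse_attributes(raw[20:length]) if a[0] != unwanted_type]
    body = build_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + response_authenticator(header, request_auth, body, secret) + body

def verify_response(raw, request_auth, secret):
    """True if the packet's Response Authenticator is valid for this secret."""
    return raw[4:20] == response_authenticator(raw[:4], request_auth, raw[20:], secret)
```

In the NFQUEUE callback, `strip_attribute` would be applied to the UDP payload, with the Request Authenticator cached from the inbound Access-Request of the same packet identifier.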
