* netfilter_queue: how to obtain address info from queued packet
@ 2007-01-23 10:03 Michal Martinek
2007-01-23 10:10 ` Gáspár Lajos
0 siblings, 1 reply; 10+ messages in thread
From: Michal Martinek @ 2007-01-23 10:03 UTC (permalink / raw)
To: netfilter
Hello all,
I am quite a newbie to the netfilter world, so maybe my approach is
naive. I would like to block communication coming from/to some ports
according to the content of packets. Unfortunately these ports are not
static, so port specific netfilter rule cannot be used. So my question is:
Is it possible to obtain some address info (source/destination address
and ports) from the packet queued from netfilter?
Thanks in advance for any help,
Michal
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: netfilter_queue: how to obtain address info from queued packet
2007-01-23 10:03 netfilter_queue: how to obtain address info from queued packet Michal Martinek
@ 2007-01-23 10:10 ` Gáspár Lajos
2007-01-23 10:18 ` Michal Martinek
0 siblings, 1 reply; 10+ messages in thread
From: Gáspár Lajos @ 2007-01-23 10:10 UTC (permalink / raw)
To: Michal Martinek; +Cc: netfilter
Michal Martinek wrote:
> Hello all,
>
> I am quite a newbie to the netfilter world, so maybe my approach is
> naive. I would like to block communication coming from/to some ports
> according to the content of packets. Unfortunately these ports are not
> static, so port specific netfilter rule cannot be used. So my question
> is:
>
Do you know the STRING module ?
> Is it possible to obtain some address info (source/destination address
> and ports) from the packet queued from netfilter?
>
>
> Thanks in advance for any help,
>
> Michal
>
>
* Re: netfilter_queue: how to obtain address info from queued packet
2007-01-23 10:10 ` Gáspár Lajos
@ 2007-01-23 10:18 ` Michal Martinek
2007-01-23 10:27 ` Gáspár Lajos
2007-01-23 10:31 ` Cedric Blancher
0 siblings, 2 replies; 10+ messages in thread
From: Michal Martinek @ 2007-01-23 10:18 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: netfilter
Gáspár Lajos wrote:
>
> Michal Martinek wrote:
>> Hello all,
>>
>> I am quite a newbie to the netfilter world, so maybe my approach is
>> naive. I would like to block communication coming from/to some ports
>> according to the content of packets. Unfortunately these ports are not
>> static, so port specific netfilter rule cannot be used. So my question
>> is:
>>
> Do you know the STRING module ?
I'm afraid not. Can you give me some explanation (or link)?
>> Is it possible to obtain some address info (source/destination address
>> and ports) from the packet queued from netfilter?
* Re: netfilter_queue: how to obtain address info from queued packet
2007-01-23 10:18 ` Michal Martinek
@ 2007-01-23 10:27 ` Gáspár Lajos
2007-01-23 10:40 ` Michal Martinek
2007-01-23 10:31 ` Cedric Blancher
1 sibling, 1 reply; 10+ messages in thread
From: Gáspár Lajos @ 2007-01-23 10:27 UTC (permalink / raw)
To: Michal Martinek; +Cc: netfilter
Michal Martinek wrote:
>
>
> Gáspár Lajos wrote:
>>
>> Michal Martinek wrote:
>>> Hello all,
>>>
>>> I am quite a newbie to the netfilter world, so maybe my approach is
>>> naive. I would like to block communication coming from/to some ports
>>> according to the content of packets. Unfortunately these ports are
>>> not static, so port specific netfilter rule cannot be used. So my
>>> question is:
>>>
>> Do you know the STRING module ?
>
> I'm afraid not. Can you give me some explanation (or link)?
Well... :) man iptables...
iptables -A FORWARD -j DROP -p tcp -m string --string 'Some string'
--algo kmp
>
>>> Is it possible to obtain some address info (source/destination
>>> address and ports) from the packet queued from netfilter?
>
>
* Re: netfilter_queue: how to obtain address info from queued packet
2007-01-23 10:27 ` Gáspár Lajos
@ 2007-01-23 10:40 ` Michal Martinek
2007-01-23 11:49 ` Gáspár Lajos
0 siblings, 1 reply; 10+ messages in thread
From: Michal Martinek @ 2007-01-23 10:40 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: netfilter
Gáspár Lajos wrote:
>
> Michal Martinek wrote:
>>
>>
>> Gáspár Lajos wrote:
>>>
>>> Michal Martinek wrote:
>>>> Hello all,
>>>>
>>>> I am quite a newbie to the netfilter world, so maybe my approach is
>>>> naive. I would like to block communication coming from/to some ports
>>>> according to the content of packets. Unfortunately these ports are
>>>> not static, so port specific netfilter rule cannot be used. So my
>>>> question is:
>>>>
>>> Do you know the STRING module ?
>>
>> I'm afraid not. Can you give me some explanation (or link)?
> Well... :) man iptables...
> iptables -A FORWARD -j DROP -p tcp -m string --string 'Some string'
> --algo kmp
Thanks, I was too fast to answer without looking into the man pages :-). But
this module would just save me some work with analyzing packets. The
problem is that I would like to detect a video stream in which I can
recognize only some "key packets". The rest is (for me) unrecognizable
and I only know that they are coming from/to the same port.
>>
>>>> Is it possible to obtain some address info (source/destination
>>>> address and ports) from the packet queued from netfilter?
>>
>>
>
>
* Re: netfilter_queue: how to obtain address info from queued packet
2007-01-23 10:40 ` Michal Martinek
@ 2007-01-23 11:49 ` Gáspár Lajos
0 siblings, 0 replies; 10+ messages in thread
From: Gáspár Lajos @ 2007-01-23 11:49 UTC (permalink / raw)
To: Michal Martinek; +Cc: netfilter
Michal Martinek wrote:
>
> Thanks, I was too fast to answer without looking into the man pages :-).
> But this module would just save me some work with analyzing packets.
> The problem is that I would like to detect a video stream in which I can
> recognize only some "key packets". The rest is (for me)
> unrecognizable and I only know that they are coming from/to the same
> port.
>
Well... It is not really clear to me what you want... :-) (Blocking some
"communication" :-).)
You can drop the whole connection when you detect, for example, a header
of a video stream....
This could be dangerous because you would drop some legitimate traffic too.
That is why you have to narrow your matching criteria (e.g. by adding
some rules like "-i eth0" or "-s 192.168.0.1").
Another good thing to look at is the l7 patch:
http://l7-filter.sourceforge.net/HOWTO
But there may be better solutions if you clarify your needs more :)
Swifty
* Re: netfilter_queue: how to obtain address info from queued packet
2007-01-23 10:18 ` Michal Martinek
2007-01-23 10:27 ` Gáspár Lajos
@ 2007-01-23 10:31 ` Cedric Blancher
2007-01-23 11:53 ` Michal Martinek
1 sibling, 1 reply; 10+ messages in thread
From: Cedric Blancher @ 2007-01-23 10:31 UTC (permalink / raw)
To: Michal Martinek; +Cc: netfilter
On Tuesday, 23 January 2007 at 11:18 +0100, Michal Martinek wrote:
> > Do you know the STRING module ?
> I'm afraid not. Can you give me some explanation (or link)?
http://www.google.com/search?q=netfilter+string
By the way, string match is completely irrelevant to your question as it
would allow you to match a given packet with a fixed already known
value, not to extract a value you don't know from the packet.
What you want to achieve is a conntrack helper. You can have a look at
existing ones, such as ip_conntrack_ftp, ip_conntrack_irc, etc. You could
also use the QUEUE target to do the job in userland.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: netfilter_queue: how to obtain address info from queued packet
2007-01-23 10:31 ` Cedric Blancher
@ 2007-01-23 11:53 ` Michal Martinek
2007-01-23 12:33 ` Cedric Blancher
0 siblings, 1 reply; 10+ messages in thread
From: Michal Martinek @ 2007-01-23 11:53 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
Cedric Blancher wrote:
> On Tuesday, 23 January 2007 at 11:18 +0100, Michal Martinek wrote:
>>> Do you know the STRING module ?
>> I'm afraid not. Can you give me some explanation (or link)?
>
> http://www.google.com/search?q=netfilter+string
>
> By the way, string match is completely irrelevant to your question as it
> would allow you to match a given packet with a fixed already known
> value, not to extract a value you don't know from the packet.
>
> What you want to achieve is a conntrack helper. You can have a look at
> existing ones, such as ip_conntrack_ftp, ip_conntrack_irc, etc. You could
> also use the QUEUE target to do the job in userland.
Thanks for help, I've already written some userspace packet analyzer
acting as a NFQUEUE target, but the problem is, that not all of the
packets I'd like to handle (mostly drop) are recognizable. It is a video
stream, in which I can detect only some "key packets", but the rest
remains unclear.
The easiest would be (at least I think), to drop everything on the port
where I've detected those "key packets". But I don't know how to obtain
the port number inside the (NF)QUEUE handler.
Do you think, that conntrack helper will help me with it?
* Re: netfilter_queue: how to obtain address info from queued packet
2007-01-23 11:53 ` Michal Martinek
@ 2007-01-23 12:33 ` Cedric Blancher
2007-01-23 12:50 ` Michal Martinek
0 siblings, 1 reply; 10+ messages in thread
From: Cedric Blancher @ 2007-01-23 12:33 UTC (permalink / raw)
To: Michal Martinek; +Cc: netfilter
On Tuesday, 23 January 2007 at 12:53 +0100, Michal Martinek wrote:
> Thanks for help, I've already written some userspace packet analyzer
> acting as a NFQUEUE target, but the problem is, that not all of the
> packets I'd like to handle (mostly drop) are recognizable. It is a video
> stream, in which I can detect only some "key packets", but the rest
> remains unclear.
OK, so if I understand you correctly... You have a video stream
containing key packets you can spot. This video stream occurs on non
predictable ports.
First solution, and apologies to Gáspár, use string match to identify
your key packets. Then mark the entire connection using CONNMARK and
drop it.
Something like:
iptables -t mangle -A FORWARD -m string --string "yourmagic" --algo bm \
-j CONNMARK --set-mark 0x1
iptables -A FORWARD -m connmark --mark 0x1 -j DROP
This means once you've detected a key packet, you'll drop it as well as
all further packets from the same connection.
Second solution, you write a helper. Maybe I don't quite get your
situation, but this stream does not come from nowhere. Its ports have
to be negotiated in some previous connection so your client application
can open the right port. Thus, your helper would follow this negotiation
connection to identify the streaming ports on the fly and block the entire
video stream.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
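The thread's opening question (how to read addresses and ports for a packet handed to an NFQUEUE handler) and the CONNMARK idea in the message above (once a key packet is seen, drop everything on that connection) can both be done in the userspace handler. What follows is an added example written for this page, not code from the thread: libnetfilter_queue's nfq_get_payload() returns the raw packet starting at the IP header and offers no accessor for addresses or ports, so the handler parses the IPv4 and TCP/UDP headers itself, then keeps its own table of marked connections. It assumes IPv4 only, a hypothetical key-packet marker "KEYFRAME", and constructed UDP packets in place of a live queue; the NF_DROP/NF_ACCEPT values match linux/netfilter.h.

```c
/* Added example, not from the thread: parse the raw packet that
 * libnetfilter_queue hands a userspace handler (nfq_get_payload()
 * returns it starting at the IP header) and give a per-connection
 * verdict. Assumptions: IPv4 only, hypothetical marker "KEYFRAME",
 * packets constructed inline instead of read from a queue. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NF_DROP   0   /* same values as linux/netfilter.h */
#define NF_ACCEPT 1

struct flow {                 /* 5-tuple, host byte order */
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  proto;
};

static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Extract the 5-tuple and the L4 payload from an IPv4 packet.
 * Returns 0 on success, -1 for truncated, non-IPv4 or non-TCP/UDP packets. */
int parse_flow(const uint8_t *pkt, size_t len, struct flow *f,
               const uint8_t **payload, size_t *plen)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = rd16(pkt + 2);
    if (ihl < 20 || ihl > total || total > len) return -1;   /* bounds before any field read */
    f->proto = pkt[9];
    f->saddr = rd32(pkt + 12);
    f->daddr = rd32(pkt + 16);
    size_t l4hdr;
    if (f->proto == 6) {                    /* TCP: header length from data offset nibble */
        if (total - ihl < 20) return -1;
        l4hdr = (size_t)(pkt[ihl + 12] >> 4) * 4;
        if (l4hdr < 20) return -1;
    } else if (f->proto == 17) {            /* UDP: fixed 8-byte header */
        l4hdr = 8;
    } else {
        return -1;
    }
    if (ihl + l4hdr > total) return -1;
    f->sport = rd16(pkt + ihl);
    f->dport = rd16(pkt + ihl + 2);
    *payload = pkt + ihl + l4hdr;
    *plen = total - ihl - l4hdr;
    return 0;
}

/* Userspace stand-in for CONNMARK: connections that carried a key packet,
 * matched in either direction. */
#define MAX_BLOCKED 64
static struct flow blocked[MAX_BLOCKED];
static size_t nblocked;

static int same_conn(const struct flow *a, const struct flow *b)
{
    if (a->proto != b->proto) return 0;
    return (a->saddr == b->saddr && a->daddr == b->daddr && a->sport == b->sport && a->dport == b->dport)
        || (a->saddr == b->daddr && a->daddr == b->saddr && a->sport == b->dport && a->dport == b->sport);
}

int is_blocked(const struct flow *f)
{
    for (size_t i = 0; i < nblocked; i++)
        if (same_conn(&blocked[i], f)) return 1;
    return 0;
}

static int contains(const uint8_t *hay, size_t hlen, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= hlen; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Verdict for one queued packet; a real nfq callback passes the result to
 * nfq_set_verdict(). Malformed or non-TCP/UDP packets are accepted here
 * (fail open); return NF_DROP instead to fail closed. */
int verdict(const uint8_t *pkt, size_t len, const char *magic)
{
    struct flow f; const uint8_t *data; size_t dlen;
    if (parse_flow(pkt, len, &f, &data, &dlen) < 0) return NF_ACCEPT;
    if (is_blocked(&f)) return NF_DROP;
    if (contains(data, dlen, magic)) {
        if (nblocked < MAX_BLOCKED) blocked[nblocked++] = f;
        return NF_DROP;                     /* the key packet itself is dropped too */
    }
    return NF_ACCEPT;
}

/* Constructed IPv4/UDP packet for testing (checksums left zero). */
size_t build_udp(uint8_t *buf, uint32_t saddr, uint16_t sport,
                 uint32_t daddr, uint16_t dport, const char *data)
{
    size_t dlen = strlen(data), total = 28 + dlen;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = 17;
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(daddr >> (24 - 8 * i));
    }
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[24] = (uint8_t)((8 + dlen) >> 8); buf[25] = (uint8_t)(8 + dlen);
    memcpy(buf + 28, data, dlen);
    return total;
}

int main(void)
{
    uint8_t p[128];
    const char *stream[] = { "setup", "xxKEYFRAMExx", "opaque data" };
    for (int i = 0; i < 3; i++) {
        size_t n = build_udp(p, 0xc0a80001, 40000, 0xc0a80002, 5004, stream[i]);
        printf("packet %d: %s\n", i, verdict(p, n, "KEYFRAME") == NF_DROP ? "DROP" : "ACCEPT");
    }
    return 0;
}
```

Two caveats apply equally to this handler and to the iptables string match it mirrors: the marker is only found when it lies inside one packet, so a key packet split across TCP segments or IP fragments is missed unless the traffic is reassembled first; and the blocked-connection table never expires entries, whereas a conntrack mark goes away with the conntrack entry, so a long-running handler needs its own timeout or a bounded eviction policy.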
* Re: netfilter_queue: how to obtain address info from queued packet
2007-01-23 12:33 ` Cedric Blancher
@ 2007-01-23 12:50 ` Michal Martinek
0 siblings, 0 replies; 10+ messages in thread
From: Michal Martinek @ 2007-01-23 12:50 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
Thanks a lot!
The solution with CONNMARK seems to be exactly what I need. It is also
much better than drop everything on a given port :-).
Have a nice day,
Michal
Cedric Blancher wrote:
> On Tuesday, 23 January 2007 at 12:53 +0100, Michal Martinek wrote:
>> Thanks for help, I've already written some userspace packet analyzer
>> acting as a NFQUEUE target, but the problem is, that not all of the
>> packets I'd like to handle (mostly drop) are recognizable. It is a video
>> stream, in which I can detect only some "key packets", but the rest
>> remains unclear.
>
> OK, so if I understand you correctly... You have a video stream
> containing key packets you can spot. This video stream occurs on non
> predictable ports.
>
> First solution, and apologies to Gáspár, use string match to identify
> your key packets. Then mark the entire connection using CONNMARK and
> drop it.
>
> Something like:
>
> iptables -t mangle -A FORWARD -m string --string "yourmagic" --algo bm \
> -j CONNMARK --set-mark 0x1
> iptables -A FORWARD -m connmark --mark 0x1 -j DROP
>
> This means once you've detected a key packet, you'll drop it as well as
> all further packets from the same connection.
>
> Second solution, you write a helper. Maybe I don't quite get your
> situation, but this stream does not come from nowhere. Its ports have
> to be negotiated in some previous connection so your client application
> can open the right port. Thus, your helper would follow this negotiation
> connection to identify the streaming ports on the fly and block the entire
> video stream.
>
>