Packet Mangling Utilities Besides Iptables

Packet mangling utilities besides iptables?

I haven't used it, but the QUEUE netfilter target looks like it might work. It uses a netlink socket and a userspace application registered to the socket to perform the payload modifications.

The libipq man page contains details on how to use this and provides a simple example.

SNMP payload address translation

Possible DIY solution from Robert Gamble here: Packet mangling utilities besides iptables?

Updates and more praise to come after a bit of unit testing -- thanks, Robert!

Packet Redirection on Windows

From the MSDN:

Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running.

You can redirect connections coming to any port to another local (or remote) port with the command:

netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport

Also, as stated in this SO post, netsh is a good replacement for iptables on Windows.

RFC 2694 DNS_ALG implementation on NAT (iptables), anyone?

The QUEUE and NFQUEUE iptables targets pass the packet to a user-mode process, which is then free to drop the packet or modify it before sending on its way. The netfilter project provides a C library to take care of getting packets in/out of the kernel for you; there are high-level bindings available too (python-libnetfilter-queue and nfqueue-bindings cater for Python and Perl respectively).

Alternatively, write a proxy to sit in front of your nameserver.

BPF: mark in structure __skbuff is not writeable?

The issue is in your tc commands. You are attaching your filter on the egress side.

The root parent refers to the egress side, used for traffic shaping. If instead you want to attach your filter on the ingress side, you should use something like this (no handle needed):

# tc qdisc add dev <myInterface> ingress
# tc filter add dev <myInterface> ingress bpf obj bpf.o direct-action

Or, better practice, use the BPF-specific qdisc clsact, which can be used to attach filters for both ingress and egress (not much documentation on it, besides its commit log and Cilium's BPF documentation (search for clsact)):

# tc qdisc add dev <myInterface> clsact
# tc filter add dev <myInterface> ingress bpf obj bpf.o direct-action

Is there a way for non-root processes to bind to privileged ports on Linux?

Okay, thanks to the people who pointed out the capabilities system and CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:

setcap 'cap_net_bind_service=+ep' /path/to/program

And then anytime program is executed thereafter it will have the CAP_NET_BIND_SERVICE capability. setcap is in the debian package libcap2-bin.

Now for the caveats:

  1. You will need at least a 2.6.24 kernel
  2. This won't work if your file is a script (i.e. uses a #! line to launch an interpreter). In this case, as far as I understand, you'd have to apply the capability to the interpreter executable itself, which of course is a security nightmare, since any program using that interpreter will have the capability. I wasn't able to find any clean, easy way to work around this problem.
  3. Linux will disable LD_LIBRARY_PATH on any program that has elevated privileges like setcap or suid. So if your program uses its own .../lib/, you might have to look into another option like port forwarding.


  • capabilities(7) man page. Read this long and hard if you're going to use capabilities in a production environment. There are some really tricky details of how capabilities are inherited across exec() calls that are detailed here.
  • setcap man page
  • "Bind ports below 1024 without root on GNU/Linux": The document that first pointed me towards setcap.

Note: RHEL first added this in v6.
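A verification step to pair with the setcap command above, written as an added example rather than code from the original answer: decode the capability sets a process reports in /proc/<pid>/status and confirm CAP_NET_BIND_SERVICE (capability number 10) is in the effective set, which is the "e" in "+ep". The /proc excerpts are constructed; the field names and the capability number are real, everything else is illustrative.

```python
#!/usr/bin/env python3
"""Decode a process's capability sets from /proc/<pid>/status (added example).

After `setcap 'cap_net_bind_service=+ep' /path/to/program`, a process started
from that binary shows bit 10 set in CapPrm and CapEff. Running the same logic
from a #! script shows the bit missing: the file capability is not applied to
the interpreter, which is caveat 2 in the answer above.
"""
import os

CAP_NET_BIND_SERVICE = 10  # capability number from linux/capability.h
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def parse_cap_sets(status_text):
    """Return {set_name: int bitmask} for the Cap* lines of a status file."""
    sets = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in CAP_SETS:
            sets[key] = int(value.strip(), 16)  # /proc prints 64-bit hex
    return sets


def has_cap(mask, cap_number):
    """True if capability `cap_number` is present in the bitmask."""
    return bool((mask >> cap_number) & 1)


def can_bind_low_ports(status_text):
    """True only if CAP_NET_BIND_SERVICE is in the *effective* set.
    A root process has every bit set, so it passes without special-casing;
    a cap that is merely permitted (+p) does not count."""
    sets = parse_cap_sets(status_text)
    return has_cap(sets.get("CapEff", 0), CAP_NET_BIND_SERVICE)


# Constructed /proc/<pid>/status excerpts, not captured from a real host.
STATUS_NO_CAPS = (
    "Name:\tprogram\nUid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)
# Same process after setcap ...=+ep: bit 10 (0x400) in permitted and effective.
STATUS_SETCAP = STATUS_NO_CAPS.replace("CapPrm:\t0000000000000000", "CapPrm:\t0000000000000400") \
                              .replace("CapEff:\t0000000000000000", "CapEff:\t0000000000000400")
# Permitted only (+p): the cap exists but is not effective, so bind() still fails.
STATUS_PERMITTED_ONLY = STATUS_NO_CAPS.replace("CapPrm:\t0000000000000000", "CapPrm:\t0000000000000400")

if __name__ == "__main__":
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as f:
            print("this process can bind ports < 1024:", can_bind_low_ports(f.read()))
    for name, text in (("no caps", STATUS_NO_CAPS), ("+ep", STATUS_SETCAP), ("+p", STATUS_PERMITTED_ONLY)):
        print(f"{name:>8}: {can_bind_low_ports(text)}")
```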
