Packet mangling utilities besides iptables?
I haven't used it, but the QUEUE netfilter target looks like it might work. It uses a netlink socket and a userspace application registered to the socket to perform the payload modifications.
The libipq man page contains details on how to use this and provides a simple example.
SNMP payload address translation
Possible DIY solution from Robert Gamble here: Packet mangling utilities besides iptables?
Updates and more praise to come after a bit of unit testing -- thanks, Robert!
Packet Redirection on Windows
From the MSDN:
Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running.
You can redirect connections coming to any port to another local (or remote) port with the command:
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
Also, as stated in this SO post, netsh is a good replacement for iptables on Windows.
RFC 2694 DNS_ALG implementation on NAT (iptables), anyone?
The QUEUE and NFQUEUE iptables targets pass the packet to a user-mode process, which is then free to drop the packet or modify it before sending on its way. The netfilter project provides a C library to take care of getting packets in/out of the kernel for you; there are high-level bindings available too (python-libnetfilter-queue and nfqueue-bindings cater for Python and Perl respectively).
Alternatively, write a proxy to sit in front of your nameserver.
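As an added example (not code from any of the answers above), here is the payload-rewriting half of such a DNS ALG in Python: it walks a DNS reply, following RFC 1035 name compression, and swaps inside A-record addresses for their NAT-mapped outside addresses, which is what an NFQUEUE handler would apply to the UDP payload before re-injecting the packet. The sample reply and the 10.0.0.5 to 203.0.113.7 binding are constructed; the NFQUEUE plumbing and the UDP checksum fix-up are assumed to be handled by whichever binding you use.

```python
import struct
from ipaddress import IPv4Address

def _skip_name(msg, off):
    """Return the offset just past the DNS name starting at `off`.
    Handles plain label sequences and RFC 1035 compression pointers."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def rewrite_a_records(dns, mapping):
    """Rewrite the rdata of A records in a DNS message (bytes) according to
    `mapping` (inside address -> outside address). Everything else is left
    byte-for-byte intact, so the message length does not change."""
    if len(dns) < 12:
        raise ValueError("truncated DNS header")
    buf = bytearray(dns)
    qdcount, ancount, nscount, arcount = struct.unpack_from("!4H", buf, 4)
    off = 12
    for _ in range(qdcount):            # question: QNAME, QTYPE, QCLASS
        off = _skip_name(buf, off) + 4
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addr = str(IPv4Address(bytes(buf[off:off + 4])))
            if addr in mapping:
                buf[off:off + 4] = IPv4Address(mapping[addr]).packed
        off += rdlen
    return bytes(buf)

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

# Constructed sample: a reply saying www.corp.example is 10.0.0.5 (an inside address),
# with the answer name compressed as a pointer back to the question (0xC00C).
SAMPLE_REPLY = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    + _encode_name("www.corp.example") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + IPv4Address("10.0.0.5").packed
)
INSIDE_TO_OUTSIDE = {"10.0.0.5": "203.0.113.7"}   # hypothetical NAT binding
```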
BPF: mark in structure __skbuff is not writeable?
The issue is in your tc commands. You are attaching your filter on the egress side. The root parent refers to the egress side, used for traffic shaping. If instead you want to attach your filter on the ingress side, you should use something like this (no handle needed):
# tc qdisc add dev <myInterface> ingress
# tc filter add dev <myInterface> ingress bpf obj bpf.o direct-action
Or, better practice, use the BPF-specific qdisc clsact, which can be used to attach filters for both ingress and egress (not much documentation on it, besides its commit log and Cilium's BPF documentation (search for clsact)):
# tc qdisc add dev <myInterface> clsact
# tc filter add dev <myInterface> ingress bpf obj bpf.o direct-action
Is there a way for non-root processes to bind to privileged ports on Linux?
Okay, thanks to the people who pointed out the capabilities system and the CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:
setcap 'cap_net_bind_service=+ep' /path/to/program
And then anytime program is executed thereafter it will have the CAP_NET_BIND_SERVICE capability. setcap is in the debian package libcap2-bin.
Now for the caveats:
- You will need at least a 2.6.24 kernel
- This won't work if your file is a script (i.e. uses a #! line to launch an interpreter). In this case, as far as I understand, you'd have to apply the capability to the interpreter executable itself, which of course is a security nightmare, since any program using that interpreter will have the capability. I wasn't able to find any clean, easy way to work around this problem.
- Linux will disable LD_LIBRARY_PATH on any program that has elevated privileges like setcap or suid. So if your program uses its own .../lib/, you might have to look into another option like port forwarding.
Resources:
- capabilities(7) man page. Read this long and hard if you're going to use capabilities in a production environment. There are some really tricky details of how capabilities are inherited across exec() calls that are detailed here.
- setcap man page
- "Bind ports below 1024 without root on GNU/Linux": The document that first pointed me towards setcap.
Note: RHEL first added this in v6.