[PATCH] netfilter "Take what you sent to me" target
Emmanuel Roger
winfield@freegates.be
Mon, 21 Feb 2000 23:38:28 +0100
Rusty Russell
wrote:
>
> In message <3886417C.88423CAE@freegates.be> you write:
> > It may be used in defeating/replying to DoS attacks or for fun to test
> > your own machine by
> > eg: portscanning a machine which has this target (it portscans you and
> > return you the correct results).
>
> I like it; it's twisted, but a good example.
>
> If I may make some suggestions:
>
> 1) Any chance for a 0.90 port? Should be easy.
Ported.
> 2) Rename to ipt_MIRROR perhaps?
Better name; my English is not as good as I would like.
> 3) Check that output route is same interface as incoming? (Don't let
> someone use this to break through your firewall!)
Checked.
> 4) Don't need checksum recalc for just swapping src and dst IPs.
Suppressed.
I hope it is correct
now.
Emmanuel
Roger
Changelog
entry
---------------
1999-11-14 Emmanuel Roger
<winfield@freegates.be>
* packet-filter/extensions/ipt_MIRROR.c: Target which resends ip
packets to the
sender with inversed src and dest
address.
---
Hi! I'm a .signature virus! Copy me into your ~/.signature,
please!
---
diff -u -r --new-file netfilter-0.90.1/packet-filter/extensions/Makefile own-netfilter-0.90.1/packet-filter/extensions/Makefile
--- netfilter-0.90.1/packet-filter/extensions/Makefile Sun Jan 30 05:11:06 2000
+++ own-netfilter-0.90.1/packet-filter/extensions/Makefile Mon Feb 21 23:02:33 2000
@@ -1,6 +1,6 @@
#! /usr/bin/make
-PF_EXT_KERN:=tcp udp icmp mac limit REJECT LOG unclean QUEUE state multiport
+PF_EXT_KERN:=tcp udp icmp mac limit REJECT LOG unclean QUEUE state multiport MIRROR
PF_EXT_SLIB:=tcp udp icmp mac limit standard LOG unclean QUEUE state multiport
KERN_TARGETS+=$(foreach T,$(PF_EXT_KERN),packet-filter/extensions/ipt_$(T).o)
SHARED_LIBS+=$(foreach T,$(PF_EXT_SLIB),packet-filter/extensions/libipt_$(T).so)
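Review bot: MIRROR is appended to PF_EXT_KERN only, while PF_EXT_SLIB (which builds the libipt_*.so userspace plugins) is left unchanged and no libipt_MIRROR.c appears elsewhere in this `-r --new-file` diff, so unless a userspace library already exists out of tree the iptables binary will have no way to load a rule with `-j MIRROR`. A target with no options still needs a minimal plugin that registers the name; either add it and list MIRROR in PF_EXT_SLIB, or say in the changelog that userspace support is pending.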
diff -u -r --new-file netfilter-0.90.1/packet-filter/extensions/ipt_MIRROR.c own-netfilter-0.90.1/packet-filter/extensions/ipt_MIRROR.c
--- netfilter-0.90.1/packet-filter/extensions/ipt_MIRROR.c Thu Jan 1 01:00:00 1970
+++ own-netfilter-0.90.1/packet-filter/extensions/ipt_MIRROR.c Mon Feb 21 22:44:10 2000
@@ -0,0 +1,131 @@
+/*
+ This is a module which is used for resending packets with inverted src and dst.
+
+ Based on code from: ip_nat_dumb.c,v 1.9 1999/08/20
+ and various sources.
+
+ Copyright (C) 2000 Emmanuel Roger <winfield@freegates.be>
+
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+ Free Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software Foundation,
+ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/ip.h>
+#include "packet-filter/kernel/ip_tables.h"
+#include <linux/netdevice.h>
+#include <linux/route.h>
+struct in_device;
+#include <net/route.h>
+EXPORT_NO_SYMBOLS;
+
+static int route_mirror(struct sk_buff *skb)
+{
+ struct iphdr *iph = skb->nh.iph;
+ struct rtable *rt;
+
+ if (ip_route_output(&rt, iph->daddr, iph->saddr,
+ RT_TOS(iph->tos) | RTO_CONN,
+ skb->sk ? skb->sk->bound_dev_if : 0)
+ ) {
+ return -EINVAL;
+ }
+ /* check if the interface we are living by is the same as the one we arrived on */
+
+
+ if (strcmp(skb->rx_dev->name, rt->u.dst.dev->name)) {
+ /* Drop old route. */
+ dst_release(skb->dst);
+ skb->dst = &rt->u.dst;
+ return 0;
+ }
+ else return -EINVAL;
+}
+
+static int
+ip_rewrite(struct sk_buff *skb)
+{
+ struct iphdr *iph = skb->nh.iph;
+ u32 odaddr = iph->saddr;
+ u32 osaddr = iph->daddr;
+
+
+ /* Rewrite IP header */
+ iph->daddr = odaddr;
+ iph->saddr = osaddr;
+
+ return 0;
+}
+
+
+static unsigned int ipt_mirror_target(struct sk_buff **pskb,
+ unsigned int hooknum,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *targinfo)
+{
+ if ((*pskb)->dst != NULL)
+ {
+ if (!ip_rewrite(*pskb) && !route_mirror(*pskb))
+ {
+ ip_send(*pskb);
+ return NF_STOLEN;
+ }
+ }
+ return NF_ACCEPT;
+}
+
+#ifdef DEBUG_CONNTRACK
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+static int ipt_mirror_checkentry(const char *tablename,
+ void *targinfo,
+ unsigned int targinfosize,
+ unsigned int hook_mask)
+{
+ if (targinfosize != 0) {
+ DEBUGP("MIRROR: targinfosize %u != 0\n", targinfosize);
+ return 0;
+ }
+
+ return 1;
+}
+
+
+static struct ipt_target ipt_mirror_reg
+= { { NULL, NULL }, "MIRROR", NETFILTER_VERSION,
+ ipt_mirror_target, ipt_mirror_checkentry, THIS_MODULE };
+
+int __init init(void)
+{
+ if (ipt_register_target(&ipt_mirror_reg))
+ return -EINVAL;
+
+ return 0;
+}
+
+void __exit cleanup(void)
+{
+ ipt_unregister_target(&ipt_mirror_reg);
+}
+
+module_init(init);
+module_exit(cleanup);
+
+
+
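Review bot: The interface check in route_mirror is inverted: `strcmp()` returns non-zero when the two device names differ, so the packet is reflected only when the reply route leaves on a different interface than the one it arrived on — exactly the case the check was meant to refuse as a firewall bypass — and the same-interface case returns -EINVAL. On that refusing path the rtable returned by ip_route_output() is also never released, so every rejected packet leaks a route reference; comparing the device pointers directly and calling ip_rt_put(rt) before returning fixes both, as in the rewrite below. Separately, ipt_mirror_target sends the packet back with its TTL untouched, so two hosts both running MIRROR can bounce a single packet between them indefinitely; decrementing the TTL and dropping (or sending TIME_EXCEEDED) at ttl <= 1 bounds that. ipt_mirror_checkentry also accepts any hook_mask, so restricting the target to the PRE_ROUTING/INPUT/FORWARD hooks there is worth considering, and the DEBUGP definition would read better at the top of the file than between two functions.
```c
static int route_mirror(struct sk_buff *skb)
{
	/* … unchanged: ip_route_output() lookup into rt … */

	/* Only reflect when the reply leaves on the interface the packet
	 * arrived on; anything else could carry traffic across the firewall. */
	if (skb->rx_dev == rt->u.dst.dev) {
		/* Drop old route. */
		dst_release(skb->dst);
		skb->dst = &rt->u.dst;
		return 0;
	}
	ip_rt_put(rt);	/* release the reference taken by ip_route_output() */
	return -EINVAL;
}
```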