I develop an application to inspect packets arriving on a Linux machine. I would like to send to NFQUEUE all the incoming connection packets, and only the incoming ones. Not only --state NEW but also --state ESTABLISHED, RELATED for connections that are initiated by a client.

One last thing: to make the TCP handshake for all ports, I need this rule to work in addition:

iptables -A PREROUTING -t nat -p tcp -m multiport ! --dport 64646 -j REDIRECT --to-ports 1234

Flow example:

  1. ssh connection (port 22) initiated by a client to my server
  2. server passes the SYN to nfqueue and accepts it
  3. redirect rule (22 -> 1234)
  4. python script is listening on port 1234, so SYN/ACK is sent
  5. client gets SYN/ACK and returns ACK
  6. server passes the ACK to nfqueue and accepts it
  7. redirect rule (22 -> 1234)
  8. the client returns ACK, DATA
  9. server passes the ACK/DATA to nfqueue
  10. redirect rule (22 -> 1234)
  11. server does not know the protocol and always returns the same message; the connection is closed.

Any help would be very appreciated.

Thank you!

I found the solution, in case it interests someone.

# Accept our ssh on a modified port
iptables -A PREROUTING -t raw -p tcp --dport 64646 -j ACCEPT

# Mark all packets of incoming NEW connection with mark 1 (netfilter connmark)
iptables -A PREROUTING -t mangle -m state --state NEW -j CONNMARK --set-mark 1

# Push into nfqueue all marked packets (netfilter nfqueue)
iptables -A PREROUTING -t mangle -m connmark --mark 1 -j NFQUEUE --queue-num 0

# Redirect all incoming connections to the userland listener to make TCP handshake
iptables -A PREROUTING -t nat -p tcp --match multiport ! --dport 64646 -j REDIRECT --to-ports 1234

Finally, all the incoming packets go into nfqueue, but if I work on the machine (update, upgrade, install...) the packets do not match the rules. In addition, the redirection applies after the nfqueue decision, so I log the base port (not 1234).
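For readers who want to see what a handler bound to queue 0 actually receives under these rules, here is an added example (my own code, not the poster's script). It decodes the IPv4 and TCP headers from the raw bytes NFQUEUE delivers, maps each packet onto the steps of the flow in the question, and always accepts so the nat REDIRECT can take over. Assumptions not taken from the post: queue number 0, IPv4 only, the python-netfilterqueue package for the live path, a hypothetical log-line format, and constructed sample packets built from documentation addresses. Because the queue hook sits in mangle PREROUTING, before nat, the destination port decoded is the original one (22), not 1234, which is exactly what the poster observes.

```python
"""Packet logger for the NFQUEUE rules above (added example, not the poster's script).

Assumptions not taken from the post: queue number 0 (as in the rules), IPv4 only,
the python-netfilterqueue package for the live path, and a hypothetical one-line
log format.  The queue hook sits in mangle PREROUTING, i.e. before the nat
REDIRECT, so the destination port decoded here is the original one (22), not 1234.
"""
import socket
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits, low to high (RFC 793); sorted order gives a stable name list.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


@dataclass
class TcpRecord:
    src: str
    dst: str
    sport: int
    dport: int
    flags: List[str]
    payload: bytes


def parse_ipv4_tcp(raw: bytes) -> Optional[TcpRecord]:
    """Decode IPv4 + TCP headers from the bytes NFQUEUE hands to the callback.

    Returns None for anything that is not IPv4/TCP: the mangle rule queues every
    marked packet regardless of protocol, so UDP, ICMP and IPv6 also arrive here.
    """
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6 or len(raw) < ihl + 20:          # protocol 6 = TCP
        return None
    src = socket.inet_ntoa(raw[12:16])
    dst = socket.inet_ntoa(raw[16:20])
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4                  # TCP header length incl. options
    flags = [name for bit, name in sorted(TCP_FLAGS.items()) if off_flags & bit]
    payload = raw[ihl + data_off:min(total_len, len(raw))]
    return TcpRecord(src, dst, sport, dport, flags, payload)


def classify(rec: TcpRecord) -> str:
    """Map a packet onto the steps of the flow in the question."""
    if "SYN" in rec.flags and "ACK" not in rec.flags:
        return "syn"                # step 2: client opens the connection
    if rec.payload:
        return "data"               # step 9: first payload, the part worth logging
    if "ACK" in rec.flags:
        return "handshake-ack"      # step 6: bare ACK completing the handshake
    return "other"                  # FIN/RST without data, etc.


def format_log(rec: TcpRecord) -> str:
    """One log line per packet (hypothetical format)."""
    return (f"{rec.src}:{rec.sport} -> {rec.dst}:{rec.dport} "
            f"[{'/'.join(rec.flags)}] {classify(rec)} "
            f"len={len(rec.payload)} data={rec.payload[:32]!r}")


def build_packet(src: str, dst: str, sport: int, dport: int,
                 flag_bits: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4/TCP packet for offline testing.
    Checksums are left zero: the parser never validates them, the kernel does."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flag_bits,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Constructed sample traffic (documentation addresses, not captured data):
# the three client-side packets of the flow in the question, original port 22.
SAMPLE_PACKETS = [
    build_packet("203.0.113.7", "198.51.100.10", 40000, 22, 0x02),                     # SYN
    build_packet("203.0.113.7", "198.51.100.10", 40000, 22, 0x10),                     # ACK
    build_packet("203.0.113.7", "198.51.100.10", 40000, 22, 0x18, b"SSH-2.0-x\r\n"),   # PSH/ACK + data
]


def handle(pkt) -> None:
    """NFQUEUE callback: log, then always accept so nat REDIRECT can take over."""
    rec = parse_ipv4_tcp(pkt.get_payload())
    if rec is not None:
        print(format_log(rec))
    pkt.accept()


if __name__ == "__main__":
    for raw in SAMPLE_PACKETS:                          # offline demonstration
        print(format_log(parse_ipv4_tcp(raw)))
    if len(sys.argv) > 1 and sys.argv[1] == "--live":   # needs root and the rules above
        from netfilterqueue import NetfilterQueue
        nfq = NetfilterQueue()
        nfq.bind(0, handle)
        nfq.run()
```

Run it without arguments to see the three constructed packets decoded; `--live` binds to queue 0 and requires root plus the rules above. Two checks worth doing on this setup: the handler must return a verdict for every packet, since anything left unanswered in the queue stalls in the kernel, and a non-TCP packet must still be accepted rather than raising. Note also that ACCEPT in the raw table only ends traversal of that table, so the 64646 SYN still reaches the mangle CONNMARK rule and the queue; the admin port keeps working because the nat rule excludes it from REDIRECT, not because of the raw-table rule.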

If you want to match all the incoming packets from new or established connections, but only from your clients, you should use something like this:

iptables -A INPUT -d <your_ip_address> -s <your_client_net>/<mask> -i <your_eth> -j <nfqueue stuff>

Actually I don't understand what you mean by:

to make the TCP handshake for all ports, I need this rule to work

Could you clarify what you are trying to accomplish?

  • The idea of the project is to make a passive network listener. Clients (malware trying to scan the network) are on the internet + our LAN; I do not know the IPs in advance. In user space I have a Python script that listens on TCP port 1234 AND an nfqueue packet handler that logs all packet information + data. I want to capture the packets coming from the client, and especially the ACK / DATA packet. – vx3r Apr 26 '18 at 09:06
  • You can redirect packets only if your server is the destination or is the gateway of your clients. If you redirect to a socket with a Python script you don't need nfqueue to log packet data; you already have the socket information. Additionally, you are not going to inspect at layer 7, just replying with a default message and ignoring any handshake: use tcpdump instead! – Simone Zabberoni Apr 26 '18 at 16:55
  • Packets are coming to my box, so it's OK for redirection. A Python socket cannot log the SYN packet. Tcpdump is not a solution. Is it not possible to do what I want with iptables (conntrack)? – vx3r Apr 26 '18 at 17:22
  • If you want to capture full packet information, tcpdump is your answer. If you want to stick to your setup, use iptables to redirect all inbound connections (do not cut yourself out) to a nfqueue. Bind your script to the nfqueue and implement the default message in scapy. Obviously you will get only the first data packet from your clients and you will only get cleartext protocol payloads. You mentioned port 22: you'll get the first payload of the ID exchange... same goes for https and so on. Actually I still don't understand your "target": what do you expect from the first data packet? – Simone Zabberoni Apr 26 '18 at 17:41