
Задача:

Модифицировать исходящие пакеты через NFQUEUE.

Доработать скрипт и настроить IPTABLES:

import logging

# Python 2 listing (print statements, the 0L long literal). The page collapsed
# it onto two physical lines and lost text in the middle. Line breaks and
# nesting below are reconstructed from the syntax; every code token is kept
# exactly as published.

# Set the "scapy.runtime" logger to level 49 (one below logging.CRITICAL)
# before scapy is imported.
l=logging.getLogger("scapy.runtime")
l.setLevel(49)
# NOTE(review): `subprocess` is used below but there is no explicit
# `import subprocess` in the visible listing -- presumably it arrives through
# the star import; an explicit import would be safer. TODO confirm.
import os,sys,nfqueue,re,socket
from scapy.all import *
conf.verbose = 0
conf.L3socket = L3RawSocket

# Author's label for this table: "Win7 syn". These four values are written
# into every rebuilt SYN further down (IP.frag, IP.ttl, TCP.window,
# TCP.options) in place of the values the local stack produced.
chars = dict();
chars["ip_frag"] = 0L;
chars["ip_ttl"] = 128;
chars["tcp_window"] = 8192;
chars["tcp_options"] =  [('MSS', 1460), ('NOP', None), ('WScale', 2), ('NOP', None), ('NOP', None), ('SAckOK', '')]

###########################
# MODIFYING FIREWALL
###########################

# Store the original firewall: the output of `iptables-save` is kept in memory
# so it can be written back on exit.
# NOTE(review): shell=True is unnecessary for a fixed command, stderr is piped
# but never read, and the exit status is never checked, so a failed capture
# would later be "restored" as-is.
proc_str = "iptables-save"
proc = subprocess.Popen(proc_str, shell=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
iptables_save = ''
for line in proc.stdout: iptables_save += line

# Create a modified firewall that allows packet capture of outgoing packets only.
# FYI, by altering the outgoing packets' info, the response packets will
# not completely "pair up" with the ones iptables tried to send out,
# so connection tracking has to be broken to change the fingerprint.
# NOTE(review): per the author's comment above, the host runs without its
# normal stateful OUTPUT policy while the script is active; the exact rules
# are in the text the page lost.
#
# NOTE(review): TEXT LOST IN EXTRACTION. The next line fuses the start of the
# re.sub() call with the middle of a comparison from the packet callback.
# The replacement string, the rest of the firewall setup, the definitions of
# `s` and `send_rawsock`, and the head of the callback (the names `process`,
# `payload`, `pkt`, `proto` are used below) are not on the page. The line is
# left exactly as published and is not valid Python.
iptables_save_nfqueue = re.sub(r"OUTPUT(.*)-j ACCEPT", "OUTPUT\g[0] != chars["tcp_options"][0]:
                    # Tail of the callback. Nesting is reconstructed -- TODO
                    # confirm against the original script. The two `break`s
                    # imply an enclosing loop that is not visible.
                    options_are_the_same = False
                    break
                if pkt[TCP].options[1] != chars["tcp_options"][1]:
                    options_are_the_same = False
                    break
            if options_are_the_same:
                # Options already match the table: let the packet through unchanged.
                payload.set_verdict(nfqueue.NF_ACCEPT)
                pass
            else:
                # Drop the queued packet and send a field-by-field copy instead,
                # with frag, ttl, window and TCP options taken from `chars`.
                payload.set_verdict(nfqueue.NF_DROP)
                newpkt = Ether()/IP()/TCP()
                newpkt[IP].version = pkt[IP].version
                newpkt[IP].ihl = pkt[IP].ihl
                newpkt[IP].tos = pkt[IP].tos
                # len is deliberately not copied -- presumably left for scapy
                # to fill in when the packet is built; TODO confirm.
                #newpkt[IP].len = pkt[IP].len
                newpkt[IP].id = pkt[IP].id
                newpkt[IP].flags = pkt[IP].flags
                newpkt[IP].frag = chars["ip_frag"]
                newpkt[IP].ttl = chars["ip_ttl"]
                newpkt[IP].proto = pkt[IP].proto
                newpkt[IP].src = pkt[IP].src
                newpkt[IP].dst = pkt[IP].dst
                newpkt[IP].options = pkt[IP].options
                newpkt[TCP].sport = pkt[TCP].sport
                newpkt[TCP].dport = pkt[TCP].dport
                newpkt[TCP].seq = pkt[TCP].seq
                newpkt[TCP].ack = pkt[TCP].ack
                # dataofs is not copied either (same assumption as len above).
                #newpkt[TCP].dataofs = pkt[TCP].dataofs
                newpkt[TCP].reserved = pkt[TCP].reserved
                newpkt[TCP].flags = pkt[TCP].flags
                newpkt[TCP].window = chars["tcp_window"]
                newpkt[TCP].urgptr = pkt[TCP].urgptr
                newpkt[TCP].options = chars["tcp_options"]
                send_rawsock(newpkt)
                pass
        else:
            # TCP packet that is not a SYN: accepted unchanged.
            #print "TCP NONSYN PACKET"
            payload.set_verdict(nfqueue.NF_ACCEPT)
            pass
    # Check if it is a UDP packet (IP protocol 0x11).
    # NOTE(review): `is` tests identity, not equality; it only works here
    # because CPython caches small ints. `==` is the correct operator.
    elif proto is 0x11:
        #print "UDP PACKET"
        payload.set_verdict(nfqueue.NF_ACCEPT)
        pass
    # Any other protocol: accepted unchanged.
    else:
        #print "OTHER PACKET"
        payload.set_verdict(nfqueue.NF_ACCEPT)
        pass

def main(s):
    """Bind netfilter queue 0 to the `process` callback and run until interrupted.

    `s` is closed on Ctrl-C. Its definition is not in the visible listing;
    presumably it is the raw socket used by `send_rawsock` -- TODO confirm.

    NOTE(review): the saved ruleset is restored only inside the
    KeyboardInterrupt handler. If q.try_run() returns normally, or the
    process is killed, the modified ruleset stays loaded.
    """
    # Declared global but only read in this function.
    global iptables_save
    q = nfqueue.queue()
    q.open()
    q.set_callback(process)
    q.fast_open(0, socket.AF_INET)
    try:
        q.try_run()
    except KeyboardInterrupt:
        print "Exiting..."
        q.unbind(socket.AF_INET)
        q.close()
        s.close()
        # Restore the original firewall.
        # Runs the external `tempfile` command to obtain a file name
        # (presumably debianutils' tempfile(1) -- confirm) and drops the last
        # character of its output, presumably the trailing newline.
        proc_str = "tempfile"
        proc = subprocess.Popen(proc_str, shell=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
        tempfile_name = ''
        for line in proc.stdout: tempfile_name += line
        tempfile_name = tempfile_name[:-1]
        outputFile = open(tempfile_name, "w")
        outputFile.write(iptables_save)
        outputFile.close()
        # NOTE(review): shell command built by string concatenation, result
        # ignored. Passing the saved rules to iptables-restore on stdin with
        # an argument list would avoid both the shell and the temp file.
        os.system('iptables-restore '+tempfile_name)
        os.remove(tempfile_name)

# NOTE(review): a bare `except:` also catches SystemExit and discards the
# actual error, so a failure here is reported only as the fixed message below.
# The restore sequence duplicates the one in main() and would be easier to
# audit as a single helper, ideally called from a `finally` so the ruleset is
# restored on every exit path.
try:
    main(s)
except:
    print "Error: caught main(s) exception"
    # Restore the original firewall (same steps as in main()).
    proc_str = "tempfile"
    proc = subprocess.Popen(proc_str, shell=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
    tempfile_name = ''
    for line in proc.stdout: tempfile_name += line
    tempfile_name = tempfile_name[:-1]
    outputFile = open(tempfile_name, "w")
    outputFile.write(iptables_save)
    outputFile.close()
    os.system('iptables-restore '+tempfile_name)
    os.remove(tempfile_name)

7 лет назад
flyrider