【Question title】: Netfilter kernel module to intercept packets and log them
【Posted】: 2016-09-10 13:57:10
【Question】:

I have a basic piece of code. This code drops and logs all incoming and outgoing packets. I want to write a netfilter kernel module that intercepts packets and logs them in the kernel log. It should be able to detect different types of TCP-based reconnaissance packets (e.g. show 1 or 2). The module should detect these packets and log them to the kernel log. I don't want to filter the packets, just identify and log them.

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

static struct nf_hook_ops nfho;         //struct holding set of hook function options

//function to be called by hook
unsigned int hook_func(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
  printk(KERN_INFO "packet dropped\n");                                             //log to var/log/messages
  return NF_DROP;                                                                   //drops the packet
}

//Called when module loaded using 'insmod'
int init_module()
{
  nfho.hook = hook_func;                       //function to call when conditions below met
  nfho.hooknum = NF_IP_PRE_ROUTING;            //called right after packet received, first hook in Netfilter
  nfho.pf = PF_INET;                           //IPV4 packets
  nfho.priority = NF_IP_PRI_FIRST;             //set to highest priority over all other hook functions
  nf_register_hook(&nfho);                     //register hook

  return 0;                                    //return 0 for success
}

//Called when module unloaded using 'rmmod'
void cleanup_module()
{
  nf_unregister_hook(&nfho);                     //cleanup – unregister hook
}

【Question comments】:

    Tags: c linux tcp linux-kernel netfilter


    【Answer 1】:

    First of all, this module only drops incoming packets. The reason is the following line: nfho.hooknum = NF_IP_PRE_ROUTING;. As for your question: I don't understand what "reconnaissance-based packets" are, but you can extract all the data from the packet and show it in the kernel log. For example:

    #include <linux/kernel.h>
    #include <linux/module.h>
    #include <linux/netfilter.h>
    #include <linux/netfilter_ipv4.h>
    #include <linux/ip.h>
    #include <linux/tcp.h>
    
    static struct nf_hook_ops nfho;         //struct holding set of hook function options
    
    //function to be called by hook
    unsigned int hook_func(unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
    {
      struct iphdr *ip_header = ip_hdr(skb);  //IPv4 header; source/dest addresses are ip_header->saddr / ip_header->daddr (network byte order)
      struct tcphdr *tcp_header;
      if (ip_header->protocol == IPPROTO_TCP)
      {
        printk(KERN_INFO "TCP Packet\n");
        //Locate the TCP header from the IP header length (ihl is in 32-bit words) rather than
        //skb_transport_header()+20: a fixed +20 is wrong whenever the IP header carries options,
        //and this form is correct whether or not the transport header has been set yet
        tcp_header = (struct tcphdr *)((unsigned char *)ip_header + ip_header->ihl * 4);
        printk(KERN_INFO "Source Port: %u\n", ntohs(tcp_header->source)); //ports are big-endian on the wire; dest port: ntohs(tcp_header->dest)
      }
      return NF_ACCEPT;                                                                   //accept the packet
    }
    
    //Called when module loaded using 'insmod'
    int init_module(void)
    {
      int ret;
      nfho.hook = hook_func;                       //function to call when conditions below met
      nfho.hooknum = NF_INET_PRE_ROUTING;          //called right after packet received, first hook in Netfilter (incoming packets only)
      nfho.pf = PF_INET;                           //IPV4 packets
      nfho.priority = NF_IP_PRI_FIRST;             //set to highest priority over all other hook functions
      ret = nf_register_hook(&nfho);               //register hook; check the result so cleanup never unregisters a hook that was not registered
      if (ret < 0)
        printk(KERN_ERR "nf_register_hook failed: %d\n", ret);
    
      return ret;                                  //0 for success, negative errno otherwise
    }
    
    //Called when module unloaded using 'rmmod'
    void cleanup_module()
    {
      nf_unregister_hook(&nfho);                     //cleanup – unregister hook
    } 
    

    【Comments】:

    • @MukeshGupta N.B.: it makes sense to check the return value of nf_register_hook(), since otherwise it may lead to unregistering a non-existent hook on unload (in dmesg). There are also more convenient functions such as ip_hdr() and tcp_hdr().
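    As an added illustration (not part of the answer or comment above), the per-packet parsing the hook needs for the asker's goal of logging suspect TCP packets, written as a userspace C program so it runs without a kernel: it locates the TCP header via ihl * 4 rather than a fixed +20, reads the ports in network byte order, and labels the TCP flag pattern. The flag labels, the sample packet and the BE16 helper are constructed here and are not kernel APIs.

```c
/* Userspace model of the per-packet inspection the hook above performs: find
 * the TCP header via the IP header length (ihl * 4, not a fixed +20), read the
 * ports in network byte order, and label the flag pattern (struct iphdr / tcphdr offsets). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_PSH 0x08
#define TH_URG 0x20
#define BE16(p) ((unsigned)((p)[0] << 8 | (p)[1]))   /* ntohs() on raw bytes */

/* Label the flag combination the way a simple logging detector would. */
const char *classify_flags(uint8_t flags)
{
    uint8_t f = flags & 0x3f;                        /* ignore the ECN bits */
    if (f == 0)                          return "null-flags";
    if (f == (TH_FIN | TH_PSH | TH_URG)) return "fin-psh-urg";
    if (f == TH_FIN)                     return "fin-only";
    if (f == TH_SYN)                     return "syn";
    return "normal";
}

/* Parse one IPv4 packet and return the line a hook would printk(), or NULL
 * if it is not TCP or too short to hold both headers (check before reading). */
const char *inspect_packet(const uint8_t *pkt, size_t len)
{
    static char line[96];
    size_t ip_hlen;
    const uint8_t *tcp;
    if (len < 20 || (pkt[0] >> 4) != 4) return NULL;
    ip_hlen = (pkt[0] & 0x0f) * 4;                   /* 20..60 bytes incl. options */
    if (ip_hlen < 20 || pkt[9] != 6 /* IPPROTO_TCP */ || len < ip_hlen + 20) return NULL;
    tcp = pkt + ip_hlen;                             /* kernel: (u8 *)ip_hdr(skb) + ihl*4 */
    snprintf(line, sizeof line, "TCP %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u [%s]",
             pkt[12], pkt[13], pkt[14], pkt[15], BE16(tcp),
             pkt[16], pkt[17], pkt[18], pkt[19], BE16(tcp + 2),
             classify_flags(tcp[13]));
    return line;
}

/* Constructed sample: IPv4 header with four NOP options (ihl = 6, 24 bytes) and
 * a TCP SYN 192.0.2.10:40000 -> 198.51.100.7:22, checksums left zero. A fixed
 * +20 would read the option bytes 0x0101 as the source port instead of 40000. */
static const uint8_t sample_syn[] = {
    0x46, 0x00, 0x00, 0x2c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 10, 198, 51, 100, 7, 0x01, 0x01, 0x01, 0x01,
    0x9c, 0x40, 0x00, 0x16, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, TH_SYN, 0xff, 0xff, 0, 0, 0, 0
};
```

    Calling inspect_packet(sample_syn, sizeof sample_syn) yields "TCP 192.0.2.10:40000 -> 198.51.100.7:22 [syn]", the string a printk() in the hook would emit.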
    【Answer 2】:

    You can simply run the ufw firewall utility (which you should be running all the time anyway).

    To start it:

    sudo ufw enable
    

    Then make sure it is running:

    sudo ufw status
    

    Then turn on logging:

    sudo ufw logging on
    

    Then:

    cd /var/log
    

    Then view the log:

    sudo cat ufw.log
    

    This will give a log of all input/output.

    【Comments】:
