  1. #1
    Just Joined!
    Join Date
    Jul 2010
    Posts
    6

    Kernel doesn't allow to change source IP


    Hi all,

    I'm trying to create packets with modified source and destination IPs and ports. Well, I'm using a raw socket from <sys/socket.h> to do this. I create it, everything is fine, but when I send the packet, I see with Wireshark that the source IP is not the spoofed one, but the real one. It means that, before sending the packet, something in the kernel is making this change. Does someone know which part of the kernel is doing this and how I can deactivate it?
    Also, my distro: Debian Sid.

    Thanks in advance.
    Pedro Paganela

  2. #2
    Linux Engineer Kloschüssel's Avatar
    Join Date
    Oct 2005
    Location
    Italy
    Posts
    773
    Can't tell what you're doing without a code sample. Anyway, from my understanding a socket would not allow you to change such things.

  3. #3
    Just Joined!
    Join Date
    Jul 2010
    Posts
    6
    Well, here is the main part of the code:


    Code:
    #include <arpa/inet.h>        // inet_addr, htons
    #include <linux/netfilter.h>  // NF_ACCEPT
    #include <netinet/ip.h>       // struct iphdr
    #include <netinet/udp.h>      // struct udphdr
    #include <sys/socket.h>       // socket, setsockopt, sendto
    #include <unistd.h>           // close
    #include <cstdio>             // perror
    #include <cstdlib>            // malloc, free, exit
    #include <cstring>            // memcpy, memset

    unsigned int RedirectPacketSystem::sendUdpPacket() {
    	// Work on a copy so the captured packet buffer is left untouched.
    	Packet *packet = InterfaceFeatures::getPacket();
    	char *newPacket = (char*)malloc(sizeof(char)*packet->getPktSize());
    	memcpy(newPacket, packet->getPkt(), packet->getPktSize());
    	struct iphdr *ipHeader = (struct iphdr*)newPacket;
    	struct udphdr *udpHeader = (struct udphdr*)(newPacket + packet->getIpv4Packet()->getIpHeaderSize());
    	// Rewrite addresses and ports in the copied headers.
    	ipHeader->daddr = inet_addr("200.200.200.200");
    	ipHeader->saddr = inet_addr("201.201.201.201");
    	udpHeader->dest = htons(200);
    	udpHeader->source = htons(201);
    	// Destination passed to sendto(); for a raw socket only sin_addr matters, sin_port is not used.
    	struct sockaddr_in sin;
    	memset(&sin, 0, sizeof(sin));
    	sin.sin_family = AF_INET;
    	sin.sin_port = htons(200);
    	sin.sin_addr.s_addr = inet_addr("200.200.200.200");
    	ipHeader->check = 0x00;  // a zero IP checksum is filled in by the kernel when IP_HDRINCL is set
    	udpHeader->check = 0x00; // zero means "no checksum" for UDP over IPv4
    	int sd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
    	if(sd < 0) {
    		perror("Feature Redirection socket() error");
    		exit(-1);
    	}
    	// Tell the kernel the buffer already contains the IP header.
    	const int on = 1;
    	if(setsockopt(sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
    		perror("Feature Redirection setsockopt() error");
    		exit(-1);
    	}
    	if(sendto(sd, newPacket, packet->getPktSize(), 0, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
    		perror("Feature Redirection sendto() error");
    		exit(-1);
    	}
    	close(sd);
    	free(newPacket);
    	return(NF_ACCEPT);
    }
    Also, the only field inside the IP header that the system changed afterwards was the source IP (and by consequence the IP checksum); for all the other fields it accepted the spoofing (destination IP, source port, etc.). And I have to say, my solution is totally based on this tutorial:
    hxx p://ww w.enderunix .org/docs/ en/rawips poof/ (srr I'm not allowed to post URLs)

    Thanks in advance.
    Pedro Paganela

  5. #4
    Linux Engineer Kloschüssel's Avatar
    Join Date
    Oct 2005
    Location
    Italy
    Posts
    773
    This explains why it is not working and how it can be done:

    Linux IP Networking: A Guide to the Implementation and Modification of the Linux Protocol Stack

    The short form is: the sockets won't allow you to do such things. Sockets are high-level entry points that ease networking for programmers. For sniffing, relaying and packet injection one has to implement things closer to the hardware. Refer to the ISO/OSI layers for that information.
    Last edited by Kloschüssel; 07-16-2010 at 07:19 AM.

  6. #5
    Just Joined!
    Join Date
    Jul 2010
    Posts
    6
    Hi Kloschüssel,

    Thanks for the attention, but I really think that you are wrong, because, first of all, I tried similar code on FreeBSD and it worked; also, raw sockets SHOULD give you the ability to change such fields (obviously you need to run the code as root). Today I will try on another distro (Fedora) and I will return with the results. I'm pretty sure that it is something with Debian Sid, not with raw sockets.

    Regards
    Pedro

  7. #6
    Just Joined!
    Join Date
    Jul 2010
    Posts
    6
    Hi all,

    Well, I tried the same code on Fedora and it didn't work either. Maybe I'm forgetting something. As I didn't find any solution, except the solution used by NMAP, I will read how this tool does it and I will post here.
    Also, I found a guy with the same problem "ht tp:/ /forum.codecall.net/c-c/22882-question-about-raw-sockets-ip-spoofing-c.h tml" (sorry, I still can't post links).

    Regards
    Pedro Paganela

  8. #7
    Just Joined!
    Join Date
    Jul 2010
    Posts
    6
    Hi all,

    A university friend found the problem: I forgot to clean the iptables :-/, there were some MASQUERADE rules there.

    Thanks to all, in special the guy that found the solution,
    Pedro Paganela
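The resolution above points at a check worth doing before blaming the socket layer. As an added example that is not code from this thread, the Python below parses `iptables-save` output (a constructed sample is embedded; on a real host feed it `iptables-save -t nat`) for nat POSTROUTING rules whose MASQUERADE or SNAT target rewrites the source address of outgoing packets, and reports which rule would match a given source address and egress interface. The function names and the sample rules are assumptions.

```python
import ipaddress

# Constructed iptables-save output (not from the thread). The blanket
# MASQUERADE on eth0 is the kind of rule that rewrites a packet's source address.
SAMPLE_IPTABLES_SAVE = """\
*filter
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/8 -o wlan0 -j SNAT --to-source 10.0.0.5
COMMIT
"""

def parse_source_rewrites(dump):
    """Return nat POSTROUTING rules (as dicts) whose target rewrites the source address."""
    rules, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):            # start of a table section
            table = line[1:]
        elif line == "COMMIT":              # end of the current table
            table = None
        elif table == "nat" and line.startswith("-A POSTROUTING "):
            toks = line.split()
            rule = {"source": None, "out_iface": None, "target": None}
            for i, tok in enumerate(toks[:-1]):
                if tok == "-s":
                    rule["source"] = ipaddress.ip_network(toks[i + 1], strict=False)
                elif tok == "-o":
                    rule["out_iface"] = toks[i + 1]
                elif tok == "-j":
                    rule["target"] = toks[i + 1]
            if rule["target"] in ("MASQUERADE", "SNAT"):
                rules.append(rule)
    return rules

def explain_rewrite(rules, src_ip, out_iface):
    """Return the first rule that would rewrite src_ip leaving via out_iface, else None."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["source"] is not None and ip not in rule["source"]:
            continue
        if rule["out_iface"] is not None and rule["out_iface"] != out_iface:
            continue
        return rule
    return None
```

A matching rule explains a rewritten source address without any involvement of the raw socket; negated matches (`! -s`) and other match extensions are not handled here.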
