Re: Filter or change tcp packets

Hello,

Nowitzki Rados wrote:
> Hello, I need to filter packets that are coming from a certain server (IP
> address/port number). The server sends packets to my client program, but some of
> those packets cause the client to crash (those packets are generated by other
> server users because of a hole in the chat program). So I tried to configure iptables to search the data section of TCP packets coming from that IP address
> and if it finds the "unwanted pattern that crashes the client", it should drop
> the packets. I managed to do that, but it seems like it was a bad solution.

As Rick said, a better solution would be to patch/fix/update the client or stop using that service.

> Problem is that when a packet from the server is dropped by iptables, my client
> application stops working properly (I think it stops communication with the server
> because of packet loss, but I am not sure). I read that when iptables drops a
> packet it does not notify the sender about it.

The REJECT target can notify the sender with various ICMP error types or a TCP reset. A TCP reset would close the connection; not sure about ICMP error types.

> Does that mean that the sender
> continues to send the same packet over and over again? (and because there is no
> response from the client side they stop communicating).

Yes, TCP segments need to be acknowledged by the receiver.

> If that is true, is there any way to drop a packet and to tell the server to send the
> next one? Although I can see another problem there, because if that happens the
> client side would have the wrong sequence number for the next packet? Anyone have an
> idea how I could solve this problem?
> I also thought about changing the TCP packet data. Is there any way to do
> something like this:
> - when a packet arrives, a program (or iptables) searches for the pattern in its data
> - if the pattern is found, the program (or iptables, but I doubt it has that feature)
> changes the data in the TCP packet, so that the "unwanted pattern that causes the buffer
> overflow" is removed from it.
> - the changed packet is forwarded to the client like nothing happened

I guess this could be done with the QUEUE target in iptables, which queues packets to userland. I cannot tell more about this. However, there is no guarantee that the whole pattern is contained in a single segment; it could be split across two segments.

A better solution would be to use a proxy which would do the filtering (matching and mangling) in the data stream at application level rather than with iptables.
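As an added illustration of the application-level proxy approach suggested above (example code, not from this thread or from any project mentioned in it), here is a small TCP proxy in Python that sits between the client and the chat server, strips a crash-triggering byte pattern from the server-to-client stream, and copes with the pattern being split across two segments by holding back the last len(pattern)-1 bytes until more data arrives. The listen port, server address and pattern bytes are placeholders.

```python
import asyncio

class StreamFilter:
    """Strip every occurrence of `pattern` from a byte stream, even when an
    occurrence is split across two reads (TCP segments)."""

    def __init__(self, pattern: bytes, replacement: bytes = b""):
        if not pattern:
            raise ValueError("pattern must not be empty")
        self.pattern, self.replacement, self.buf = pattern, replacement, b""

    def feed(self, chunk: bytes) -> bytes:
        cleaned = (self.buf + chunk).replace(self.pattern, self.replacement)
        # A match continuing into the next segment uses at most len(pattern)-1
        # bytes of this one, so only that tail is held back for the next read.
        cut = max(len(cleaned) - (len(self.pattern) - 1), 0)
        self.buf = cleaned[cut:]
        return cleaned[:cut]

    def flush(self) -> bytes:
        out, self.buf = self.buf, b""  # stream ended: release the held tail
        return out

async def pump(reader, writer, flt=None):
    """Copy one direction of the connection, through the filter if given."""
    try:
        while data := await reader.read(4096):
            writer.write(flt.feed(data) if flt else data)
            await writer.drain()
        if flt:
            writer.write(flt.flush())
            await writer.drain()
    finally:
        writer.close()

async def serve(listen_port, server_host, server_port, pattern):
    """Accept local clients and relay them to the real server; only the
    server -> client direction (the one carrying the bad payload) is filtered."""
    async def handle(c_reader, c_writer):
        s_reader, s_writer = await asyncio.open_connection(server_host, server_port)
        await asyncio.gather(pump(s_reader, c_writer, StreamFilter(pattern)),
                             pump(c_reader, s_writer))
    server = await asyncio.start_server(handle, "127.0.0.1", listen_port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    # Placeholder values: point the client at 127.0.0.1:6667 instead of the real server.
    asyncio.run(serve(6667, "chat.example.invalid", 6667, b"<CRASH-PATTERN>"))
```

The filter only rewrites the server-to-client stream; everything the client sends is relayed unchanged.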