[CentOS] testing a udp socket with netcat

2012-03-14 Thread Arif Hossain
I've this UDP daemon which is waiting for an incoming UDP datagram. Now
I want to test this daemon with random garbage to see how it behaves. My
UDP daemon is running because it shows on netstat. The problem is, if I
issue the following command for putting a UDP datagram:
$nc -uvvz  

it does not output anything. I have straced the UDP daemon, which does
not return from the recv() call. 

My goal is to put arbitrary data on the UDP socket by netcat. I do not
have any experience regarding netcat so I'm asking if anyone can help me
out with this.

thanks in advance.

-- 
"You have a voice"
The King's Speech

Public Key : $ gpg --keyserver keyserver.ubuntu.com --recv-key C88CFC23


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] testing a udp socket with netcat

2012-03-14 Thread Arif Hossain
On Wed, 2012-03-14 at 08:37 -0500, Les Mikesell wrote:
> On Wed, Mar 14, 2012 at 8:25 AM, Arif Hossain  wrote:
> > I've this UDP daemon which is waiting for an incoming UDP datagram. Now
> > I want to test this daemon with random garbage to see how it behaves. My
> > UDP daemon is running because it shows on netstat. The problem is, if I
> > issue the following command for putting a UDP datagram:
> > $nc -uvvz  
> >
> > it does not output anything. I have straced the UDP daemon, which does
> > not return from the recv() call.
> >
> > My goal is to put arbitrary data on the UDP socket by netcat. I do not
> > have any experience regarding netcat so I'm asking if anyone can help me
> > out with this.
> 
> Do you have iptables running?   The default config would probably
> block your udp traffic.
> 

Here are my iptables rules:

# Generated by iptables-save v1.4.7 on Wed Mar 14 19:58:13 2012
*mangle
:PREROUTING ACCEPT [329554:95268521]
:INPUT ACCEPT [88918:46924677]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7296:1924138]
:POSTROUTING ACCEPT [7296:1924138]
COMMIT
# Completed on Wed Mar 14 19:58:13 2012
# Generated by iptables-save v1.4.7 on Wed Mar 14 19:58:13 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [206514:24743648]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport  -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Wed Mar 14 19:58:13 2012


-- 
"You have a voice"
The King's Speech

Public Key : $ gpg --keyserver keyserver.ubuntu.com --recv-key C88CFC23




Re: [CentOS] testing a udp socket with netcat

2012-03-14 Thread Arif Hossain
On Wed, 2012-03-14 at 14:11 +, Giles Coochey wrote:
> On 14/03/2012 13:59, Arif Hossain wrote:
> > On Wed, 2012-03-14 at 08:37 -0500, Les Mikesell wrote:
> >> On Wed, Mar 14, 2012 at 8:25 AM, Arif Hossain  wrote:
> >>> I've this UDP daemon which is waiting for an incoming UDP datagram. Now
> >>> I want to test this daemon with random garbage to see how it behaves. My
> >>> UDP daemon is running because it shows on netstat. The problem is, if I
> >>> issue the following command for putting a UDP datagram:
> >>> $nc -uvvz  
> >>>
> >>> it does not output anything. I have straced the UDP daemon, which does
> >>> not return from the recv() call.
> >>>
> >>> My goal is to put arbitrary data on the UDP socket by netcat. I do not
> >>> have any experience regarding netcat so I'm asking if anyone can help me
> >>> out with this.
> >> Do you have iptables running?   The default config would probably
> >> block your udp traffic.
> >>
> > Here are my iptables rules:
> >
> > # Generated by iptables-save v1.4.7 on Wed Mar 14 19:58:13 2012
> > *mangle
> > :PREROUTING ACCEPT [329554:95268521]
> > :INPUT ACCEPT [88918:46924677]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [7296:1924138]
> > :POSTROUTING ACCEPT [7296:1924138]
> > COMMIT
> > # Completed on Wed Mar 14 19:58:13 2012
> > # Generated by iptables-save v1.4.7 on Wed Mar 14 19:58:13 2012
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [206514:24743648]
> > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p icmp -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -p tcp -m state --state NEW -m tcp --dport  -j ACCEPT
> > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> > # Completed on Wed Mar 14 19:58:13 2012
> >
> And your INPUT chain rejects everything that is not matched by those
> lines above it.
> 
> You'll need a:
> 
> -A INPUT -p udp --dport  -j ACCEPT in there before you go to REJECT.
> 
> -- 
> Best Regards,

For testing purposes I have flushed all rules in the iptables filter table:

$iptables -t filter --flush

but still, if I try putting data with nc:

$nc -uvv localhost 7160

it outputs:

write error: connection refused. 



[CentOS] How to know if packet is dropped by kernel for udp checksum mismatch

2012-03-16 Thread Arif Hossain
Hi all,

I have a netfilter_queue app which de-obfuscates already obfuscated
UDP packets. The de-obfuscation process ends successfully, but somehow the
packet is not reaching the UDP daemon. I'm suspecting this is happening
because of a UDP checksum mismatch, so I'm wondering how I can get logs
of packets which are dropped because of a UDP checksum mismatch.

I've heard Linux by default drops a packet if it does not have the correct
checksum (if a checksum is present); this behavior can be modified by
recompiling the kernel. Using a custom kernel is not on our agenda.

my platform :
Linux  2.6.32-220.7.1.el6.x86_64 #1 SMP Wed Mar 7 00:52:02 GMT
2012 x86_64 x86_64 x86_64 GNU/Linux




[CentOS] bridge connection and two linux servers

2012-04-16 Thread Arif Hossain
I need to set up following network architecture :


   Internet
^
+-+ |  +--+
|  Centos6-1  | |  |  Centos6-2   |
|  + eth0 + +  |  |
| (br0)|  ||  |
|  + eth1 ++ eth0 |
+-++--+
 ( cable connection )


Two public IPs are to be configured as follows:

- **eth0** and **eth1** of **Centos6-1** are to be configured as a bridge
  with IP1
- **Centos6-1** can be accessed with IP1
- **eth0** of **Centos6-2** is configured with IP2
- any request destined to IP2 will flow through **Centos6-1**

How can I accomplish this feat?



There is a service running in the second server. This service will bind to
IP2. What will happen


If I do the following in box1:

brctl addbr br0
ifdown eth0
ifdown eth1
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
ifconfig br0 IP1 

would it do what I want?

Thanks in advance.

-- 
-aft


Re: [CentOS] bridge connection and two linux servers

2012-04-17 Thread Arif Hossain
I think I've failed to describe what I'm trying to do, so I'm describing it
again.

The client will send requests to BOX2's IP. BOX1's IP is used only for
management purposes. All requests destined to BOX2's IP will go through
BOX1. BOX1's IP will not be available to clients. Another thing is the
service running in BOX2 is very sensitive to NAT-like stuff. Primary NATting
for clients is managed externally, but no packet header modification (as in
iptables -t nat) is desirable.
On Mon, Apr 16, 2012 at 9:16 PM, Ken godee  wrote:

>
>
> On 4/16/2012 8:04 AM, Arif Hossain wrote:
> > I need to set up following network architecture :
> >
> >
> > Internet
> >^
> >  +-+ |  +--+
> >  |  Centos6-1  | |  |  Centos6-2   |
> >  |  + eth0 + +  |  |
> >  | (br0)|  ||  |
> >  |  + eth1 ++ eth0 |
> >  +-++--+
> >   ( cable connection )
> >
> >
> > Two public IPs are to be configured as follows:
> >
> > - **eth0** and **eth1** of **Centos6-1** are to be configured as a bridge
> >   with IP1
> > - **Centos6-1** can be accessed with IP1
> > - **eth0** of **Centos6-2** is configured with IP2
> > - any request destined to IP2 will flow through **Centos6-1**
> >
> > How can i accomplish this feat?
>
> Not sure if I'm understanding this
>
> You're trying to present a service running on box 2 to the internet
> through box 1's public interface? (securely)
>
> If so I might have a look at this software
>
> http://www.delegate.org/delegate/
>
> You'll be able to create a reverse proxy on box 1 to box 2 or
> any services running on your internal network, etc.
>



-- 
-aft


Re: [CentOS] bridge connection and two linux servers

2012-04-17 Thread Arif Hossain
On Tue, Apr 17, 2012 at 6:54 PM, Benjamin Hackl  wrote:
> On Tue, 17 Apr 2012 16:07:36 +0600
> Arif Hossain  wrote:
>
>> I think i've failed to describe what i'm trying to do. So i'm
>> describing it again.
>>
>> The client will send request to the BOX2's IP. BOX1's IP used only for
>> management purposes.
>
> You're looking for a bridging firewall, it probably should look like this:
>
>
> ++ +-- internet line
> |  box1  | |
> || |   ++
> |   eth2---bad-+   |  box2  |
> |   |br| | ||
> |   eth1--good---eth1   |
> || ||
> |   eth0--+--eth0   |
> |||||
> ++|++
>  |
> lan
>
> eth0 is the (optional) internal management network
>
> you'll need the following configurations on box1:
>
>
> In /etc/sysconfig/network-scripts/ifcfg-br0
> DEVICE=br0
> TYPE=Bridge
> ONBOOT=yes
> DELAY=0
> BOOTPROTO=none
>
> In /etc/sysconfig/network-scripts/ifcfg-eth1
> DEVICE=eth1
> HWADDR=
> ONBOOT=yes
> BRIDGE=br0
>
> In /etc/sysconfig/network-scripts/ifcfg-eth2
> DEVICE=eth2
> HWADDR=
> ONBOOT=yes
> BRIDGE=br0
>
>
> Restart your networking:
> service network restart
>
> Verify the bridge is set up:
> brctl show
>
> You probably want to netfilter your br0 device, I recommend shorewall:
>
> Here is a short example. I'll put eth1 in zone good and eth2 in zone
> bad. eth0 will be in zone loc. I will allow all outgoing traffic from
> box2 to the internet and filter all incoming except for https and icmp
> ping. This example requires shorewall > 4.0. This example is for ipv4
> only, ipv6 requires shorewall6.
>
>
> In /etc/shorewall/interfaces
> #ZONE   INTERFACE   BROADCAST   OPTIONS
>
> # Your isp
> inet    br0         -           bridge,proxyarp,routefilter
> bad     br0:eth2    -           physical=eth2
> good    br0:eth1    -           physical=eth1
>
> # local network
> loc     eth0        detect      routeback
>
>
> In /etc/shorewall/zones
> #ZONE       TYPE
> fw          firewall
> loc         ipv4
> inet        ipv4
> bad:inet    bport
> good:inet   bport
> #END
>
> In /etc/shorewall/policy
> #SOURCE DEST    POLICY  LOG
>
> # allow local to firewall and vice versa
> loc     fw      ACCEPT
> fw      loc     ACCEPT
>
> # the next line allows all outgoing (from good to bad) traffic.
> # you can also reject outgoing traffic and set single allow rules in
> # the file /etc/shorewall/rules (see below)
> good    bad     ACCEPT
>
> # drop all other
> bad     all     DROP    info
> all     all     DROP    info
> #END
>
> In /etc/shorewall/rules
> #ACTION SOURCE  DEST            PROTO   DEST
> # e.g. allow ping and https only for public ip (1.2.3.4)
> ACCEPT  bad     good:1.2.3.4    tcp     https
> ACCEPT  bad     good:1.2.3.4    icmp    8
> #END
>

Thanks for the reply. I will try your solution and post results.


Re: [CentOS] A request from the CentOS Project

2012-04-20 Thread Arif Hossain
>> Dear Johnny,
>
> Your past history clearly shows this is a case of the pot calling the
> kettle black.
>
> You have unceremoniously told numerous users to take a flying leap if they
> didn't like it your way.
>
> Please reveal to the "Centos Community" who penned this piece for you to
> post.
>
> Yours Truly,
>
> Ant.

We should look forward, not the other way around. A wrong deed does
not justify another wrong one.

These things only reveal philosophical differences between us.

-- 
-aft


Re: [CentOS] A request from the CentOS Project

2012-04-20 Thread Arif Hossain
On Thu, Apr 19, 2012 at 6:28 AM, Larry Martell  wrote:
> I think this classic from 1996 (author unknown) needs to be resurrected.
>
> Welcome to the Internet.
>
> No one here likes you.

This is not 1996. The Internet is more than a thousand times more
accessible to people. Back then people who built their own kernels
were the majority. Now little kids also use Linux.

So that's not valid at these times at all.


-- 
-aft


[CentOS] forwarding packets to service in same host without using loopback network

2012-04-25 Thread Arif Hossain
This question is not about Linux usage, but still I think the user list
is a good crowd for Linux programmers. So here it goes.
I have this libnetfilter_queue application which receives packets from the
kernel based on some iptables rule. Before going straight to my
problem, I'm giving sample workable code and other tools to set up a
test environment so that the problem definition and possible solutions
can be more accurate and robust.

The following code describes the core functionality of the application:


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdint.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/types.h>
#include <linux/netfilter.h>    /* for NF_ACCEPT */
#include <libnetfilter_queue/libnetfilter_queue.h>

/* hook numbers as reported in nfqnl_msg_packet_hdr.hook (NF_INET_*) */
#define PREROUTING 0
#define OUTPUT 3
#define POSTROUTING 4


/* returns packet id */
static u_int32_t
print_pkt (struct nfq_data *tb)
{
  int id = 0;
  struct nfqnl_msg_packet_hdr *ph;
  struct nfqnl_msg_packet_hw *hwph;
  u_int32_t mark, ifi;
  int ret;
  unsigned char *data;

  ph = nfq_get_msg_packet_hdr (tb);
  if (ph)
    {
      id = ntohl (ph->packet_id);
      printf ("hw_protocol=0x%04x hook=%u id=%u ",
              ntohs (ph->hw_protocol), ph->hook, id);
    }

  hwph = nfq_get_packet_hw (tb);
  if (hwph)
    {
      int i, hlen = ntohs (hwph->hw_addrlen);

      printf ("hw_src_addr=");
      for (i = 0; i < hlen - 1; i++)
        printf ("%02x:", hwph->hw_addr[i]);
      if (hlen > 0)             /* hw_addrlen can be 0 on locally generated packets */
        printf ("%02x ", hwph->hw_addr[hlen - 1]);
    }

  mark = nfq_get_nfmark (tb);
  if (mark)
    printf ("mark=%u ", mark);

  ifi = nfq_get_indev (tb);
  if (ifi)
    printf ("indev=%u ", ifi);

  ifi = nfq_get_outdev (tb);
  if (ifi)
    printf ("outdev=%u ", ifi);
  ifi = nfq_get_physindev (tb);
  if (ifi)
    printf ("physindev=%u ", ifi);

  ifi = nfq_get_physoutdev (tb);
  if (ifi)
    printf ("physoutdev=%u ", ifi);

  /* payload is the raw packet starting at the IP header */
  ret = nfq_get_payload (tb, &data);
  if (ret >= 0)
    printf ("payload_len=%d ", ret);

  fputc ('\n', stdout);

  return id;
}


/* queue callback: one call per queued packet; must issue a verdict */
static int
cb (struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
    struct nfq_data *nfa, void *data)
{
  uint32_t ip_src, ip_dst;
  struct in_addr s_ip;
  struct in_addr d_ip;
  uint16_t src_port;
  uint16_t dst_port;
  unsigned int ihl;
  int verdict;
  int id = 0;
  int ret;
  unsigned char *buffer;
  struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr (nfa);
  if (ph)
    {
      id = ntohl (ph->packet_id);
      printf ("received packet with id %d\n", id);
    }
  /* buffer points at the IPv4 header; ret is the packet length or < 0 */
  ret = nfq_get_payload (nfa, &buffer);
  if (ret < 28 || buffer[9] != IPPROTO_UDP)
    /* too short for IP + UDP header, or not UDP: pass it through untouched */
    return nfq_set_verdict (qh, id, NF_ACCEPT, 0, NULL);
  ihl = (buffer[0] & 0x0f) * 4; /* IP header length; the UDP header follows it */
  ip_src = *((uint32_t *) (buffer + 12));
  ip_dst = *((uint32_t *) (buffer + 16));
  src_port = ntohs (*((uint16_t *) (buffer + ihl)));
  dst_port = ntohs (*((uint16_t *) (buffer + ihl + 2)));
  s_ip.s_addr = ip_src;
  d_ip.s_addr = ip_dst;
  /* clear the UDP checksum field (bytes 6-7 of the UDP header); on IPv4 a
     zero checksum means "none", so the receiver will not verify the
     mangled payload */
  *(buffer + ihl + 6) = 0x00;
  *(buffer + ihl + 7) = 0x00;
  printf ("source IP %s\n", inet_ntoa (s_ip));
  printf ("destination IP %s\n", inet_ntoa (d_ip));
  printf ("source port %u\n", src_port);
  printf ("destination port %u\n", dst_port);
  if (ph)
    {
      switch (ph->hook)
        {
        case PREROUTING:
          printf ("inbound packet\n");
          //my_mangling_fun();
          break;
        case OUTPUT:
          printf ("outbound packet\n");
          //my_mangling_fun();
          break;
        }
    }
  /* hand the (possibly modified) packet back to the kernel */
  verdict = nfq_set_verdict (qh, id, NF_ACCEPT, ret, buffer);
  if (verdict >= 0)
    printf ("verdict ok\n");
  return verdict;
}

int
main (int argc, char **argv)
{
  struct nfq_handle *h;
  struct nfq_q_handle *qh;
  int fd;
  int rv;
  char buf[4096] __attribute__ ((aligned));

  printf ("opening library handle\n");
  h = nfq_open ();
  if (!h)
    {
      fprintf (stderr, "error during nfq_open()\n");
      exit (1);
    }

  printf ("unbinding existing nf_queue handler for AF_INET (if any)\n");
  if (nfq_unbind_pf (h, AF_INET) < 0)
    {
      fprintf (stderr, "error during nfq_unbind_pf()\n");
      exit (1);
    }

  printf ("binding nfnetlink_queue as nf_queue handler for AF_INET\n");
  if (nfq_bind_pf (h, AF_INET) < 0)
    {
      fprintf (stderr, "error during nfq_bind_pf()\n");
      exit (1);
    }

  printf ("binding this socket to queue '0'\n");
  qh = nfq_create_queue (h, 0, &cb, NULL);
  if (!qh)
    {
      fprintf (stderr, "error during nfq_create_queue()\n");
      exit (1);
    }

  printf ("setting copy_packet mode\n");
  /* copy up to 0xffff bytes of each packet to userspace */
  if (nfq_set_mode (qh, NFQNL_COPY_PACKET, 0xffff) < 0)
    {
      fprintf (stderr, "can't set packet_copy mode\n");
      exit (1);
    }

  fd = nfq_fd (h);

  /* receive loop; the tail follows the stock libnetfilter_queue nfqnl_test
     example, the archived message is cut off after the recv() line */
  for (;;)
    {
      if ((rv = recv (fd, buf, sizeof (buf), 0)) >= 0)
        {
          nfq_handle_packet (h, buf, rv);       /* dispatches to cb() */
          continue;
        }
      break;
    }

  printf ("unbinding from queue 0\n");
  nfq_destroy_queue (qh);

  printf ("closing library handle\n");
  nfq_close (h);

  exit (0);
}
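The earlier checksum question and the cb() above meet at the same point: the UDP checksum covers a pseudo-header (source and destination address, protocol, UDP length) plus the UDP header and payload, so every byte a queue handler rewrites invalidates it, and a 2.6.32 kernel then drops the datagram in udp_rcv(), after the netfilter hooks and without any log line; the only trace is the Udp InErrors counter going up (shown by `netstat -su` as "packet receive errors"). The code above sidesteps that by writing zero into the checksum field, which on IPv4 means "no checksum" and makes the receiver skip verification, at the cost of losing integrity checking altogether (IPv6 has no such escape). The following is an added example, not the poster's code, showing how to recompute the checksum instead, so the mangled packet arrives with a valid one; the packet layout (10.0.0.1:40000 -> 10.0.0.2:7160, payload "garbage") is constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One's-complement sum of big-endian 16-bit words; an odd trailing byte is
   padded with a zero on the right (RFC 768). */
static uint32_t ocsum(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;
    return acc;
}

/* Checksum an IPv4/UDP packet (IP header at pkt[0]) should carry: pseudo-header
   (addresses, protocol, UDP length) + UDP header with the checksum field taken
   as zero + payload. Returns 0 only for input that is not well-formed IPv4/UDP;
   a computed 0 is reported as 0xffff, as RFC 768 requires on the wire. */
uint16_t udp_checksum_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;        /* IP options respected */
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17)
        return 0;
    size_t udp_len = ((size_t)pkt[ihl + 4] << 8) | pkt[ihl + 5];
    if (udp_len < 8 || ihl + udp_len > len)
        return 0;

    uint32_t acc = ocsum(pkt + 12, 8, 0);            /* src + dst address */
    acc += 17 + udp_len;                             /* zero byte, protocol, UDP length */
    acc = ocsum(pkt + ihl, 6, acc);                  /* ports and length; checksum skipped */
    acc = ocsum(pkt + ihl + 8, udp_len - 8, acc);    /* payload */
    while (acc >> 16)                                /* fold the carries */
        acc = (acc & 0xffff) + (acc >> 16);
    uint16_t sum = (uint16_t)~acc;
    return sum ? sum : 0xffff;
}

/* 1 = matches, 0 = mismatch (the kernel drops it and bumps Udp InErrors),
   -1 = field is zero (IPv4 "no checksum", verification skipped), -2 = malformed. */
int udp_checksum_check(const uint8_t *pkt, size_t len)
{
    uint16_t want = udp_checksum_ipv4(pkt, len);
    if (want == 0)
        return -2;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t have = ((uint16_t)pkt[ihl + 6] << 8) | pkt[ihl + 7];
    return have == 0 ? -1 : have == want;
}

/* Recompute and store the checksum after the payload has been rewritten; this
   is what the queue handler should do instead of zeroing the field. */
int udp_checksum_fix(uint8_t *pkt, size_t len)
{
    uint16_t sum = udp_checksum_ipv4(pkt, len);
    if (sum == 0)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    pkt[ihl + 6] = (uint8_t)(sum >> 8);
    pkt[ihl + 7] = (uint8_t)(sum & 0xff);
    return 1;
}

/* Constructed packet for illustration (not captured traffic):
   10.0.0.1:40000 -> 10.0.0.2:7160, IHL 5, both checksum fields zero. */
size_t build_udp_packet(uint8_t *out, const uint8_t *payload, size_t plen)
{
    size_t udp_len = 8 + plen, tot = 20 + udp_len;
    static const uint8_t src[4] = {10, 0, 0, 1}, dst[4] = {10, 0, 0, 2};
    memset(out, 0, tot);
    out[0] = 0x45;                                   /* IPv4, 20-byte header */
    out[2] = (uint8_t)(tot >> 8); out[3] = (uint8_t)tot;
    out[8] = 64;                                     /* TTL */
    out[9] = 17;                                     /* protocol UDP */
    memcpy(out + 12, src, 4);
    memcpy(out + 16, dst, 4);
    out[20] = 40000 >> 8; out[21] = 40000 & 0xff;    /* source port */
    out[22] = 7160 >> 8;  out[23] = 7160 & 0xff;     /* destination port */
    out[24] = (uint8_t)(udp_len >> 8); out[25] = (uint8_t)udp_len;
    memcpy(out + 28, payload, plen);
    return tot;
}

/* Checksum of the constructed packet (hand-computed value: 0x9369). */
uint16_t demo_checksum(void)
{
    uint8_t pkt[64];
    size_t n = build_udp_packet(pkt, (const uint8_t *)"garbage", 7);
    return udp_checksum_ipv4(pkt, n);
}

/* Replays the thread's situation on the constructed packet; returns 0 when every
   step behaves as expected, otherwise the number of the failing step. */
int demo(void)
{
    uint8_t pkt[64];
    size_t n = build_udp_packet(pkt, (const uint8_t *)"garbage", 7);
    if (udp_checksum_check(pkt, n) != -1) return 1;  /* zero field: "no checksum" */
    if (!udp_checksum_fix(pkt, n))        return 2;
    if (udp_checksum_check(pkt, n) != 1)  return 3;
    pkt[30] ^= 0x01;                                 /* rewrite one payload byte */
    if (udp_checksum_check(pkt, n) != 0)  return 4;  /* stale checksum: would be dropped */
    if (!udp_checksum_fix(pkt, n))        return 5;  /* recompute after mangling */
    if (udp_checksum_check(pkt, n) != 1)  return 6;
    return 0;
}

int main(void)
{
    printf("checksum for the constructed packet: 0x%04x\n", demo_checksum());
    printf("demo: %s\n", demo() == 0 ? "every step as expected" : "failed");
    return demo();
}
```

In the queue handler, the call would replace the two zeroing stores: after my_mangling_fun() has rewritten the payload, udp_checksum_fix(buffer, ret) brings the datagram back into a state the receiving kernel accepts, and the daemon's recv() returns. Later libnetfilter_queue releases ship a helper for the same job (nfq_udp_compute_checksum_ipv4), but the arithmetic is the same.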

Re: [CentOS] forwarding packets to service in same host without using loopback network

2012-04-25 Thread Arif Hossain
On Thu, Apr 26, 2012 at 1:18 AM,   wrote:

> Are you a student?

I'm doing my graduate studies, so I'm a student :). But I'm studying
theoretical physics, so that does not count here :)

Bottom line is I'm not a CS student. But I develop software :)

>
> I ask, because in both functions, the first thing I see is
>
>>       if (ph)
>>         {
>>           id = ntohl (ph->packet_id);
>>           printf ("hw_protocol=0x%04x hook=%u id=%u ",
>>             ntohs (ph->hw_protocol), ph->hook, id);
>>         }
>
> and you have *no* error handling if !ph. If this should never be true,
> then a) why is it in an if statement, and b) I will say, with 99.44%
> confidence, that it *will* be the case sometime, in a situation you
> haven't thought of.
>
> I'm at work, so I may get back to this after work.
>
>       mark

I should have set up some error codes and done some aborting, but I'm
still at the prototyping stage.

-- 
-aft


Re: [CentOS] forwarding packets to service in same host without using loopback network

2012-04-25 Thread Arif Hossain
On Thu, Apr 26, 2012 at 1:32 AM,   wrote:
> Arif Hossain wrote:
>> On Thu, Apr 26, 2012 at 1:18 AM,   wrote:
>>
>>> Are you a student?
>>
>> I'm doing my graduate studies, so i'm a student :). But i'm studying
>> theoretical physics so that does not count here :)
>
> 
>>
>> bottom line is i'm not a CS student. But i develop software :)
> 
>>> I'm at work, so I may get back to this after work.
>>
>> I should have set up some error code, and do some aborting. but I'm
>> still at prototyping stage.
>
> You *really* should have that simple error handling. It will save you
> grief (and more recompiling, this time with a bunch of printf()'s) as you
> test... and it'll be in there from the start.
>

Thank you for the advice. I'll keep that in my mind.


>      mark "um, yeah, after years of programming, I taught myself C to get
>            a new job in, er, 1989"
>
>

I first typed on a keyboard in 2000. Got my PC (with Windows Me and the
blue screen of death) in 2001. I first wrote an "int main" in 2007 in the
Turbo C DOS GUI (in my country that's what is thrown at students in their
Programming 101 course; no wonder I got a C+ and thought programming
is the worst thing that happened to mankind after Superman), and wrote a
"typedef struct" in 2010. Most of the developer shops in my country
produce C# forms in pirated VStudio. So if someone does some Linux and
C for fun they pick them like crazy. It's a good thing that I can use
that money to support my education and my cute wife :).




-- 
-aft