LinuxQuestions.org - What options are available to me if i want to take full control of network activity on my NIC?

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - What options are available to me if i want to take full control of network activity on my NIC? (https://www.linuxquestions.org/questions/linux-security-4/what-options-are-available-to-me-if-i-want-to-take-full-control-of-network-activity-on-my-nic-4175728040/)

What options are available to me if i want to take full control of network activity on my NIC?

To explain in more detail, I am imagining a GUI (or system tray icon), that flashes every time, any time, a new application tries to make a network connection and it will prompt me to permit it this time or every time from there on.

Waaaay back in the day I remember having a firewall on Windows called Zone Alarm that did this and I have been craving that kind of simple awareness every since.

Does such a thing exist in linux land? Tips in the right direction greatly appreciated.

Thanks LQ!

Looks like OpenSnitch is really all that is available.

I'll give it a go. Thank you.

As I wrote, I do not consider OpenSnitch a viable option. I cannot trust it and I must be able to trust security software.

My 2 cents.

Interesting. I wanted to see that work. You'll need python bindings for that if you use python.

Code:

pacman -S libnetfilter_queue

I compiled a little bit of C for my test.

netfil.c

Code:

#include <errno.h>

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <string.h>

#include <time.h>

#include <arpa/inet.h>



#include <libmnl/libmnl.h>

#include <linux/netfilter.h>

#include <linux/netfilter/nfnetlink.h>



#include <linux/types.h>

#include <linux/netfilter/nfnetlink_queue.h>



#include <libnetfilter_queue/libnetfilter_queue.h>

#include <linux/netfilter/nfnetlink_conntrack.h>



static struct mnl_socket *nl;



static void

nfq_send_verdict(int queue_num, uint32_t id) {

        char buf[MNL_SOCKET_BUFFER_SIZE];

        struct nlmsghdr *nlh;

        struct nlattr *nest;



        nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num);

        nfq_nlmsg_verdict_put(nlh, id, NF_ACCEPT);



        nest = mnl_attr_nest_start(nlh, NFQA_CT);



        mnl_attr_put_u32(nlh, CTA_MARK, htonl(42));



        mnl_attr_nest_end(nlh, nest);



        if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {

                perror("mnl_socket_send");

                exit(EXIT_FAILURE);

        }

}



static int queue_cb(const struct nlmsghdr *nlh, void *data) {

        struct nfqnl_msg_packet_hdr *ph = NULL;

        struct nlattr *attr[NFQA_MAX+1] = {};

        uint32_t id = 0, skbinfo;

        struct nfgenmsg *nfg;

        uint16_t plen;



        if (nfq_nlmsg_parse(nlh, attr) < 0) {

                perror("problems parsing");

                return MNL_CB_ERROR;

        }



        nfg = mnl_nlmsg_get_payload(nlh);



        if (attr[NFQA_PACKET_HDR] == NULL) {

                fputs("metaheader not set\n", stderr);

                return MNL_CB_ERROR;

        }



        ph = mnl_attr_get_payload(attr[NFQA_PACKET_HDR]);



        plen = mnl_attr_get_payload_len(attr[NFQA_PAYLOAD]);



        skbinfo = attr[NFQA_SKB_INFO] ? ntohl(mnl_attr_get_u32(attr[NFQA_SKB_INFO])) : 0;



        if (attr[NFQA_CAP_LEN]) {

                uint32_t orig_len = ntohl(mnl_attr_get_u32(attr[NFQA_CAP_LEN]));

                if (orig_len != plen)

                        printf("truncated ");

        }



        if (skbinfo & NFQA_SKB_GSO)

                printf("GSO ");



        id = ntohl(ph->packet_id);

        printf("packet received (id=%u hw=0x%04x hook=%u, payload len %u",

                id, ntohs(ph->hw_protocol), ph->hook, plen);



        if (attr[NFQA_HWADDR]) {

                struct nfqnl_msg_packet_hw *hw = mnl_attr_get_payload(attr[NFQA_HWADDR]);

                unsigned int hwlen = ntohs(hw->hw_addrlen);

                const unsigned char *addr = hw->hw_addr;

                unsigned int i;



                printf(", hwaddr %02x", addr[0]);

                for (i = 1; i < hwlen; i++) {

                        if (i >= sizeof(hw->hw_addr)) {

                                printf("[truncated]");

                                break;

                        }

                        printf(":%02x", (unsigned char)addr[i]);

                }



                printf(" len %u", hwlen);

        }



        if (skbinfo & NFQA_SKB_CSUMNOTREADY)

                printf(", checksum not ready");

        puts(")");



        nfq_send_verdict(ntohs(nfg->res_id), id);



        return MNL_CB_OK;

}



int main(int argc, char *argv[])

{

        char *buf;

        size_t sizeof_buf = 0xffff + (MNL_SOCKET_BUFFER_SIZE/2);

        struct nlmsghdr *nlh;

        int ret;

        unsigned int portid, queue_num;



        if (argc != 2) {

                printf("Usage: %s [queue_num]\n", argv[0]);

                exit(EXIT_FAILURE);

        }

        queue_num = atoi(argv[1]);



        nl = mnl_socket_open(NETLINK_NETFILTER);

        if (nl == NULL) {

                perror("mnl_socket_open");

                exit(EXIT_FAILURE);

        }



        if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {

                perror("mnl_socket_bind");

                exit(EXIT_FAILURE);

        }

        portid = mnl_socket_get_portid(nl);



        buf = malloc(sizeof_buf);

        if (!buf) {

                perror("allocate receive buffer");

                exit(EXIT_FAILURE);

        }



        nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);

        nfq_nlmsg_cfg_put_cmd(nlh, AF_INET, NFQNL_CFG_CMD_BIND);



        if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {

                perror("mnl_socket_send");

                exit(EXIT_FAILURE);

        }



        nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);

        nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_PACKET, 0xffff);



        mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO));

        mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO));



        if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {

                perror("mnl_socket_send");

                exit(EXIT_FAILURE);

        }



        ret = 1;

        mnl_socket_setsockopt(nl, NETLINK_NO_ENOBUFS, &ret, sizeof(int));



        for (;;) {

                ret = mnl_socket_recvfrom(nl, buf, sizeof_buf);

                if (ret == -1) {

                        perror("mnl_socket_recvfrom");

                        exit(EXIT_FAILURE);

                }



                ret = mnl_cb_run(buf, ret, 0, portid, queue_cb, NULL);

                if (ret < 0){

                        perror("mnl_cb_run");

                        exit(EXIT_FAILURE);

                }

        }



        mnl_socket_close(nl);



        return 0;

}



//Compile

//gcc netfil.c -g3 -ggdb -Wall -lmnl -lnetfilter_queue -o nfil

I made an iptables rule to give it packets.(Use your own interface)

Code:

iptables -A INPUT -i enp2s0 -j NFQUEUE --queue-num 0

You can cancel that with.

Code:

iptables -D INPUT -i enp2s0 -j NFQUEUE --queue-num 0

And that I ran with

Code:

sudo ./nfil 0

Pinged google and was able to catch packets.

Quote:

Originally Posted by boughtonp (Post 6448530)

As I wrote, I do not consider OpenSnitch a viable option. I cannot trust it and I must be able to trust security software.

Please elaborate on why you don't trust it?

If I'm using security software I want developers who know what they're doing, can demonstrate understanding, transparency, and have a basic level of competence.

From looking at recent issues, commit history, and the source code, I found numerous problems with all of those.

I started explaining in more details but it was taking too long, and right now I need to focus my time on other things.

Quote:

Originally Posted by boughtonp (Post 6448669)

Understood.

Quote:

Originally Posted by teckk (Post 6448557)

My 2 cents.

Interesting. I wanted to see that work. You'll need python bindings for that if you use python.

Code:

pacman -S libnetfilter_queue

I compiled a little bit of C for my test.

netfil.c

Code:

#include <errno.h>

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <string.h>

#include <time.h>

#include <arpa/inet.h>



#include <libmnl/libmnl.h>

#include <linux/netfilter.h>

#include <linux/netfilter/nfnetlink.h>



#include <linux/types.h>

#include <linux/netfilter/nfnetlink_queue.h>



#include <libnetfilter_queue/libnetfilter_queue.h>

#include <linux/netfilter/nfnetlink_conntrack.h>



static struct mnl_socket *nl;



static void

nfq_send_verdict(int queue_num, uint32_t id) {

        char buf[MNL_SOCKET_BUFFER_SIZE];

        struct nlmsghdr *nlh;

        struct nlattr *nest;



        nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num);

        nfq_nlmsg_verdict_put(nlh, id, NF_ACCEPT);



        nest = mnl_attr_nest_start(nlh, NFQA_CT);



        mnl_attr_put_u32(nlh, CTA_MARK, htonl(42));



        mnl_attr_nest_end(nlh, nest);



        if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {

                perror("mnl_socket_send");

                exit(EXIT_FAILURE);

        }

}



static int queue_cb(const struct nlmsghdr *nlh, void *data) {

        struct nfqnl_msg_packet_hdr *ph = NULL;

        struct nlattr *attr[NFQA_MAX+1] = {};

        uint32_t id = 0, skbinfo;

        struct nfgenmsg *nfg;

        uint16_t plen;



        if (nfq_nlmsg_parse(nlh, attr) < 0) {

                perror("problems parsing");

                return MNL_CB_ERROR;

        }



        nfg = mnl_nlmsg_get_payload(nlh);



        if (attr[NFQA_PACKET_HDR] == NULL) {

                fputs("metaheader not set\n", stderr);

                return MNL_CB_ERROR;

        }



        ph = mnl_attr_get_payload(attr[NFQA_PACKET_HDR]);



        plen = mnl_attr_get_payload_len(attr[NFQA_PAYLOAD]);



        skbinfo = attr[NFQA_SKB_INFO] ? ntohl(mnl_attr_get_u32(attr[NFQA_SKB_INFO])) : 0;



        if (attr[NFQA_CAP_LEN]) {

                uint32_t orig_len = ntohl(mnl_attr_get_u32(attr[NFQA_CAP_LEN]));

                if (orig_len != plen)

                        printf("truncated ");

        }



        if (skbinfo & NFQA_SKB_GSO)

                printf("GSO ");



        id = ntohl(ph->packet_id);

        printf("packet received (id=%u hw=0x%04x hook=%u, payload len %u",

                id, ntohs(ph->hw_protocol), ph->hook, plen);



        if (attr[NFQA_HWADDR]) {

                struct nfqnl_msg_packet_hw *hw = mnl_attr_get_payload(attr[NFQA_HWADDR]);

                unsigned int hwlen = ntohs(hw->hw_addrlen);

                const unsigned char *addr = hw->hw_addr;

                unsigned int i;



                printf(", hwaddr %02x", addr[0]);

                for (i = 1; i < hwlen; i++) {

                        if (i >= sizeof(hw->hw_addr)) {

                                printf("[truncated]");

                                break;

                        }

                        printf(":%02x", (unsigned char)addr[i]);

                }



                printf(" len %u", hwlen);

        }



        if (skbinfo & NFQA_SKB_CSUMNOTREADY)

                printf(", checksum not ready");

        puts(")");



        nfq_send_verdict(ntohs(nfg->res_id), id);



        return MNL_CB_OK;

}



int main(int argc, char *argv[])

{

        char *buf;

        size_t sizeof_buf = 0xffff + (MNL_SOCKET_BUFFER_SIZE/2);

        struct nlmsghdr *nlh;

        int ret;

        unsigned int portid, queue_num;



        if (argc != 2) {

                printf("Usage: %s [queue_num]\n", argv[0]);

                exit(EXIT_FAILURE);

        }

        queue_num = atoi(argv[1]);



        nl = mnl_socket_open(NETLINK_NETFILTER);

        if (nl == NULL) {

                perror("mnl_socket_open");

                exit(EXIT_FAILURE);

        }



        if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {

                perror("mnl_socket_bind");

                exit(EXIT_FAILURE);

        }

        portid = mnl_socket_get_portid(nl);



        buf = malloc(sizeof_buf);

        if (!buf) {

                perror("allocate receive buffer");

                exit(EXIT_FAILURE);

        }



        nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);

        nfq_nlmsg_cfg_put_cmd(nlh, AF_INET, NFQNL_CFG_CMD_BIND);



        if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {

                perror("mnl_socket_send");

                exit(EXIT_FAILURE);

        }



        nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);

        nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_PACKET, 0xffff);



        mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO));

        mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO));



        if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {

                perror("mnl_socket_send");

                exit(EXIT_FAILURE);

        }



        ret = 1;

        mnl_socket_setsockopt(nl, NETLINK_NO_ENOBUFS, &ret, sizeof(int));



        for (;;) {

                ret = mnl_socket_recvfrom(nl, buf, sizeof_buf);

                if (ret == -1) {

                        perror("mnl_socket_recvfrom");

                        exit(EXIT_FAILURE);

                }



                ret = mnl_cb_run(buf, ret, 0, portid, queue_cb, NULL);

                if (ret < 0){

                        perror("mnl_cb_run");

                        exit(EXIT_FAILURE);

                }

        }



        mnl_socket_close(nl);



        return 0;

}



//Compile

//gcc netfil.c -g3 -ggdb -Wall -lmnl -lnetfilter_queue -o nfil

I made an iptables rule to give it packets.(Use your own interface)

Code:

iptables -A INPUT -i enp2s0 -j NFQUEUE --queue-num 0

You can cancel that with.

Code:

iptables -D INPUT -i enp2s0 -j NFQUEUE --queue-num 0

And that I ran with

Code:

sudo ./nfil 0

Pinged google and was able to catch packets.

That is well beyond me but very inspiring. I really need to learn more.