Skip to content

llccd/netfilter-spooftcp

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

47 Commits

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

dkms-install.sh

dkms-install.sh

 
 

dkms-remove.sh

dkms-remove.sh

 
 

dkms.conf

dkms.conf

 
 

libxt_SPOOFTCP.c

libxt_SPOOFTCP.c

 
 

xt_SPOOFTCP.c

xt_SPOOFTCP.c

 
 

xt_SPOOFTCP.h

xt_SPOOFTCP.h

 
 

Repository files navigation

netfilter-spooftcp

A lightweight kernel module/iptables extension for sending spoofed TCP packets
This is a kernel-space, partial implementation of this paper

Build

Prerequisites:

  • kernel headers
  • xtables headers

Kernel Module

$ make
# insmod xt_SPOOFTCP.ko

iptables Extension

Copy libxt_SPOOFTCP.so to iptables library folder, say /lib/xtables.
Run iptables -j SPOOFTCP --help and see if it prints the help message of this module.

Usage

ip6tables -t mangle -A POSTROUTING -d 2001:db8::/64 -p tcp --dport 80 --syn -j SPOOFTCP --tcp-flags SYN,ACK

This will sent a spoofed SYN,ACK packet prior to the matched (original) SYN packet.
There are mechanisms to prevent the spoofed packets from being tracked by nf_conntrack or being matched by another SPOOFTCP rule.

Known issue

Incompatible with SNAT because the spoofed packets bypass nf_conntrack.

Use either one of the workarounds below:

  1. Use --snat IP/mask parameter. It re-implements MASQUERADE, SNAT and NETMAP statelessly, but it won't work in case of port changes or custom SNAT rules.
  2. Patch the kernel to add a chain in raw table. The chain is hooked after SNAT. Tested on kernel 4.14 and 4.19

About

A lightweight kernel module/iptables extension for sending spoofed TCP packets

Resources

Readme

License

GPL-2.0 license
Activity

Stars

51 stars

Watchers

3 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 95.5%
  • Makefile 3.4%
  • Shell 1.1%