Repository files navigation

Docker container with an example python script to listen for packets ona netfilter queue and manipulate them with scapy. You can listen on any queue number, and you can push packets into the queue from any iptables rule.This container gives you a powerful prototyping and debugging tool for monitoring, manipulating, dropping, accepting, requeing, or forwarding network packets in python.You can read from a queue on the host with--net=host --cap-add=NET_ADMIN.Or, you can run it within another container's namespace to listenfor packets on an nfqueue in that container's network namespace.

This container includes a full installation of scapy and python netfilter queue(nfqueue) bindings, and an example python scriptnfqueue_listener.py toprint incoming packets on the queue.

scapy:https://github.com/secdev/scapypython-netfilterqueue:https://github.com/kti/python-netfilterqueue

Clone this repository

git clone git@github.com:milesrichardson/docker-nfqueue-scapy.git

Build the docker container. This will take a while because it includes thefull scapy install and all its dependencies. You can use any tag you want, butas an example here I'm usingnfqueuelistener

cd docker-nfqueue-scapysudo docker build. -t nfqueuelistener

(Example)

Useiptables on the host to send TCP packets destined for port9001to nfqueue1:

sudo iptables -t raw \              -A PREROUTING \              -p tcp --destination-port 9001 \              -j NFQUEUE --queue-num 1

Run the docker container to listen for packets and print then accept anyreceived packets.

sudo docker run -it --rm \                --cap-add=NET_ADMIN \                --net=host \                --name=nfqueuelistener nfqueuelistener

From another machine, send some packets to test:

echo"Hello"| nc -v$HOST_IP_ADDRESS 9001

You should see something like this:

miles@box:~/testing$ sudo docker run -it --rm --cap-add=NET_ADMIN --net=host --name=nfqueuelistener nfqueuelistenerListening on NFQUEUE queue-num 1...<IP  version=4L ihl=5L tos=0x0 len=64 id=6387 flags=DF frag=0L ttl=55 proto=tcp chksum=0x6850 src=11.22.33.44 dst=44.55.66.77 options=[]|<TCP  sport=58164 dport=9001 seq=4038873318 ack=0 dataofs=11L reserved=0L flags=S window=65535 chksum=0x67be urgptr=0 options=[('MSS', 1452), ('NOP', None), ('WScale', 5), ('NOP', None), ('NOP', None), ('Timestamp', (2615879909, 0)), ('SAckOK',''), ('EOL', None)]|>>

The default queue number is1. You can override this by setting the environment variableQUEUE_NUM when running the container. For example, for queue2:

sudo docker run -it --rm \                -e'QUEUE_NUM=2' \                --cap-add=NET_ADMIN \                --net=host \                --name=nfqueuelistener nfqueuelistener

One way to edit thenfqueue_listener.py file is to simply edit it and then rebuildthe container withsudo docker build . -t nfqueuelistener. Since you are onlyediting the python file, building will not take as long as the first build.

You can find the documentation for the nfqueue library used athttps://github.com/kti/python-netfilterqueue

I have not tested this, but it should work.

Say you have another container$CONTAINER_ID and you want to intercept incomingpackets in its namespace. You can run this docker container like:

sudo docker run -it --rm \                --net=container:$CONTAINER_ID \                --name=nfqueuelistener nfqueuelistener

Note that you will need to run youriptables rules to send packets to the queuefrom within the$CONTAINER_ID container.

scapy is hardcoded version2.3.2 because there is a bug in2.3.3 causingscapy to fail on openstack deployments. The bug is actually upstream in openstack,and has been fixed, but this caused problems for me testing on packet.net wherethey have apparently not updated openstack yet.