Hi, I am trying to spoof a TCP connection, I do a telnet from machine A to machine B and then catch a packet in between and thn try and send a reset to machine A, by generating the TCP packet myself, the packet going out from machine A are caught on machine A itself. To make this work I need to call netif_rx with an skb I allocate, but when I do this, the TCP socket on machine A does not get the packet, I suspect it is being dropped by netif_rx(), what all does one have to make sure to be sure that netif_rx() hands the packet to ip and packet is not dropped (besides checksum and all). I looked at netif_rx, I have to set the incoming interface device here. So what I do is, I copy the incoming interface device structure of the first packet I catch in the pre rotuing hook and and give that as the incoming device in the skbuff containing the RST, is that ok ? or what kind of hack do I need. If someone has tried this earlier, would appreciate if u give me some pointers. thanks Amit Ranjeet Shetye <ranjeet.shetye2@xxxxxxxxxx>@lists.netfilter.org on 06/22/2004 02:04:36 AM Sent by: netfilter-admin@xxxxxxxxxxxxxxxxxxx To: netfilter@xxxxxxxxxxxxxxxxxxx cc: Subject: Re: incoming interface confusion question * Cedric Blancher (blancher@xxxxxxxxxxxxxxxxxx) wrote: > Le lun 21/06/2004 à 19:45, Shaun T. Erickson a écrit : > > Are there any cases where iptables can be confused about what interface > > a packet came in on? Can a packet arriving on interface A ever be > > reported as arriving on interface B? > > I'm not aware of such a case. Would be quite surprising. > > > I had an incident this weekend, and am trying to be certain that the > > packets came in the interface my system said it did. It's a Red Hat 9 > > system, running their stock 2.4.20-8 kernel. > > Do you have any reason to think your system was wrong ? > In order of likelihood, (highest to lowest): 1) http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.rpf.html Check your /proc/sys/net/ipv4/conf/$INTF/rp_filter setting. If it is not set, someone might have tried to attack your network from the public side, using private src ips. e.g. this can be used for an attack to make javaVM think that the packets are coming from the host itself or a trusted server. 2) If it is set, then a VPN might still allow such packets into your network, past a firewall. 3) If neither, then it might be an issue with the code in Linux. HTH -- Ranjeet Shetye Senior Software Engineer Zultys Technologies Ranjeet dot Shetye at Zultys dot com http://www.zultys.com/ The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys.
