Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/apernet/iptables-mod-randmap

An iptables extension for stateless address / port randomization.

iptables-extension networking




README

iptables-mod-randmap
===================

> **Warning**
>
> This is still an experimental, in-development project.
> It is not fully tested and may cause a kernel panic.

An `iptables-extensions(8)` module that adds a `RANDMAP` target for stateless
address / port randomization.

Give it a prefix and/or a port range, and RANDMAP picks a new random address
and/or a new random port number for every IP packet it handles.

To map the randomized headers back on the receiving side, use a /128 as the
prefix and a single port as the range (for example
`--dst-pfx fc00:2070::2/128 --dport 80:80`): with no host bits and a one-port
range there is nothing left to randomize, so every packet is rewritten to the
same fixed address and port.

RANDMAP is stateless: it keeps no record of what it assigned to earlier packets,
so the receiving side cannot look up the original header and must instead be told
the fixed address and port to restore (the /128 plus single-port form above). For
the same reason it is not designed to traverse a NAT or a stateful firewall, which
would see every packet of a connection as a separate flow.

## Build & Install

On Debian 11:
```
# Update to the latest kernel, then reboot into it so the headers installed
# below match the running kernel
apt update && apt -y upgrade
reboot

# Install kernel headers and other build tools
apt -y install linux-headers-$(uname -r) libxtables-dev git build-essential pkg-config
```

Then clone the repository and build:

```
git clone https://github.com/apernet/iptables-mod-randmap
cd iptables-mod-randmap
make install-all
```

The above command installs a kernel module at
`/lib/modules/$(uname -r)/extra/xt_RANDMAP.ko.zst`
as well as an xtables extension at
`$(pkg-config xtables --variable xtlibdir)/libxt_RANDMAP.so`

## Usage

RANDMAP only works in the `mangle` table.

```
# iptables -j RANDMAP --help
...
RANDMAP target options:
--src-pfx prefix/length
Prefix for random source address.

--sport port:port
Port range for random source port.

--dst-pfx prefix/length
Prefix for random destination address.

--dport port:port
Port range for random destination port.

```

Any option can be omitted; the corresponding field of the packet is then left
unchanged.
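The following Python is an added example, not code from iptables-mod-randmap or the apernet project: it models the four options above in user space (with the standard `ipaddress` and `secrets` modules) and applies the server/client rules from the example section of this README to one request and one reply, to make concrete what the stateless /128 plus single-port "restore" rule does. The `Packet` and `RandmapRule` names and the `randbits`/`randbelow` hooks are mine, for illustration; they are not the module's API, and the model does not reproduce the kernel module's handling of non-TCP/UDP packets.

```python
# Added example, not code from iptables-mod-randmap: a user-space model of the
# four RANDMAP options, used to show what "stateless" means here. Addresses and
# rules below are the ones from the server/client example on this page.
import ipaddress
import secrets
from dataclasses import dataclass, replace
from typing import Callable, Optional, Tuple

Addr = ipaddress.IPv6Address
PortRange = Tuple[int, int]          # the lo:hi form of --sport / --dport


@dataclass(frozen=True)
class Packet:
    src: Addr
    sport: int
    dst: Addr
    dport: int


@dataclass(frozen=True)
class RandmapRule:
    """One -j RANDMAP target; None means the option was omitted (field unchanged)."""
    src_pfx: Optional[str] = None        # --src-pfx prefix/length
    sport: Optional[PortRange] = None    # --sport lo:hi
    dst_pfx: Optional[str] = None        # --dst-pfx prefix/length
    dport: Optional[PortRange] = None    # --dport lo:hi


def random_addr(pfx: str, randbits: Callable[[int], int] = secrets.randbits) -> Addr:
    """Keep the prefix bits, randomize the host bits. A /128 has none, so it is fixed."""
    net = ipaddress.ip_network(pfx, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    if host_bits == 0:
        return net.network_address
    return net.network_address + randbits(host_bits)


def random_port(rng: PortRange, randbelow: Callable[[int], int] = secrets.randbelow) -> int:
    """Uniform port in [lo, hi]; lo == hi (e.g. 80:80) yields a fixed port."""
    lo, hi = rng
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {lo}:{hi}")
    return lo + randbelow(hi - lo + 1)


def apply_rule(pkt: Packet, rule: RandmapRule,
               randbits=secrets.randbits, randbelow=secrets.randbelow) -> Packet:
    """Rewrite one packet. Nothing is remembered between calls: that is the stateless part."""
    return replace(
        pkt,
        src=random_addr(rule.src_pfx, randbits) if rule.src_pfx is not None else pkt.src,
        sport=random_port(rule.sport, randbelow) if rule.sport is not None else pkt.sport,
        dst=random_addr(rule.dst_pfx, randbits) if rule.dst_pfx is not None else pkt.dst,
        dport=random_port(rule.dport, randbelow) if rule.dport is not None else pkt.dport,
    )


# The four ip6tables rules from the example on this page, as RandmapRule values.
CLIENT_OUTPUT = RandmapRule(dst_pfx="fc00:3002::/64", dport=(0, 65535))
SERVER_PREROUTING = RandmapRule(dst_pfx="fc00:2070::2/128", dport=(80, 80))
SERVER_OUTPUT = RandmapRule(src_pfx="fc00:3002::/64", sport=(0, 65535))
CLIENT_PREROUTING = RandmapRule(src_pfx="fc00:2070::2/128", sport=(80, 80))

ROUTED_PREFIX = ipaddress.ip_network("fc00:3002::/64")


def round_trip(pkt: Packet, randbits=secrets.randbits, randbelow=secrets.randbelow):
    """Client -> server: returns (packet on the wire, packet as the server's stack sees it)."""
    on_wire = apply_rule(pkt, CLIENT_OUTPUT, randbits, randbelow)
    at_server = apply_rule(on_wire, SERVER_PREROUTING, randbits, randbelow)
    return on_wire, at_server


def reply_trip(pkt: Packet, randbits=secrets.randbits, randbelow=secrets.randbelow):
    """Server -> client: returns (packet on the wire, packet as the client's stack sees it)."""
    on_wire = apply_rule(pkt, SERVER_OUTPUT, randbits, randbelow)
    at_client = apply_rule(on_wire, CLIENT_PREROUTING, randbits, randbelow)
    return on_wire, at_client


if __name__ == "__main__":
    request = Packet(Addr("fc00:2070::1"), 50982, Addr("fc00:2070::2"), 80)
    for _ in range(3):                         # three packets, three different wire 5-tuples
        wire, seen = round_trip(request)
        assert wire.dst in ROUTED_PREFIX and seen == request
        print(f"wire {wire.dst}.{wire.dport}  ->  server sees {seen.dst}.{seen.dport}")
    reply = Packet(Addr("fc00:2070::2"), 80, Addr("fc00:2070::1"), 50982)
    wire, seen = reply_trip(reply)
    assert wire.src in ROUTED_PREFIX and seen == reply
    print(f"wire {wire.src}.{wire.sport}  ->  client sees {seen.src}.{seen.sport}")
```

Whatever random value the first rule picks, the second rule maps it to the same fixed endpoint, which is why no table of assignments is needed and why a stateful middlebox in between, which only sees the randomized side, cannot associate the packets with one another.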

## Example & Intended Use

For example, take the following two hosts acting as server and client:

+ Server
  + Address: fc00:2070::2/128
  + Routed prefix: fc00:3002::/64
+ Client
  + Address: fc00:2070::1/128

Set the following ip6tables rules on the server:

```
ip6tables -t mangle -A PREROUTING -d fc00:3002::/64 -j RANDMAP --dst-pfx fc00:2070::2/128 --dport 80:80
ip6tables -t mangle -A OUTPUT -s fc00:2070::2 -p tcp --sport 80 -j RANDMAP --src-pfx fc00:3002::/64 --sport 0:65535
```

And set the following ip6tables rules on the client:

```
ip6tables -t mangle -A OUTPUT -d fc00:2070::2 -p tcp --dport 80 -j RANDMAP --dst-pfx fc00:3002::/64 --dport 0:65535
ip6tables -t mangle -A PREROUTING -s fc00:3002::/64 -j RANDMAP --src-pfx fc00:2070::2/128 --sport 80:80
```

Assume an HTTP server is listening on port 80 on the server.

If we visit it from the client:

```
curl http://[fc00:2070::2]
```

The packets of this TCP connection then look like this on the wire. Every server-side address and port is freshly chosen, while the client side (fc00:2070::1.50982) stays constant because no rule randomizes it. tcpdump was run without `-n`, so a few of the random ports are printed as service names (dsmcc-config, dnx). Note also that bursts of consecutive data segments from the server share one randomized source (for example the three segments from fc00:3002::8b5:40bf:a6f6:953a); that is what you would expect if the kernel randomized one large GSO/TSO buffer before it was segmented, so "every packet" means every packet that passes the netfilter hook, not necessarily every segment on the wire:

```
# tcpdump tcp -i qemu_arch2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on qemu_arch2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:31:19.757741 IP6 fc00:2070::1.50982 > fc00:3002::9f19:5a19:ea3f:2f82.41346: Flags [S], seq 3607979275, win 64800, options [mss 1440,sackOK,TS val 1863243187 ecr 0,nop,wscale 7], length 0
12:31:19.757964 IP6 fc00:3002::3468:9d19:37c2:d11f.47263 > fc00:2070::1.50982: Flags [S.], seq 4179963945, ack 3607979276, win 64260, options [mss 1440,sackOK,TS val 2734266744 ecr 1863243187,nop,wscale 7], length 0
12:31:19.758057 IP6 fc00:2070::1.50982 > fc00:3002::998d:f5bb:49b6:d325.60902: Flags [.], ack 4179963946, win 507, options [nop,nop,TS val 1863243188 ecr 2734266744], length 0
12:31:19.758119 IP6 fc00:2070::1.50982 > fc00:3002::5050:8fa5:99d7:74d0.27672: Flags [P.], seq 3607979276:3607979354, ack 4179963946, win 507, options [nop,nop,TS val 1863243188 ecr 2734266744], length 78
12:31:19.758216 IP6 fc00:3002::32fb:55bc:239c:308c.22618 > fc00:2070::1.50982: Flags [.], ack 3607979354, win 502, options [nop,nop,TS val 2734266744 ecr 1863243188], length 0
12:31:19.758654 IP6 fc00:3002::8b5:40bf:a6f6:953a.dsmcc-config > fc00:2070::1.50982: Flags [.], seq 4179963946:4179965374, ack 3607979354, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758665 IP6 fc00:3002::8b5:40bf:a6f6:953a.dsmcc-config > fc00:2070::1.50982: Flags [.], seq 1428:2856, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758669 IP6 fc00:3002::8b5:40bf:a6f6:953a.dsmcc-config > fc00:2070::1.50982: Flags [P.], seq 2856:4096, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1240
12:31:19.758719 IP6 fc00:2070::1.50982 > fc00:3002::6043:5fe7:1996:290a.56399: Flags [.], ack 4179968042, win 489, options [nop,nop,TS val 1863243188 ecr 2734266745], length 0
12:31:19.758765 IP6 fc00:3002::1221:96fd:c5ce:25a6.22257 > fc00:2070::1.50982: Flags [.], seq 4179968042:4179969470, ack 3607979354, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758772 IP6 fc00:3002::1221:96fd:c5ce:25a6.22257 > fc00:2070::1.50982: Flags [.], seq 1428:2856, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758776 IP6 fc00:3002::1221:96fd:c5ce:25a6.22257 > fc00:2070::1.50982: Flags [.], seq 2856:4284, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758780 IP6 fc00:3002::1221:96fd:c5ce:25a6.22257 > fc00:2070::1.50982: Flags [.], seq 4284:5712, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758784 IP6 fc00:3002::1221:96fd:c5ce:25a6.22257 > fc00:2070::1.50982: Flags [P.], seq 5712:7140, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758799 IP6 fc00:3002::2a7a:3d0:da8f:ce8f.16022 > fc00:2070::1.50982: Flags [P.], seq 4179975182:4179976381, ack 3607979354, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1199
12:31:19.758878 IP6 fc00:2070::1.50982 > fc00:3002::2f4f:9d48:d09d:5861.21844: Flags [.], ack 4179975182, win 474, options [nop,nop,TS val 1863243188 ecr 2734266745], length 0
12:31:19.758914 IP6 fc00:2070::1.50982 > fc00:3002::839f:461e:32c:52f6.65195: Flags [.], ack 4179976381, win 466, options [nop,nop,TS val 1863243188 ecr 2734266745], length 0
12:31:19.900520 IP6 fc00:2070::1.50982 > fc00:3002::3bdf:3c09:7638:9b43.47453: Flags [F.], seq 3607979354, ack 4179976381, win 501, options [nop,nop,TS val 1863243330 ecr 2734266745], length 0
12:31:19.900794 IP6 fc00:3002::c7b2:7ea6:4fb0:b528.dnx > fc00:2070::1.50982: Flags [F.], seq 4179976381, ack 3607979355, win 502, options [nop,nop,TS val 2734266887 ecr 1863243330], length 0
12:31:19.900891 IP6 fc00:2070::1.50982 > fc00:3002::3954:e728:1161:7d92.43101: Flags [.], ack 4179976382, win 501, options [nop,nop,TS val 1863243330 ecr 2734266887], length 0
```
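As an added check that is not part of the project, the following Python parses six lines copied from the capture above and audits them against the rules: every server-side endpoint must lie inside the routed prefix fc00:3002::/64, the real address fc00:2070::2 must never appear on the wire, and the un-randomized client endpoint should be the only constant. It also counts server-side endpoints that recur on consecutive segments, which is the GSO/TSO effect visible above. The line regex assumes tcpdump's default `IP6 addr.port > addr.port:` output format; the `Endpoint`, `parse` and `audit` names are mine.

```python
# Added example, not code from iptables-mod-randmap: audit a tcpdump capture of a
# RANDMAP'd connection against the rules on this page. CAPTURE holds six lines
# copied from the capture above; the regex assumes tcpdump's default IP6 output.
import ipaddress
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

ROUTED_PREFIX = ipaddress.ip_network("fc00:3002::/64")   # --src-pfx / --dst-pfx in the rules
REAL_SERVER = ipaddress.ip_address("fc00:2070::2")        # must never appear on the wire
CLIENT = ipaddress.ip_address("fc00:2070::1")             # never randomized by any rule

CAPTURE = """\
12:31:19.757741 IP6 fc00:2070::1.50982 > fc00:3002::9f19:5a19:ea3f:2f82.41346: Flags [S], seq 3607979275, win 64800, options [mss 1440,sackOK,TS val 1863243187 ecr 0,nop,wscale 7], length 0
12:31:19.757964 IP6 fc00:3002::3468:9d19:37c2:d11f.47263 > fc00:2070::1.50982: Flags [S.], seq 4179963945, ack 3607979276, win 64260, options [mss 1440,sackOK,TS val 2734266744 ecr 1863243187,nop,wscale 7], length 0
12:31:19.758654 IP6 fc00:3002::8b5:40bf:a6f6:953a.dsmcc-config > fc00:2070::1.50982: Flags [.], seq 4179963946:4179965374, ack 3607979354, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758665 IP6 fc00:3002::8b5:40bf:a6f6:953a.dsmcc-config > fc00:2070::1.50982: Flags [.], seq 1428:2856, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.900794 IP6 fc00:3002::c7b2:7ea6:4fb0:b528.dnx > fc00:2070::1.50982: Flags [F.], seq 4179976381, ack 3607979355, win 502, options [nop,nop,TS val 2734266887 ecr 1863243330], length 0
12:31:19.900891 IP6 fc00:2070::1.50982 > fc00:3002::3954:e728:1161:7d92.43101: Flags [.], ack 4179976382, win 501, options [nop,nop,TS val 1863243330 ecr 2734266887], length 0
"""

# "<ts> IP6 <addr>.<port> > <addr>.<port>: Flags [...]". IPv6 addresses never
# contain '.', so the last '.' splits address from port; the port may be a
# service name (dsmcc-config, dnx) because tcpdump was run without -n.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): Flags \["
)


class Endpoint(NamedTuple):
    addr: ipaddress.IPv6Address
    port: str          # kept as text so resolved service names survive


def parse(capture: str) -> List[Tuple[Endpoint, Endpoint]]:
    """Return (src, dst) endpoint pairs for each parsable line; other lines are skipped."""
    pairs = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        pairs.append((Endpoint(ipaddress.ip_address(m["src"]), m["sport"]),
                      Endpoint(ipaddress.ip_address(m["dst"]), m["dport"])))
    return pairs


def audit(capture: str) -> Dict[str, int]:
    pairs = parse(capture)
    client_side = set()        # endpoints belonging to the client; expect exactly one
    server_side = []           # the randomized end of each packet, in capture order
    leaks = 0
    for src, dst in pairs:
        if src.addr == CLIENT:
            client_side.add(src)
            server_side.append(dst)
        elif dst.addr == CLIENT:
            client_side.add(dst)
            server_side.append(src)
        leaks += int(src.addr == REAL_SERVER) + int(dst.addr == REAL_SERVER)
    counts = Counter(server_side)
    return {
        "packets": len(pairs),
        "client_endpoints": len(client_side),                                     # expect 1
        "distinct_server_endpoints": len(counts),
        "outside_prefix": sum(1 for e in counts if e.addr not in ROUTED_PREFIX),  # expect 0
        "real_server_leaks": leaks,                                               # expect 0
        "reused_server_endpoints": sum(1 for c in counts.values() if c > 1),      # GSO/TSO bursts
    }


if __name__ == "__main__":
    for key, value in audit(CAPTURE).items():
        print(f"{key:28} {value}")
```

A non-zero `outside_prefix` or `real_server_leaks` on a real capture means some traffic reached the wire without passing a RANDMAP rule (for instance because a rule matches only `-p tcp` while other protocols are also routed through the prefix); running tcpdump with `-n` avoids the service-name substitution and makes the port column numeric.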

## What is its use?

Guess it.