apernet/iptables-mod-randmap apernet/iptables-mod-randmap

  • Stars
    star
    125
  • Rank 277,912 (Top 6 %)
  • Language
    C++
  • License
    GNU General Publi...
  • Created almost 2 years ago
  • Updated 11 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
apernet/iptables-mod-randmap
github

apernet

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

An iptables extension for stateless address / port randomization.

iptables-mod-randmap

Warning

This is still an experimental & in-development project. It is not fully tested and may cause kernel panic.

An iptables-extensions(8) that adds a RANDMAP target for stateless addresses / port randomization.

Just provide a prefix and/or a port range, and RANDMAP will randomly choose a new address and/or a new port number for every IP packet.

You can also set a /128 as prefix and a single port number as the port range to convert randomized IP headers back.

RANDMAP is stateless. It is not designed to traverse NAT or stateful firewall.

Build & Install

On Debian 11:

# Update to latest kernel
apt update && apt -y upgrade
reboot

# Install kernel header and other build tools
apt -y install linux-headers-$(uname -r) libxtables-dev git build-essential pkg-config

make install-all

The above command will install a kernel module at /lib/modules/$(uname -r)/extra/xt_RANDMAP.ko.zst as well as a xtables extensions at $(pkg-config xtables --variable xtlibdir)/libxt_RANDMAP.so

Usage

RANDMAP only works in the mangle table.

# iptables -j RANDMAP --help
...
RANDMAP target options:
  --src-pfx prefix/length
                                Prefix for random source address.

  --sport port:port
                                Port range for random source port.

  --dst-pfx prefix/length
                                Prefix for random destination address.

  --dport port:port
                                Port range for random destination port.

All options can be omitted to leave corresponding attributes unchanged in IP packets.

Example & Intended Use

For example, if you have the following 2 hosts act as server and client.

  • Server

    • Address: fc00:2070::2/128
    • Routed Prefix: fc00:3002::/64

  • Client

    • Address: fc00:2070::1/128

Set the following ip6tables rules on the server:

ip6tables -t mangle -A PREROUTING -d fc00:3002::/64 -j RANDMAP --dst-pfx fc00:2070::2/128 --dport 80:80
ip6tables -t mangle -A OUTPUT -s fc00:2070::2 -p tcp --sport 80 -j RANDMAP --src-pfx fc00:3002::/64 --sport 0:65535

And set the following ip6tables rules on the client:

ip6tables -t mangle -A OUTPUT -d fc00:2070::2 -p tcp --dport 80 -j RANDMAP --dst-pfx fc00:3002::/64 --dport 0:65535
ip6tables -t mangle -A PREROUTING -s fc00:3002::/64 -j RANDMAP --src-pfx fc00:2070::2/128 --sport 80:80

Assume a HTTP server is listening port 80 on the server.

If we visit the HTTP server on the client:

curl http://[fc00:2070::2]

The IP packets during this TCP connection would be like:

# tcpdump tcp -i qemu_arch2 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on qemu_arch2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:31:19.757741 IP6 fc00:2070::1.50982 > fc00:3002::9f19:5a19:ea3f:2f82.41346: Flags [S], seq 3607979275, win 64800, options [mss 1440,sackOK,TS val 1863243187 ecr 0,nop,wscale 7], length 0
12:31:19.757964 IP6 fc00:3002::3468:9d19:37c2:d11f.47263 > fc00:2070::1.50982: Flags [S.], seq 4179963945, ack 3607979276, win 64260, options [mss 1440,sackOK,TS val 2734266744 ecr 1863243187,nop,wscale 7], length 0
12:31:19.758057 IP6 fc00:2070::1.50982 > fc00:3002::998d:f5bb:49b6:d325.60902: Flags [.], ack 4179963946, win 507, options [nop,nop,TS val 1863243188 ecr 2734266744], length 0
12:31:19.758119 IP6 fc00:2070::1.50982 > fc00:3002::5050:8fa5:99d7:74d0.27672: Flags [P.], seq 3607979276:3607979354, ack 4179963946, win 507, options [nop,nop,TS val 1863243188 ecr 2734266744], length 78
12:31:19.758216 IP6 fc00:3002::32fb:55bc:239c:308c.22618 > fc00:2070::1.50982: Flags [.], ack 3607979354, win 502, options [nop,nop,TS val 2734266744 ecr 1863243188], length 0
12:31:19.758654 IP6 fc00:3002::8b5:40bf:a6f6:953a.dsmcc-config > fc00:2070::1.50982: Flags [.], seq 4179963946:4179965374, ack 3607979354, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758665 IP6 fc00:3002::8b5:40bf:a6f6:953a.dsmcc-config > fc00:2070::1.50982: Flags [.], seq 1428:2856, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758669 IP6 fc00:3002::8b5:40bf:a6f6:953a.dsmcc-config > fc00:2070::1.50982: Flags [P.], seq 2856:4096, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1240
12:31:19.758719 IP6 fc00:2070::1.50982 > fc00:3002::6043:5fe7:1996:290a.56399: Flags [.], ack 4179968042, win 489, options [nop,nop,TS val 1863243188 ecr 2734266745], length 0
12:31:19.758765 IP6 fc00:3002::1221:96fd:c5ce:25a6.22257 > fc00:2070::1.50982: Flags [.], seq 4179968042:4179969470, ack 3607979354, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758772 IP6 fc00:3002::1221:96fd:c5ce:25a6.22257 > fc00:2070::1.50982: Flags [.], seq 1428:2856, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758776 IP6 fc00:3002::1221:96fd:c5ce:25a6.22257 > fc00:2070::1.50982: Flags [.], seq 2856:4284, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758780 IP6 fc00:3002::1221:96fd:c5ce:25a6.22257 > fc00:2070::1.50982: Flags [.], seq 4284:5712, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758784 IP6 fc00:3002::1221:96fd:c5ce:25a6.22257 > fc00:2070::1.50982: Flags [P.], seq 5712:7140, ack 1, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1428
12:31:19.758799 IP6 fc00:3002::2a7a:3d0:da8f:ce8f.16022 > fc00:2070::1.50982: Flags [P.], seq 4179975182:4179976381, ack 3607979354, win 502, options [nop,nop,TS val 2734266745 ecr 1863243188], length 1199
12:31:19.758878 IP6 fc00:2070::1.50982 > fc00:3002::2f4f:9d48:d09d:5861.21844: Flags [.], ack 4179975182, win 474, options [nop,nop,TS val 1863243188 ecr 2734266745], length 0
12:31:19.758914 IP6 fc00:2070::1.50982 > fc00:3002::839f:461e:32c:52f6.65195: Flags [.], ack 4179976381, win 466, options [nop,nop,TS val 1863243188 ecr 2734266745], length 0
12:31:19.900520 IP6 fc00:2070::1.50982 > fc00:3002::3bdf:3c09:7638:9b43.47453: Flags [F.], seq 3607979354, ack 4179976381, win 501, options [nop,nop,TS val 1863243330 ecr 2734266745], length 0
12:31:19.900794 IP6 fc00:3002::c7b2:7ea6:4fb0:b528.dnx > fc00:2070::1.50982: Flags [F.], seq 4179976381, ack 3607979355, win 502, options [nop,nop,TS val 2734266887 ecr 1863243330], length 0
12:31:19.900891 IP6 fc00:2070::1.50982 > fc00:3002::3954:e728:1161:7d92.43101: Flags [.], ack 4179976382, win 501, options [nop,nop,TS val 1863243330 ecr 2734266887], length 0

What is its use?

Guess it.

More Repositories

1

hysteria

Hysteria is a powerful, lightning fast and censorship resistant proxy.
Go
13,219
star
2

OpenGFW

OpenGFW is a flexible, easy-to-use, open source implementation of GFW (Great Firewall of China) on Linux
Go
8,966
star
3

tcp-brutal

Shell
539
star
4

mwgp

Multiple WireGuard Proxy
Go
59
star
5

mpis

Multiprotocol IP Switching (MPIS)
C
13
star
6

hysteria-website

Python
9
star
7

apermon

apernet's sflow monitoring program
C
5
star
8

apernet-public-utils

Public apernet-utils repo.
Shell
4
star
9

hy_site

2
star
10

OpenGFW-website

2
star