NFQueue traffic manipulation

Transparently intercept network traffic using the iptables NFQUEUE target. Payloads can be rewritten and re-injected on the fly based on simple string matches.

nfmod can transparently intercept and manipulate network traffic using the iptables NFQUEUE target. Payloads can be rewritten and re-injected on-the-fly by simple string matches, yielding various possibilities for transparent protocol patching.

Besides an extensible module framework for registering operations other than string replacement, its technical features currently comprise TCP/IPv4 header parsing, basic TCP stream handling, seamless reconfiguration via signals, and chroot'ing with capabilities handling. Because traffic redirection is left to firewall rules, the connections to be handled can be preselected at will.

Rewrite network traffic: Usage example

Assume you want to destroy all your HTTP requests to 1.2.3.4. You choose queue number 0 and perform a string replacement, so that your ruleset configuration file ruleset.conf looks like:

0<tab>str<tab>GET <tab>XXX <eol>

Note that a literal tab separates the fields and a literal newline terminates the rule. Both strings include their trailing space and have the same length, so the rewritten TCP segment keeps its original size.

+------------+   GET / HTTP/1.1    +----------+             +---------+
| User-Agent | ------------------> | iptables |        +--->| 1.2.3.4 |
+------------+                     +---+------+        |    +---------+
                                       | NFQUEUE 0     | Accept:       
                                       |    +-------+  | XXX / HTTP/1.1
                                       +--->| nfmod |--+               
                                            +-------+                  
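To make concrete what the str module has to do with each queued packet, here is an added, self-contained Python example. It is not nfmod's own code (nfmod is a C program whose internals are not shown on this page); it parses the ruleset line format shown above, locates the TCP payload inside an IPv4 packet, applies the equal-length replacement, and recomputes the TCP and IP checksums, which is the minimum that must happen before a rewritten packet can be handed back with an accept verdict. The packet is constructed inline and no NFQUEUE binding is involved, so it runs offline; all function names are this example's own.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ruleset(text: str) -> dict:
    """Parse lines of the form queue<tab>module<tab>search<tab>replace<newline>.
    Only the 'str' module is understood here; returns {queue: [(search, replace), ...]}."""
    rules = {}
    for line in text.split("\n"):
        if not line:
            continue
        queue, module, *args = line.split("\t")
        if module != "str" or len(args) != 2:
            raise ValueError("unsupported rule: %r" % line)
        rules.setdefault(int(queue), []).append((args[0].encode(), args[1].encode()))
    return rules


def rewrite_tcp_packet(pkt: bytes, rules) -> bytes:
    """Apply (search, replace) pairs to the TCP payload of one IPv4 packet and
    fix both checksums. Non-TCP packets and packets without a match are returned as-is."""
    if pkt[0] >> 4 != 4:
        return pkt
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or total_len > len(pkt):
        return pkt
    pkt = pkt[:total_len]                      # drop any link-layer padding
    data_off = (pkt[ihl + 12] >> 4) * 4        # TCP header length
    payload_off = ihl + data_off
    payload = pkt[payload_off:]
    new_payload = payload
    for search, replace in rules:
        new_payload = new_payload.replace(search, replace)
    if new_payload == payload:
        return pkt
    # A length change would also require updating the IP total length and shifting the
    # sequence numbers of every later segment in the stream; this example does not do that.
    if len(new_payload) != len(payload):
        raise ValueError("length-changing replacement needs TCP sequence tracking")
    ip_hdr = bytearray(pkt[:ihl])
    tcp_seg = bytearray(pkt[ihl:payload_off]) + new_payload
    tcp_seg[16:18] = b"\x00\x00"               # TCP checksum covers pseudo-header + segment
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp_seg))
    tcp_seg[16:18] = struct.pack("!H", checksum(bytes(pseudo + tcp_seg)))
    ip_hdr[10:12] = b"\x00\x00"                # IP header unchanged, recomputed for completeness
    ip_hdr[10:12] = struct.pack("!H", checksum(bytes(ip_hdr)))
    return bytes(ip_hdr + tcp_seg)


def checksums_ok(pkt: bytes) -> bool:
    """True if both the IP header and TCP checksums verify (sum over the data yields 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        return False
    tcp = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp) == 0


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet (PSH|ACK) with valid checksums.
    This is constructed test input, not captured traffic."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(bytes(pseudo + tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_b, dst_b))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip + tcp)


if __name__ == "__main__":
    rules = parse_ruleset("0\tstr\tGET \tXXX \n")
    request = build_tcp_packet("10.0.0.1", "1.2.3.4", 40000, 80, b"GET / HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n")
    rewritten = rewrite_tcp_packet(request, rules[0])
    print(rewritten[40:].decode(), checksums_ok(rewritten))
```

Without the checksum fix, the re-injected segment would be discarded by the receiver, which is the usual reason a first attempt at NFQUEUE rewriting "silently" does nothing. The equal-length restriction is a deliberate choice in this example: once the replacement changes the segment size, every following segment's sequence and acknowledgement numbers have to be translated in both directions, which is the stream-handling part of the problem.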

For queue 0, the str module is then used; it takes a search string and a replacement string as arguments. The general usage is:

nfmod <chroot-dir> <username> <ruleset>

In our example this could be sudo ./nfmod . nobody ruleset.conf (started as root, with . as the chroot directory and nobody as the user to run as). Afterwards, enable traffic redirection with something like:

iptables -A OUTPUT -p tcp -d 1.2.3.4 --dport 80 -j NFQUEUE --queue-num 0

SIGINT (Ctrl-C) or SIGTERM stops nfmod; remove the firewall rule first, since packets sent to a queue that no process is listening on are dropped by default. SIGHUP causes the ruleset to be re-read at any time.

Type make to build. Linking requires -lnetfilter_queue (headers e.g. from the libnetfilter-queue-dev package or similar) and, optionally, -lcap.

Code & Download