Awesome
docker-nfqueue-scapy
Docker container with an example python script to listen for packets on
a netfilter queue and manipulate them with scapy. You can listen on any queue number, and you can push packets into the queue from any iptables rule.
This container gives you a powerful prototyping and debugging tool for monitoring, manipulating, dropping, accepting, requeing, or forwarding network packets in python.
You can read from a queue on the host with --net=host --cap-add=NET_ADMIN
.
Or, you can run it within another container's namespace to listen
for packets on an nfqueue in that container's network namespace.
This container includes a full installation of scapy and python netfilter queue
(nfqueue) bindings, and an example python script nfqueue_listener.py
to
print incoming packets on the queue.
scapy: https://github.com/secdev/scapy python-netfilterqueue: https://github.com/kti/python-netfilterqueue
How to use
Clone this repository
git clone git@github.com:milesrichardson/docker-nfqueue-scapy.git
Build the docker container. This will take a while because it includes the
full scapy install and all its dependencies. You can use any tag you want, but
as an example here I'm using nfqueuelistener
cd docker-nfqueue-scapy
sudo docker build . -t nfqueuelistener
(Example)
Use iptables
on the host to send TCP packets destined for port 9001
to nfqueue 1
:
sudo iptables -t raw \
-A PREROUTING \
-p tcp --destination-port 9001 \
-j NFQUEUE --queue-num 1
Run the docker container to listen for packets and print then accept any received packets.
sudo docker run -it --rm \
--cap-add=NET_ADMIN \
--net=host \
--name=nfqueuelistener nfqueuelistener
From another machine, send some packets to test:
echo "Hello" | nc -v $HOST_IP_ADDRESS 9001
You should see something like this:
miles@box:~/testing$ sudo docker run -it --rm --cap-add=NET_ADMIN --net=host --name=nfqueuelistener nfqueuelistener
Listening on NFQUEUE queue-num 1...
<IP version=4L ihl=5L tos=0x0 len=64 id=6387 flags=DF frag=0L ttl=55 proto=tcp chksum=0x6850 src=11.22.33.44 dst=44.55.66.77 options=[] |<TCP sport=58164 dport=9001 seq=4038873318 ack=0 dataofs=11L reserved=0L flags=S window=65535 chksum=0x67be urgptr=0 options=[('MSS', 1452), ('NOP', None), ('WScale', 5), ('NOP', None), ('NOP', None), ('Timestamp', (2615879909, 0)), ('SAckOK', ''), ('EOL', None)] |>>
Setting the queue number
The default queue number is 1
. You can override this by setting the environment variable
QUEUE_NUM
when running the container. For example, for queue 2
:
sudo docker run -it --rm \
-e 'QUEUE_NUM=2' \
--cap-add=NET_ADMIN \
--net=host \
--name=nfqueuelistener nfqueuelistener
Editing the nfqueue_listener.py
file
One way to edit the nfqueue_listener.py
file is to simply edit it and then rebuild
the container with sudo docker build . -t nfqueuelistener
. Since you are only
editing the python file, building will not take as long as the first build.
You can find the documentation for the nfqueue library used at https://github.com/kti/python-netfilterqueue
Listening in another container's namespace
I have not tested this, but it should work.
Say you have another container $CONTAINER_ID
and you want to intercept incoming
packets in its namespace. You can run this docker container like:
sudo docker run -it --rm \
--net=container:$CONTAINER_ID \
--name=nfqueuelistener nfqueuelistener
Note that you will need to run your iptables
rules to send packets to the queue
from within the $CONTAINER_ID
container.
Other notes
scapy is hardcoded version 2.3.2
because there is a bug in 2.3.3
causing
scapy to fail on openstack deployments. The bug is actually upstream in openstack,
and has been fixed, but this caused problems for me testing on packet.net where
they have apparently not updated openstack yet.