[QP] raw sockets & iptables

Posted: November 28, 2013 in general
Tags: , ,

Funny how sometimes you don’t realize stuff until you actually try to interact with it instead of just observing it. I’ve used tcpdump many times behind a normal iptables ruleset, I’ve also used ‘dhclient eth0’ a lot of times. None of those times though did I realize that dhclient uses raw sockets and that iptables is unable to block those connections. As far as I can tell and with some help from the #netfilter guys on freenode it seems you can’t block raw socket connections at the moment in an easy way. It’s not as bad as it sounds though since you either need root privileges or the CAP_NET_RAW capability to be able to use raw sockets.

If you want to see this for yourself do the following:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Now try to resolve something or connect to something:

DNS resolving
host http://www.google.com

;; connection timed out; no servers could be reached

TCP connect
nc -vv 80

nc: connect to port 80 (tcp) failed: Connection timed out

Now if you do this with raw sockets, using scapy for example:

DNS resolving
>>> a,u = sr(IP(dst=”″)/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname=”www.google.com”)))

Begin emission:
Finished to send 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
>>> print a.show()
0000 IP / UDP / DNS Qry “www.google.com” ==> IP / UDP / DNS Ans “”

TCP connect
>>> a,u = sr(IP(dst=”″)/TCP(sport=3445))
Begin emission:
Finished to send 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
>>> print a.show()
0000 IP / TCP > S ==> IP / TCP > SA / Padding

Like you can see the resolving works fine and the TCP connection attempt also works fine since we receive a SYN+ACK, this is all happing while we have our iptables policy on DROP. Fun stuff right?

In my opinion this doesn’t really have a lot of real world usage, even though some backdoors as referenced before in my post about connectionless backdoors use the raw socket sniffing method to activate themselves. It could come in handy though if you become root on a server with a strict firewall and you don’t want to alter the firewall, you could use raw sockets for sending and receiving to cut right through it.

If you are wondering QP stands for Quick Post.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s