#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/inet.h>
#include <linux/ip.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/string.h>
#include <linux/tcp.h>
/* Hook registration table: one nf_hook_ops per rule. The entries are filled
 * in and registered by setFilter() and unregistered by remFilter(). */
static struct nf_hook_ops nfho[5]; // 5 because 5 total rules (telnetFilter1..5)
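/* Check if destination IP equals given IP.
 *
 * @iph:     IPv4 header of the packet under inspection.
 * @ip_addr: well-formed dotted-quad IPv4 string such as "10.0.2.4".
 *
 * Returns 1 when iph->daddr equals the parsed address, 0 otherwise.
 *
 * in_aton() returns the address in network byte order, which is the byte
 * order iph->daddr is stored in, so a direct integer compare is enough.
 * This replaces formatting the address with "%pI4" and strcmp()ing it for
 * every packet on the hook path; the callers only pass string literals.
 */
int eq_daddr(const struct iphdr *iph, const char *ip_addr)
{
	return iph->daddr == in_aton(ip_addr);
}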
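/* Check if source IP equals given IP.
 *
 * @iph:     IPv4 header of the packet under inspection.
 * @ip_addr: well-formed dotted-quad IPv4 string such as "10.0.2.5".
 *
 * Returns 1 when iph->saddr equals the parsed address, 0 otherwise.
 *
 * Same approach as eq_daddr(): in_aton() yields network byte order, matching
 * iph->saddr, so no per-packet string formatting or comparison is needed.
 */
int eq_saddr(const struct iphdr *iph, const char *ip_addr)
{
	return iph->saddr == in_aton(ip_addr);
}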
/* First hook function (registered at NF_INET_LOCAL_OUT in setFilter()):
 * drop telnet (TCP/23) sent from Machine A (10.0.2.5) to Machine B
 * (10.0.2.4). Every other packet is accepted unchanged.
 *
 * @priv:  unused.
 * @skb:   the outgoing packet.
 * @state: unused.
 *
 * Returns NF_DROP for a matching packet, NF_ACCEPT otherwise.
 */
unsigned int telnetFilter1(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
	struct iphdr *iph = ip_hdr(skb);
	/* The transport header follows the IPv4 header; ihl counts 32-bit words. */
	struct tcphdr *tcph = (void *)iph + iph->ihl * 4;

	/* Guard clauses in the same order as the original conjunction, so the
	 * TCP port field is only read once the packet is known to be TCP. */
	if (iph->protocol != IPPROTO_TCP)
		return NF_ACCEPT;
	if (tcph->dest != htons(23))
		return NF_ACCEPT;
	if (!eq_daddr(iph, "10.0.2.4"))
		return NF_ACCEPT;
	if (!eq_saddr(iph, "10.0.2.5"))
		return NF_ACCEPT;

	printk(KERN_INFO "Drop telnet from %pI4 packet to %pI4\n", &iph->saddr, &iph->daddr);
	return NF_DROP;
}
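/* Second hook function (registered at NF_INET_LOCAL_IN in setFilter()):
 * drop telnet (TCP/23) arriving from Machine B (10.0.2.4) for Machine A
 * (10.0.2.5). Every other packet is accepted unchanged.
 *
 * @priv:  unused.
 * @skb:   the inbound packet.
 * @state: unused.
 *
 * Returns NF_DROP for a matching packet, NF_ACCEPT otherwise.
 *
 * Packets reaching this hook come off the wire, so the drop message is rate
 * limited: with a plain printk() a peer replaying matching segments could
 * fill the kernel log at line rate.
 *
 * NOTE(review): tcph is reached by pointer arithmetic with no check that the
 * TCP header lies within the linear skb data; a bounded copy through
 * skb_header_pointer() would be the safer idiom for inbound traffic — confirm.
 */
unsigned int telnetFilter2(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
	struct iphdr *iph = ip_hdr(skb);
	struct tcphdr *tcph;

	/* Only interpret the transport header as TCP once the protocol says so. */
	if (iph->protocol != IPPROTO_TCP)
		return NF_ACCEPT;

	tcph = (void *)iph + iph->ihl * 4;
	if (tcph->dest != htons(23))
		return NF_ACCEPT;
	if (!eq_daddr(iph, "10.0.2.5") || !eq_saddr(iph, "10.0.2.4"))
		return NF_ACCEPT;

	printk_ratelimited(KERN_INFO "Drop telnet from %pI4 packet to %pI4\n", &iph->saddr, &iph->daddr);
	return NF_DROP;
}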
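/* Third hook function (registered at NF_INET_LOCAL_OUT in setFilter()):
 * drop HTTP/HTTPS (TCP/80, TCP/443) sent from Machine A (10.0.2.5) to
 * www.cse.uconn.edu (137.99.165.110). Every other packet is accepted.
 *
 * @priv:  unused.
 * @skb:   the outgoing packet.
 * @state: unused.
 *
 * Returns NF_DROP for a matching packet, NF_ACCEPT otherwise.
 *
 * Unlike telnetFilter1/2, the original condition never confirmed the packet
 * is TCP before reading tcph->dest, so a UDP or ICMP datagram whose bytes at
 * that offset happened to equal 80 or 443 would have been dropped. The
 * protocol test now comes first, consistent with the other hooks.
 */
unsigned int telnetFilter3(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
	struct iphdr *iph = ip_hdr(skb);
	struct tcphdr *tcph;

	if (iph->protocol != IPPROTO_TCP)
		return NF_ACCEPT;

	tcph = (void *)iph + iph->ihl * 4;
	if (tcph->dest != htons(80) && tcph->dest != htons(443))
		return NF_ACCEPT;
	/* www.cse.uconn.edu IP = 137.99.165.110 */
	if (!eq_daddr(iph, "137.99.165.110") || !eq_saddr(iph, "10.0.2.5"))
		return NF_ACCEPT;

	printk(KERN_INFO "Drop http/https from %pI4 packet to %pI4\n", &iph->saddr, &iph->daddr);
	return NF_DROP;
}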
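/* Fourth hook function (registered at NF_INET_LOCAL_OUT in setFilter()):
 * drop HTTP/HTTPS (TCP/80, TCP/443) sent from Machine A (10.0.2.5) to
 * Ryan's PC (192.168.56.1). Every other packet is accepted.
 *
 * @priv:  unused.
 * @skb:   the outgoing packet.
 * @state: unused.
 *
 * Returns NF_DROP for a matching packet, NF_ACCEPT otherwise.
 *
 * The original header comment said "telnet", but the port test and the log
 * message both match HTTP/HTTPS; the code is documented as it behaves —
 * TODO confirm which was intended.
 *
 * As with telnetFilter3, the packet is now checked to be TCP before the
 * transport header is interpreted as a TCP header, matching telnetFilter1/2.
 */
unsigned int telnetFilter4(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
	struct iphdr *iph = ip_hdr(skb);
	struct tcphdr *tcph;

	if (iph->protocol != IPPROTO_TCP)
		return NF_ACCEPT;

	tcph = (void *)iph + iph->ihl * 4;
	if (tcph->dest != htons(80) && tcph->dest != htons(443))
		return NF_ACCEPT;
	/* Ryan's PC IP = 192.168.56.1 */
	if (!eq_daddr(iph, "192.168.56.1") || !eq_saddr(iph, "10.0.2.5"))
		return NF_ACCEPT;

	printk(KERN_INFO "Drop http/https from %pI4 packet to %pI4\n", &iph->saddr, &iph->daddr);
	return NF_DROP;
}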
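/* Fifth hook function (registered at NF_INET_LOCAL_IN in setFilter()):
 * drop HTTP/HTTPS (TCP/80, TCP/443) arriving from Ryan's PC (192.168.56.1)
 * for Machine A (10.0.2.5). Every other packet is accepted.
 *
 * @priv:  unused.
 * @skb:   the inbound packet.
 * @state: unused.
 *
 * Returns NF_DROP for a matching packet, NF_ACCEPT otherwise.
 *
 * The original header comment said "telnet", but the port test and the log
 * message both match HTTP/HTTPS; the code is documented as it behaves —
 * TODO confirm which was intended.
 *
 * Two changes relative to the original: the packet is checked to be TCP
 * before tcph->dest is read (consistent with telnetFilter1/2), and the drop
 * message is rate limited because this hook sees traffic from the network
 * and an unbounded printk() per matching packet is a log-flooding vector.
 *
 * NOTE(review): tcph is reached by pointer arithmetic with no check that the
 * TCP header lies within the linear skb data; a bounded copy through
 * skb_header_pointer() would be the safer idiom for inbound traffic — confirm.
 */
unsigned int telnetFilter5(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
	struct iphdr *iph = ip_hdr(skb);
	struct tcphdr *tcph;

	if (iph->protocol != IPPROTO_TCP)
		return NF_ACCEPT;

	tcph = (void *)iph + iph->ihl * 4;
	if (tcph->dest != htons(80) && tcph->dest != htons(443))
		return NF_ACCEPT;
	/* Ryan's PC IP = 192.168.56.1 */
	if (!eq_daddr(iph, "10.0.2.5") || !eq_saddr(iph, "192.168.56.1"))
		return NF_ACCEPT;

	printk_ratelimited(KERN_INFO "Drop http/https from %pI4 packet to %pI4\n", &iph->saddr, &iph->daddr);
	return NF_DROP;
}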
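/* Initialization routine: fill in and register the five hook structures.
 *
 * Returns 0 on success, or the negative error from nf_register_hook() if
 * any registration fails. The original ignored that return value and
 * always reported 0, so a partial failure left the module loaded with only
 * some rules active; now every hook registered so far is unregistered
 * again before the error is returned.
 *
 * nf_register_hook()/nf_unregister_hook() are the namespace-less API used
 * throughout this file; newer kernels replaced them with the
 * nf_register_net_hook() family, which is left for a separate change.
 */
int setFilter(void)
{
	size_t i;
	int err = 0;

	nfho[0] = (struct nf_hook_ops){.hook=telnetFilter1, .hooknum=NF_INET_LOCAL_OUT, .pf=PF_INET, .priority=NF_IP_PRI_FIRST};
	nfho[1] = (struct nf_hook_ops){.hook=telnetFilter2, .hooknum=NF_INET_LOCAL_IN, .pf=PF_INET, .priority=NF_IP_PRI_FIRST};
	nfho[2] = (struct nf_hook_ops){.hook=telnetFilter3, .hooknum=NF_INET_LOCAL_OUT, .pf=PF_INET, .priority=NF_IP_PRI_FIRST};
	nfho[3] = (struct nf_hook_ops){.hook=telnetFilter4, .hooknum=NF_INET_LOCAL_OUT, .pf=PF_INET, .priority=NF_IP_PRI_FIRST};
	nfho[4] = (struct nf_hook_ops){.hook=telnetFilter5, .hooknum=NF_INET_LOCAL_IN, .pf=PF_INET, .priority=NF_IP_PRI_FIRST};

	/* Bound the loop by the array itself rather than a repeated literal. */
	for (i = 0; i < sizeof nfho / sizeof nfho[0]; i++) {
		err = nf_register_hook(&nfho[i]);
		if (err < 0)
			goto unwind;
	}
	return 0;

unwind:
	/* i indexes the hook that failed; undo only the ones before it. */
	while (i-- > 0)
		nf_unregister_hook(&nfho[i]);
	return err;
}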
/* Cleanup routine: unregister every hook structure installed by setFilter(),
 * walking the table front to back exactly as registration did. */
void remFilter(void)
{
	struct nf_hook_ops *ops;
	struct nf_hook_ops *const end = nfho + sizeof nfho / sizeof nfho[0];

	for (ops = nfho; ops < end; ops++)
		nf_unregister_hook(ops);
}
/* Module entry points: setFilter() runs on load, remFilter() on unload. */
module_init(setFilter);
module_exit(remFilter);
/* Declares the module's license to the kernel. */
MODULE_LICENSE("GPL");