
I am trying to demonstrate TCP communication with an Ubuntu 18.04 box (which mocks a QNX setup) that does not have a listener installed. Consider that due to some license issues it might not be possible to load and run a listener program any time soon either. Is it possible to use iptables to accept a connection from a client, receive incoming packets and send them back to the client?

If yes, what are the commands? I want to use netcat to demonstrate sending and receiving of messages.

I have tried the following commands from this link.

echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.conf.ens4.route_localnet=1
sudo iptables -A FORWARD -i ens4 -o ens4 -m state --state RELATED,ESTABLISHED -j ACCEPT

I have also tried the commands below from another StackOverflow question.

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <IP>:80
sudo iptables -t nat -I OUTPUT -p tcp --dport 80 -j DNAT --to-destination <IP>:80

But netcat exits immediately. I'm not sure whether it even attempted a connection.

netcat <IP> 80

Other ideas than iptables are also welcome.

  • Well, if you send an actual TCP segment you have received back exactly as is, it will not be accepted as part of the connection due to the SYN values not matching up. The data would need to be repackaged into a new segment that is valid for the connection. Commented May 9, 2023 at 16:32
  • You can install a listener. Commented May 9, 2023 at 16:48
  • @user253751 I don't have access to do so; that is the challenge.
    – kingvittu
    Commented May 9, 2023 at 16:56
  • @FrankThomas Is that possible with iptables? If so, can you please add the steps as an answer?
    – kingvittu
    Commented May 9, 2023 at 16:57
  • @kingvittu Is this like a hacking challenge where the goal is to make something happen with only limited access? Or why can't you do it? Commented May 10, 2023 at 5:37

1 Answer

For simple demos, it might be easier to also forward traffic using ncat, like in the answer here. Basically just use ncat as your listener, then launch another ncat to resend any data back to your client. (Make sure your client is also listening for this data on whatever port you choose)

# listen on the host (10.0.0.1:80); for each accepted connection, pipe the received data to the client's own listener at 10.0.0.2:80
ncat -l 10.0.0.1 80 --sh-exec "ncat 10.0.0.2 80"

This is good enough to see your own sent traffic, but only works in one direction. If you need to see something with back-and-forth like web traffic, then you probably want something more advanced like the iptables routing you tried.

The DNAT in your rules stands for destination network address translation, and it only remaps the destination IP of packets. Since your planned source and destination are the same IP, you also need an SNAT rule to remap the source IP address:

# DNAT: traffic arriving for $HOST_IP:8000 gets its destination rewritten to $CLIENT_IP (the port stays 8000)
iptables -t nat -A PREROUTING  -p tcp --dst $HOST_IP   --dport 8000 -j DNAT --to-destination $CLIENT_IP
# SNAT: rewrite the source so the client sees the bounced connection coming from $HOST_IP, not from itself
iptables -t nat -A POSTROUTING -p tcp --dst $CLIENT_IP --dport 8000 -j SNAT --to-source $HOST_IP

I found a couple of good writeups on this:


Example test case on client:

# listen on port 8000 in background
nc -l 8000 > nc.out &
# verify netcat is listening on client
netstat -ln | grep 8000

# send some data to server via netcat, and you should see job finish if server forwarded successfully
echo hello world | nc 10.0.0.1 8000
[1]+  Done                    nc -l 8000 > nc.out

# and you should see your data captured
cat nc.out
hello world

Depending on your distro, you might not be able to listen on protected ports like 80 (SELinux may block it, for example). Make sure you've enabled IP forwarding, as it's usually off by default:

# check current status
sysctl net.ipv4.ip_forward
  • Actually the actual machine would be a QNX machine. I have updated the question. So netcat or any other regular method is not possible as of now. We don't have a license to compile any program yet, and Python is also not available, which limits us from putting any listener in place. The firewall commands I will try and let you know soon.
    – kingvittu
    Commented May 9, 2023 at 17:11
  • The iptables command you gave didn't work for me
    – kingvittu
    Commented May 9, 2023 at 18:15
  • @kingvittu what did you try that didn't work? I've added an example to test out
    – Cpt.Whale
    Commented May 9, 2023 at 21:01
  • In the above example, does the server also run on the client machine, with the host machine used as a via path? If so, how do I check if the packets were indeed received in the host?
    – kingvittu
    Commented May 11, 2023 at 12:50
  • @kingvittu all of the netcat stuff is run on the client. Only the iptables and ip_forward commands would be done on the host/server. If you want to see whether the server is receiving packets, you can use iptables -vL to list the stats on each rule (to see if the redirect rules are getting used). Otherwise it's probably a job for tcpdump
    – Cpt.Whale
    Commented May 11, 2023 at 15:21
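The rules above and the "check the counters with iptables -vL" hint from the comments, put together as one script. This is an added example, not code from the answer or the question: it emits the reflect rule set for the host and parses the nat-table counters to confirm the DNAT rule is matching. Two things are added to the answer's two rules. The rules are scoped with `-s $CLIENT_IP` and `-i $IFACE`, because an unscoped DNAT on the host's address lets any peer that can reach the host bounce traffic into the client. A FORWARD accept rule is included, because after DNAT the packet is forwarded rather than delivered locally, and the first packet of each connection is conntrack state NEW, so a FORWARD rule that only accepts RELATED,ESTABLISHED (as in the question) will not pass it when the chain policy is DROP. The IPs, port and interface name are placeholders passed as arguments, and the counter listing used for the parser is constructed to look like `iptables -t nat -vnL PREROUTING` output after one test run.

```shell
#!/bin/sh
# Added example (not from the original answer). Builds the reflect rule set
# for a host with no listener and parses nat-table counters to show whether
# the DNAT rule ever matched. Addresses, port and interface are placeholders;
# SAMPLE_NAT below is constructed, not captured from a real box.

# Print the commands that bounce TCP traffic from CLIENT_IP to HOST_IP:PORT
# straight back to CLIENT_IP:PORT. Review the output, then pipe it to
# `sudo sh` on the host. Everything is restricted to the client's own
# traffic on one interface; without -s/-i the host becomes a relay that any
# peer could use to reach the client's listener.
reflect_rules() {
    host_ip=$1; client_ip=$2; port=$3; iface=${4:-ens4}
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $iface -s $client_ip -d $host_ip -p tcp --dport $port -j DNAT --to-destination $client_ip
iptables -t nat -A POSTROUTING -o $iface -s $client_ip -d $client_ip -p tcp --dport $port -j SNAT --to-source $host_ip
iptables -A FORWARD -i $iface -o $iface -s $client_ip -d $client_ip -p tcp -j ACCEPT
EOF
}
# Notes on the FORWARD rule: in that chain the packet has already been
# DNATed (src=client, dst=client) but not yet SNATed, and the reply comes
# back through FORWARD with the SNAT undone (again src=client, dst=client),
# so one -s/-d client rule covers both directions. The first packet is
# conntrack state NEW, which a RELATED,ESTABLISHED-only rule would not match.

# Read `iptables -t nat -vnL PREROUTING` on stdin and print the packet
# counter of the first DNAT rule. 0 means the reflect rule never matched,
# which usually points at ip_forward being off, a wrong -i interface name
# or the client connecting to a different port than the rule's --dport.
dnat_hits() {
    awk '$3 == "DNAT" { print $1; found = 1; exit } END { if (!found) print 0 }'
}

# Constructed sample of the counter listing after one `nc` test run.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNAT       tcp  --  ens4   *       10.0.0.2             10.0.0.1             tcp dpt:8000 to:10.0.0.2'

# Stand-alone demo: show the rules, then check the constructed counters.
reflect_rules 10.0.0.1 10.0.0.2 8000 ens4
printf '%s\n' "$SAMPLE_NAT" | dnat_hits    # prints 3
```

On the host, apply with `reflect_rules 10.0.0.1 10.0.0.2 8000 ens4 | sudo sh`, run the `nc -l 8000` / `echo hello world | nc 10.0.0.1 8000` test from the answer on the client, then run `sudo iptables -t nat -vnL PREROUTING | dnat_hits` on the host: a non-zero count proves the host received and rewrote the client's SYN even though nothing on the host is listening; if the client still sees nothing, the problem is in the reverse path (FORWARD policy or SNAT), which `sudo iptables -vnL FORWARD` will show.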
