iptables/netfilter命令、实现及利用 (http://blog.csdn.net/sealyao/article/details/5934268)
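# Out-of-tree build of the nethook netfilter module against the headers of
# the running kernel. Build for another installed kernel with
#   make KVERSION=<version>
obj-m := nethook.o
KVERSION ?= $(shell uname -r)
KDIR := /lib/modules/$(KVERSION)/build

.PHONY: all clean

# $(MAKE) instead of a bare 'make' so the jobserver and flags such as -n/-k
# reach the kernel build; $(CURDIR) is maintained by make itself, whereas
# $(PWD) is only present when the invoking shell happened to export it.
all:
	$(MAKE) -C $(KDIR) M=$(CURDIR) modules

clean:
	$(MAKE) -C $(KDIR) M=$(CURDIR) clean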
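# Change it here or specify it on the "make" commandline
# Cross-build of the security_zd_dvr module for a 2.6 ARM target.
ARCH ?= arm
# Cross-compiler prefix
CROSS_COMPILE ?= /work/arm-gcc/arm-2009q1/bin/arm-none-linux-gnueabi-
# Kernel header tree to build against
KDIR ?= /work/Linux_headers_2.6.37_ShenZhenICI_20130628
# Where the built module is installed
PREFIX ?= /work/XiDian_Security_mods

obj-m += security_zd_dvr.o

# ARCH and CROSS_COMPILE are plain make variables here, and make does not
# hand those to a sub-make unless they are exported or given on its command
# line. Pass them explicitly, otherwise the kernel build silently targets
# the host architecture with the host compiler.
KBUILD = $(MAKE) -C $(KDIR) M=$(CURDIR) ARCH=$(ARCH) CROSS_COMPILE=$(CROSS_COMPILE)

.PHONY: kmods clean

# Install with mode 0644 rather than 777: a world-writable .ko lets any local
# user replace the object that is later loaded into the kernel.
kmods:
	$(KBUILD) modules
	install -d $(PREFIX)
	install -m 0644 *.ko $(PREFIX)/

clean:
	$(KBUILD) clean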
| //nethook.c | |
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/string.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>
/* The one hook registration of this module; filled in by init_nethook()
 * and unregistered again by exit_nethook(). */
static struct nf_hook_ops nfho;
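/*
 * Netfilter hook body: returns NF_DROP or NF_ACCEPT for one packet.
 *
 * Which test is active is chosen at build time with -D<name>:
 *   BASE_TEST - drop every packet that reaches the hook.
 *   INTF_TEST - drop packets that arrived on interface "eth0".
 *   ADDR_TEST - drop packets whose IPv4 source address is 10.8.80.108.
 *   PORT_TEST - drop TCP segments whose destination port is 25.
 * Anything not matched by the compiled-in test is accepted.
 *
 * The signature follows the 2.6-era nf_hookfn prototype, which passes the
 * packet as 'struct sk_buff **'.
 *
 * @hooknum: hook point the packet was seen at (unused)
 * @skb:     pointer to the skb pointer of the packet under inspection
 * @in:      ingress device; not every hook point guarantees it is non-NULL
 * @out:     egress device (unused)
 * @okfn:    continuation callback (unused)
 * Return: NF_ACCEPT or NF_DROP.
 */
unsigned int hook_func(unsigned int hooknum,
		       struct sk_buff **skb,
		       const struct net_device *in,
		       const struct net_device *out,
		       int (*okfn)(struct sk_buff *))
{
#ifdef BASE_TEST
	return NF_DROP;
#endif
#ifdef INTF_TEST
	/* Never dereference 'in' without checking it. */
	if (in && strcmp(in->name, "eth0") == 0)
		return NF_DROP;
#endif
#ifdef ADDR_TEST
	{
		/* 10.8.80.108 in network byte order. The original spelled the
		 * address as "/x0a/x08/x50/x6c" - forward slashes, so the
		 * literal held the text "/x0a" rather than the bytes, and the
		 * comparison could never match the intended host. */
		const __be32 drop_ip = htonl(0x0a08506cU);
		struct sk_buff *sk = *skb;

		if (sk && sk->nh.iph && sk->nh.iph->saddr == drop_ip)
			return NF_DROP;
	}
#endif
#ifdef PORT_TEST
	{
		const __be16 deny_port = htons(25);	/* SMTP */
		struct sk_buff *sk = *skb;	/* the original used skb-> on the double pointer */
		struct tcphdr *thead;
		unsigned int ihl_bytes;

		if (!sk || !sk->nh.iph)
			return NF_ACCEPT;
		if (sk->nh.iph->protocol != IPPROTO_TCP)
			return NF_ACCEPT;

		ihl_bytes = sk->nh.iph->ihl * 4;
		/* Reject bogus IP header lengths and make sure the TCP header is
		 * in the linear area before reading through it; an untrusted
		 * packet must not steer a read past the buffer. The length is
		 * taken before the pull because the pull may move the head. */
		if (ihl_bytes < sizeof(struct iphdr) ||
		    !pskb_may_pull(sk, ihl_bytes + sizeof(struct tcphdr)))
			return NF_ACCEPT;

		thead = (struct tcphdr *)(sk->data + ihl_bytes);
		if (thead->dest == deny_port)
			return NF_DROP;
	}
#endif
	return NF_ACCEPT;
}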
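/*
 * Module entry: register hook_func at the IPv4 PRE_ROUTING hook with the
 * highest priority, so it sees packets before any other hook there.
 *
 * Return: 0 on success, or the negative error from nf_register_hook(), in
 * which case the load is refused instead of leaving a module loaded whose
 * exit path would unregister a hook that was never registered.
 */
static int __init init_nethook(void)
{
	nfho.hook     = hook_func;
	nfho.hooknum  = NF_IP_PRE_ROUTING;
	nfho.pf       = PF_INET;
	nfho.priority = NF_IP_PRI_FIRST;
	/* Keeps the module pinned while the hook can still be called.
	 * NOTE(review): 'owner' appeared in nf_hook_ops during the 2.6 series;
	 * drop this line if the target headers predate it. */
	nfho.owner    = THIS_MODULE;

	return nf_register_hook(&nfho);
}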
/* Module exit: detach the hook so no further packets reach hook_func(). */
static void __exit exit_nethook(void)
{
	nf_unregister_hook(&nfho);
}
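module_init(init_nethook);
module_exit(exit_nethook);

/* Without a license tag the kernel marks itself tainted when the module is
 * loaded and, on newer kernels, withholds GPL-only exported symbols from it.
 * Adjust the string if the module is distributed under other terms. */
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Minimal netfilter PRE_ROUTING hook that drops selected packets");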