Python iptables忽略scapy发送的包_Python_Linux_Iptables_Scapy

Python iptables忽略scapy发送的包

python linux

Python iptables忽略scapy发送的包,python,linux,iptables,scapy,Python,Linux,Iptables,Scapy,对于Scool的项目，我需要嗅探新tcp握手包的网络流量。我想为这个tcp连接自动创建一个新的iptables规则到docker容器中 #!/usr/bin/env python2 import subprocess from scapy.all import * def find_tcp_handshake(port, docker_ip): global SYN global ACK # sniff for new syn package and send the

对于Scool的项目，我需要嗅探新tcp握手包的网络流量。我想为这个tcp连接自动创建一个新的iptables规则到docker容器中

#!/usr/bin/env python2

import subprocess
from scapy.all import *

def find_tcp_handshake(port, docker_ip):
    global SYN
    global ACK
    # sniff for new syn package and send the package to function process_handshake()
    sniff(lfilter=lambda x: x.haslayer(TCP) and str(x[TCP].dport) == port and x[TCP].flags & SYN and not x[TCP].flags & ACK, prn = lambda x:     process_handshake(paket = x, port = port, docker_ip = docker_ip))

def process_handshake(paket, port, docker_ip):
    # get the four tcp parameter (destination an source - port and ip)
    destination_port = port
    source_ip = str(paket[IP].src)
    source_port = str(paket[TCP].sport)
    # add the iptables rule
    add_ipt_rule(destination_ip = docker_ip, destination_port = destination_port, source_ip = source_ip, source_port = source_port)
    # remove the ethernet layer (make sometimes problems)
    paket = paket[IP]
    # remove checksums (make sometimes problems)
    del paket[TCP].chksum
    del paket[IP].chksum
    # this package will not arrive the docker container
    send(paket)

# funktion to send commands to bash
def command (c):
    return subprocess.Popen(c.split(" "), stdout=subprocess.PIPE).stdout.read().rstrip()

# this rules are created from docker by default with the argument -p 80:80. I've added the source_ip and source_port part
def add_ipt_rule(destination_ip, destination_port, source_ip, source_port):
    command("iptables -I DOCKER -d " + destination_ip + "/32 -s " + source_ip + " ! -i docker0 -o docker0 -p tcp -m tcp --dport " + destination_port + " -j     ACCEPT")
    command("iptables -t nat -I POSTROUTING -s " + destination_ip + "/32 -d " + destination_ip + "/32 -p tcp -m tcp --dport " + destination_port + " -j     MASQUERADE")
    command("iptables -t nat -I DOCKER ! -i docker0 -p tcp -m tcp -s " + source_ip + " --sport " + source_port + " --dport " + destination_port + " -j     DNAT --to-destination " + destination_ip + ":" + destination_port)

# my original script creates docker container itself and manage these in a sqlite database
def main():
    docker_ip = "127.17.0.2"
    port = "80"
    find_tcp_handshake(port = port, docker_ip = docker_ip)


# TCP-Flags for sniff rule (not all in use)
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20
ECE = 0x40
CWR = 0x80

if __name__ == "__main__":
    main()

嗅探正在工作，iptables命令正在工作

问题是当我用scapy重新发送包时。应将其转发至docker容器。但是这个包从来没有达到iptables规则。当我从客户端重新发送包时，规则正在运行

scapy上是否有将包发送到iptables的方法？

scapy以低级别发送包，netfilter看不到这些包。如果要发送netfilter看到的数据包，可以从另一台计算机发送，也可以使用常规的

socket

API让主机的IP堆栈为您发送数据包