LinuxQuestions.org
Old 08-18-2009, 11:15 AM   #1
arafat.sultan
LQ Newbie
 
Registered: Aug 2009
Posts: 5

developing a firewall


Hi,

I am new to Linux but have some C coding skills. I am using Fedora Core 11 (2.6.29.6-217.2.7.fc11.x86_64). What I want to develop is a firewall, but with some other capabilities.

Here is what I want to do:
1. I want to catch all HTTP, IRC and P2P traffic.
2. I want to be able to dump all outgoing and incoming packets (in a file) for these protocols in each communication session as a separate group of packets for later analysis.
3. I want to inspect contents of each incoming and outgoing packet online and based on that, decide whether to allow that packet to continue or drop it and also dump it in a file.

I am not sure but I think adding a netfilter module is probably one way to do this. I am wondering if there are other better and easier ways.

Before starting the coding, I want to be sure I am doing it in the right way. So, please suggest some way. I also don't know whether or not I am reinventing the wheel. In that case, can anyone please point me to the resources?

Thanks in advance.

- Arafat
 
Old 08-18-2009, 03:27 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Netfilter is one of the things you will definitely use. Remember, however, that it is important for the code of your module to be simple and fast. Overly complicated code can easily slow down the machine. Another question is how you'd decide whether a packet is P2P, for instance, or not. This is not trivial. Usually you need to examine content, and sometimes also rebuild the transactions, so you (and your software) need to understand the protocols.

Instead, you may do it in userspace (all except point 3) by using the pcap library. You should also think about whether it is better to drop the connection immediately in the kernel module, or to allow the packet to pass, process it in userspace and decide to blacklist the flow. The decision depends on many factors.
 
Old 08-18-2009, 03:33 PM   #3
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Quote (Originally Posted by arafat.sultan):
What I want to develop is a firewall...
I don't think that you do. Or, at least, to do what you want to do, in as much as I understand it, you shouldn't. You might still want to in spite of it not being a particularly useful way to make progress, but, in that case, I don't think I can help.


Quote:
1. I want to catch all HTTP, IRC and P2P traffic.
Up to a point, doing that with a firewall isn't too bad, but it's an extra few rules for the existing netfilter/iptables firewall. Read the tutorial at frozentux if that's still of interest. (I assume that, e.g., HTTP traffic can be relied on to come in on the standard ports for HTTP traffic. If you think that the problem is that someone is managing to divert HTTP traffic around the normal mechanism, that makes things more fun.)

Quote:
2. I want to be able to dump all outgoing and incoming packets (in a file) for these protocols in each communication session as a separate group of packets for later analysis.
You could do that, but the performance would be terrible. Put another way, it will only be practical if the data rate is low. OTOH, if you are prepared to capture packets with wireshark (or other similar util) this is more possible because you don't save packets to disk at capture time, although you may do that later. And it may entail some sampling rather than 100% capture, depending on whether you can define useful filters.

Quote:
3. I want to inspect contents of each incoming and outgoing packet online and based on that, decide whether to allow that packet to continue or drop it and also dump it in a file.
If I have understood (by 'online' do you mean something like 'in real time'?) this starts to get difficult however you do it. I am imagining you sat at a console watching traffic and deciding what action to take as packets fly past you.

(Or when you say 'I' do you mean 'the computer based on some algorithm'?)

If you are trying to do something like watch the packets, occasionally see accesses to a bad site and take action on that, you could consider setting up a firewall (or squid... there are advantages to that) which takes in a blacklist of your bad sites, and you could occasionally add to your blacklist; that would be easier.

So the first thing to decide is whether this 'blacklist method' would be adequate for your needs.
 
Old 08-18-2009, 06:40 PM   #4
hkhalid
LQ Newbie
 
Registered: Aug 2009
Posts: 4

Hi,
As said above, in order to code point 1 of your post, you should understand the protocols.
Concerning inspecting packet contents, you can do it in userspace mode.
If you want to inspect technical information (ip addresses, protocols...) then use the libiptc library.
If you want to inspect data contained in the packets, then use the libpcap library.
Personally, I've never used libpcap. I've just read some tutorials, but it seems to be a good tool.
Concerning libiptc, I've used it to develop a packet filter. It allows you to use the C language to manage iptables rules.
Good luck.
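The two classification approaches the replies contrast (salasi's "rely on the standard ports" versus Mara's "examine content"), with point 3 of the question done as salasi's blacklist, as an added userspace sketch that is not code from this thread. It assumes the packet is a raw IPv4/TCP buffer already in hand (from libpcap or a hook; neither is used here) and constructs its own sample packets:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1 };  enum { HTTP_BY_PORT = 1, HTTP_BY_CONTENT = 2 };
static uint8_t g_pkt[512];   /* scratch buffer filled by sample() */

/* Constructed test input: a minimal IPv4+TCP packet (no options, no checksums) in g_pkt. */
size_t sample(uint16_t sport, uint16_t dport, const char *payload) {
    size_t plen = strlen(payload);
    if (plen > sizeof g_pkt - 40) plen = sizeof g_pkt - 40;
    memset(g_pkt, 0, 40);
    g_pkt[0] = 0x45;  g_pkt[9] = 6;  g_pkt[32] = 0x50;  /* IPv4 IHL 5, proto TCP, doff 5 */
    g_pkt[20] = (uint8_t)(sport >> 8); g_pkt[21] = (uint8_t)sport;
    g_pkt[22] = (uint8_t)(dport >> 8); g_pkt[23] = (uint8_t)dport;
    memcpy(g_pkt + 40, payload, plen);
    return 40 + plen;
}

/* Locate the TCP data, checking every length field before use (a hook sees arbitrary
 * input). Returns the data length, or -1 if the packet is not well-formed IPv4/TCP. */
static long tcp_data(const uint8_t *pkt, size_t len, const uint8_t **data) {
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return -1;
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
    if (doff < 20 || len < ihl + doff) return -1;
    *data = pkt + ihl + doff;
    return (long)(len - ihl - doff);
}

/* HTTP by port (salasi's assumption) or by payload prefix (Mara's "examine content")? Bits, 0, or -1. */
int classify(const uint8_t *pkt, size_t len) {
    const uint8_t *d;  long n = tcp_data(pkt, len, &d);  if (n < 0) return -1;
    const uint8_t *tcp = pkt + (pkt[0] & 0x0f) * 4;
    int r = ((tcp[0] << 8 | tcp[1]) == 80 || (tcp[2] << 8 | tcp[3]) == 80) ? HTTP_BY_PORT : 0;
    static const char *const pfx[] = { "GET ", "POST ", "HEAD ", "HTTP/" };
    for (size_t i = 0; i < 4; i++)
        if ((size_t)n >= strlen(pfx[i]) && memcmp(d, pfx[i], strlen(pfx[i])) == 0) r |= HTTP_BY_CONTENT;
    return r;
}

/* Point 3 as salasi's blacklist: drop an HTTP request whose Host header names blocked_host. */
enum verdict decide(const uint8_t *pkt, size_t len, const char *blocked_host) {
    const uint8_t *d;  char hdr[128];  long n = tcp_data(pkt, len, &d);
    int h = snprintf(hdr, sizeof hdr, "\r\nHost: %s\r\n", blocked_host);   /* exact header line */
    if (n < 0 || classify(pkt, len) <= 0 || h <= 0 || (size_t)h >= sizeof hdr) return VERDICT_ACCEPT;
    for (size_t i = 0; i + (size_t)h <= (size_t)n; i++)
        if (memcmp(d + i, hdr, (size_t)h) == 0) return VERDICT_DROP;
    return VERDICT_ACCEPT;
}
```

HTTP header names are case-insensitive and a request can span several segments, so a real filter would also normalise case and rebuild the TCP stream, which is the "rebuild the transactions" cost Mara mentions.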
 
Old 08-20-2009, 11:30 AM   #5
arafat.sultan
LQ Newbie
 
Registered: Aug 2009
Posts: 5

Original Poster
Thanks all of you for your replies.