Can tcpdump capture received UDP packets with checksum errors? - udp

I tried using the following command to capture UDP packets with an incorrect checksum (10.192.132.66 is the local IP), but nothing is captured. Why?
tcpdump -ni any -vvv udp and dst host 10.192.132.66 | grep 'bad udp cksum'
But the following command can capture TCP packets with an incorrect checksum:
tcpdump -ni any -vvv tcp and dst host 10.192.132.66 | grep 'incorrect'
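The "bad udp cksum" verdict tcpdump prints with -vv is the result of recomputing the UDP checksum over the IPv4 pseudo-header and comparing it with the field on the wire; a zero field is a different case (the IPv4 sender omitted the checksum) and is reported as "no cksum", which a grep for 'bad udp cksum' will never match. The script below is an added example, not code from the question or from tcpdump: it builds IPv4/UDP packets in memory (the addresses, ports and payload are constructed), verifies them the same way, and classifies the three cases. The labels it returns are my own, chosen to mirror tcpdump's distinction, not its exact output.

```python
import socket
import struct
from typing import Optional

# Added example, not from the original post: verifies the UDP checksum of an
# IPv4/UDP packet the way a capture tool must, over the IPv4 pseudo-header.
# Every packet below is constructed in memory; no interface is touched.


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with a zero octet
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """UDP checksum over the pseudo-header (src, dst, zero, proto 17, UDP length)
    plus the UDP header and payload with the checksum field zeroed.
    A computed 0 is transmitted as 0xFFFF, because 0 on the wire means
    'no checksum' in IPv4 (RFC 768)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_segment))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF


def check_udp(packet: bytes) -> str:
    """Classify an IPv4/UDP packet into the three states tcpdump -vv
    distinguishes: no checksum, checksum ok, or bad checksum."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    src, dst = packet[12:16], packet[16:20]
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    udp = packet[ihl:ihl + udp_len]
    on_wire = struct.unpack("!H", udp[6:8])[0]
    if on_wire == 0:
        return "no cksum"  # sender opted out; nothing to verify (IPv4 only, mandatory in IPv6)
    if udp_checksum(src, dst, udp) == on_wire:
        return "udp sum ok"
    return "bad udp cksum"


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes,
                 checksum: Optional[int] = None, corrupt: bool = False) -> bytes:
    """Constructed IPv4 (no options) + UDP packet. checksum=None computes the
    correct value, checksum=0 models a sender that omits it, corrupt=True flips
    a bit of the computed value to model damage in transit."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    if checksum is None:
        checksum = udp_checksum(src, dst, udp)
        if corrupt:
            checksum ^= 0x0001
            if checksum == 0:  # never emit 0 by accident: that would read as 'no checksum'
                checksum = 0x0002
    udp = udp[:6] + struct.pack("!H", checksum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", 0xFFFF - ones_complement_sum(ip)) + ip[12:]
    return ip + udp


if __name__ == "__main__":
    args = ("10.192.132.1", "10.192.132.66", 40000, 5006, b"sample payload")
    for label, kw in (("correct", {}), ("omitted", {"checksum": 0}), ("damaged", {"corrupt": True})):
        print(f"{label:8s} -> {check_udp(build_packet(*args, **kw))}")
```

When reading real captures, keep in mind that packets generated on the capturing host itself may show up as "bad" purely because checksum offload lets the NIC fill the field in after the capture point; the received direction, which the question asks about, does not have that artifact.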

Related

AWS ubuntu iptable port forwarding between its two interfaces

I have an AWS Ubuntu instance with the following network interfaces:
ens5, ip: 172.XX.XX.XX
A5TAP, ip: 192.168.233.1 (VPN)
How do I forward UDP ports 10000-10200 to 192.168.233.52:10000-10200?
I tried the obvious commands below for a single port, 10009, but it is not working:
sudo iptables -t nat -A PREROUTING -p udp --dport 10009 -j DNAT --to-destination 192.168.233.52:10009
sudo iptables -t nat -A POSTROUTING -p udp -d 192.168.233.52 --dport 10009 -j SNAT --to-source 172.XX.XX.XX
sudo iptables -t nat -L -n
What I tried so far:
I am trying to forward all UDP traffic for port 10009 arriving on ens5 to 192.168.233.52 on A5TAP:
172.XX.XX.XX:10009 -> 192.168.233.52:10009
The UDP stream is a video stream.
I followed this tutorial, but it is not working: when I shoot the UDP stream to 172.XX.XX.XX:10009, no video is shown.
If I do sudo tcpdump -i ens5 -n udp port 10009:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
14:08:51.035226 IP 59.XXX.XXX.XXX.46696 > 172.XX.XX.XX.10009: UDP, length 1400
14:08:51.035703 IP 59.XXX.XXX.XXX.46696 > 172.XX.XX.XX.10009: UDP, length 510
(and so on....)
That means my AWS instance is receiving the video stream from my machine.
But when I do sudo tcpdump -i A5TAP -n udp port 10009, there is no traffic.
If I join the machine with the video stream to the A5TAP VPN and send the UDP stream to 192.168.233.52:10009, I can see the stream.
Thanks to maxstr's answer, the port forwarding between interfaces in the same machine worked:
sudo tcpdump -i A5TAP -n udp port 10009:
07:45:53.701800 IP 192.168.233.1.49538 > 192.168.233.52.10009: UDP, length 700
I believe what you want is the following:
sudo iptables -t nat -A OUTPUT -p udp --dport 10009 -j DNAT --to-destination 192.168.233.52:10009
because the PREROUTING chain will not be in the path of local outbound traffic. OUTPUT will.

How to record the packets after iptables?

I want to record the packets (using tcpdump) after iptables, but it seems that tcpdump will record all the packets. I don't want the packets dropped by iptables.
Is there any way to
record the packets after iptables? or
output the packets (processed by iptables) into a pcap/log file?
Thanks.
Tcpdump acts before iptables for inbound traffic, but you can use the iptables NFLOG extension to reach your goal: http://ipset.netfilter.org/iptables-extensions.man.html#lbDI
Using the NFLOG target you can log the desired packets to a userspace application, and that's where tcpdump belongs (you can also assign traffic to a specific group and then tell tcpdump to listen to it).
Webserver (very basic) example; let's pretend you are accepting http/https traffic and dropping ssh:
#BASIC RULES
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
#NFLOG REDIRECT ONLY HTTP TRAFFIC
iptables -A INPUT -p tcp --dport 80 -j NFLOG
#TCPDUMP ONLY ON MATCHED TRAFFIC (=HTTP)
tcpdump -i nflog

Set UDP port of VLC server for RTP streaming on Windows 10

I ran into an issue when streaming a video using RTP with VLC on Windows 10.
I have 2 laptops, one for streaming a short video using RTP over UDP and another one for receiving and displaying the video stream.
My concern is that I can stream to a given destination address and port, e.g. 10.0.0.140:5006, but I cannot stream from the same port of a given address, e.g. 10.0.0.130:5006. The server port (on the first laptop) has to be the same as the client port.
I followed a tutorial to stream a video using RTP / MPEG Transport Stream and I checked in Wireshark, but the streaming source port is never set to 5006 as I wanted (instead, it opens random server ports).
I checked on the internet for an answer to this but found nothing helpful for my problem. I also checked the VLC preferences: I set the RTP port to 5006, but still the same behavior...
Does anyone know how to change the UDP server port of VLC to stream exclusively from port 5006?
Thanks!
I finally found out the solution by myself.
I did not set a static UDP server port, but I redirect the packets in POSTROUTING using Ubuntu in a virtual machine.
To post-redirect the packets, I opened a terminal and followed these two steps:
Declare the wanted UDP port number in iptables:
iptables -A OUTPUT -p udp --sport 5006 --dport 5006 -j ACCEPT
Redirect output data in the nat table to the previously declared UDP port number:
iptables -t nat -A POSTROUTING -o eth0 -p udp -j SNAT --to :5006
This method redirects any outgoing UDP packets to source port 5006 before sending them on the network.
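The SNAT rule above rewrites the source port after the application has already chosen a random one. The application-side way to get a fixed source port is to bind() the UDP socket to that port before the first sendto(); the kernel only picks an ephemeral port for a socket that is still unbound when it first sends. The script below is an added example, not VLC's code or the answer's setup: it sends one datagram from a socket bound to 5006 and one from an unbound socket to a local receiver, which reports the source port it actually saw. The loopback address, the ephemeral receiver port and the payload are constructed for the demonstration.

```python
import socket

# Added example, not from the original post: fix a UDP source port at the
# socket layer (bind before send) instead of rewriting it with iptables SNAT.


def send_udp(dst, payload: bytes, sport=None) -> int:
    """Send one datagram to dst. If sport is given, bind to it first so the
    kernel cannot pick an ephemeral port. Returns the local port actually used."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if sport is not None:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(("127.0.0.1", sport))  # fixes the source port up front
        s.sendto(payload, dst)
        # For an unbound socket, getsockname() is only meaningful after the
        # first sendto(), which is when the kernel auto-binds it.
        return s.getsockname()[1]
    finally:
        s.close()


def demo(fixed_port: int = 5006) -> dict:
    """Receiver on an ephemeral loopback port; two senders, one bound to
    fixed_port and one unbound. Returns what each side observed."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))  # constructed receiver; port chosen by the kernel
    rx.settimeout(2.0)
    dst = rx.getsockname()
    result = {}
    try:
        for label, sport in (("bound", fixed_port), ("unbound", None)):
            sent_from = send_udp(dst, b"rtp-sample", sport)  # constructed payload
            data, (_, seen_from) = rx.recvfrom(2048)
            result[label] = {"sent_from": sent_from,
                             "seen_by_receiver": seen_from,
                             "payload": data}
    finally:
        rx.close()
    return result


if __name__ == "__main__":
    for label, seen in demo().items():
        print(f"{label:8s} socket: sent from port {seen['sent_from']}, "
              f"receiver saw port {seen['seen_by_receiver']}")
```

Binding only works when you control the sending program; when you do not, as with a stock VLC build, the answer's POSTROUTING SNAT rewrite is the remaining option, at the cost of every outgoing UDP packet on that interface sharing the same source port.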

iptables to allow only first udp packet and drop remaining all udp packets for next 10 seconds

How do I make iptables allow only the first UDP packet from a source and block subsequent packets from that source for the next 10 seconds?
A Linux server receives the first UDP packet from the client; if the response is delayed by 100 ms, the client keeps sending the request packet every 100 ms until it receives the response.
To avoid this, at the server only the first packet must be received and subsequent packets should be dropped.
I tried dropping the first 4 packets and responding only to the 5th packet using the iptables rules below.
iptables -A INPUT -p udp -m recent --name attack --set
iptables -A INPUT -p udp -m recent --name attack --rcheck --seconds 10 --hitcount 4 -j ACCEPT
iptables -A INPUT -p udp -j DROP
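The question has no answer on the page. The behaviour of a chain built on the recent match is easy to get backwards, so the script below, an added example and not anything from the question, models the match in user space and replays a constructed packet timeline through two chains: the three rules posted in the question, and my own construction of a chain that implements the stated goal (first packet from a source accepted, everything else from it dropped for 10 seconds). The list name "first", the timeline and the source labels A and B are my choices; the match semantics follow xt_recent (--set always matches and records a timestamp; --rcheck matches when the source has at least hitcount timestamps, default 1, within the last seconds, and does not modify the list).

```python
# Added example, not from the original post: a user-space model of the
# iptables 'recent' match used to trace how a chain behaves on a constructed
# packet timeline. Times are seconds; sources are labels standing in for IPs.

IP_PKT_LIST_TOT = 20  # xt_recent keeps at most this many timestamps per address by default


class RecentList:
    """One named 'recent' list: source -> timestamps recorded by --set rules."""

    def __init__(self):
        self.stamps = {}

    def set(self, src, now):
        """--set: add the source (or refresh it) and record a timestamp. Always matches."""
        st = self.stamps.setdefault(src, [])
        st.append(now)
        del st[:-IP_PKT_LIST_TOT]
        return True

    def rcheck(self, src, now, seconds=0, hitcount=0):
        """--rcheck [--seconds S] [--hitcount N]: match if the source is listed and
        at least N (default 1) of its timestamps fall within the last S seconds
        (S=0 means any age). Does not modify the list."""
        st = self.stamps.get(src)
        if st is None:
            return False
        hits = sum(1 for t in st if not seconds or t >= now - seconds)
        return hits >= max(hitcount, 1)


def chain_from_question(lst):
    """The three rules in the question. A rule whose target is None has no -j:
    its match (here --set) runs for its side effect and the packet falls through."""
    return [
        (lambda src, now: lst.set(src, now), None),
        (lambda src, now: lst.rcheck(src, now, seconds=10, hitcount=4), "ACCEPT"),
        (lambda src, now: True, "DROP"),
    ]


def chain_first_packet_only(lst):
    """My construction (not from the page) of the policy the question asks for:
        iptables -A INPUT -p udp -m recent --name first --rcheck --seconds 10 -j DROP
        iptables -A INPUT -p udp -m recent --name first --set -j ACCEPT
    Only accepted packets reach --set, so one packet per source gets through and
    the rest from that source are dropped for 10 s without refreshing the timer."""
    return [
        (lambda src, now: lst.rcheck(src, now, seconds=10), "DROP"),
        (lambda src, now: lst.set(src, now), "ACCEPT"),
    ]


# Constructed timeline: client A retries every 100 ms, client B sends once,
# then both come back after the 10 s window has expired.
TRACE = [(0.0, "A"), (0.1, "A"), (0.2, "A"), (0.2, "B"), (0.3, "A"),
         (0.4, "A"), (0.5, "A"), (11.0, "A"), (11.0, "B")]


def simulate(build_chain, trace=TRACE, policy="ACCEPT"):
    """Walk the chain for each packet; the first matching rule that has a target
    decides, otherwise the chain policy applies. Returns one verdict per packet."""
    lst = RecentList()
    chain = build_chain(lst)
    verdicts = []
    for now, src in trace:
        verdict = policy
        for match, target in chain:
            if match(src, now) and target is not None:
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for name, builder in (("question", chain_from_question),
                          ("first-only", chain_first_packet_only)):
        print(name, list(zip([f"{s}@{t}" for t, s in TRACE], simulate(builder))))
```

Running it shows the difference in ordering: because the question's chain runs --set on every packet before --rcheck, a source only starts being accepted once it has retried enough times, and a lone packet from a quiet source is dropped; putting the --rcheck DROP first and the --set ACCEPT second inverts that, which is what the stated goal needs.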

iptables block INPUT port 80

My question is for general understanding and not for fixing an issue that I have.
I managed to run iptables -A OUTPUT -p tcp --dport 80 -j REJECT and block HTTP requests. When I ran curl http://b.scorecardresearch.com/beacon.js I got: curl: (7) Failed to connect to b.scorecardresearch.com port 80: Connection refused
Then I deleted the OUTPUT rule and created an INPUT rule, iptables -A INPUT -p tcp --dport 80 -j REJECT. I could then access curl http://b.scorecardresearch.com/beacon.js with no problems at all.
I understand why the outgoing request was not blocked, but when I make an HTTP request, doesn't the response return on the same port (80), and shouldn't it be blocked by the INPUT REJECT of port 80?
When you create a TCP connection, the client port is random and different from the destination port (80 here). You can see that by running netstat -pant in your terminal:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.41:39878 201.15.39.91:80 ESTABLISHED 2270/firefox
That's why blocking the incoming packets that target port 80 doesn't prevent you from reaching HTTP servers. However, if you have an HTTP server, it won't be accessible anymore on port 80.