Docker container with an example python script to listen for packets on
a netfilter queue and manipulate them with scapy. You can listen on any queue number, and you can push packets into the queue from any iptables rule.
This container gives you a powerful prototyping and debugging tool for monitoring, manipulating, dropping, accepting, requeing, or forwarding network packets in python.
You can read from a queue on the host with
Or, you can run it within another container's namespace to listen
for packets on an nfqueue in that container's network namespace.
This container includes a full installation of scapy and python netfilter queue
(nfqueue) bindings, and an example python script
print incoming packets on the queue.
scapy: https://awesomeopensource.com/project/secdev/scapy python-netfilterqueue: https://awesomeopensource.com/project/kti/python-netfilterqueue
Clone this repository
git clone [email protected]:milesrichardson/docker-nfqueue-scapy.git
Build the docker container. This will take a while because it includes the
full scapy install and all its dependencies. You can use any tag you want, but
as an example here I'm using
cd docker-nfqueue-scapy sudo docker build . -t nfqueuelistener
iptables on the host to send TCP packets destined for port
sudo iptables -t raw \ -A PREROUTING \ -p tcp --destination-port 9001 \ -j NFQUEUE --queue-num 1
Run the docker container to listen for packets and print then accept any received packets.
sudo docker run -it --rm \ --cap-add=NET_ADMIN \ --net=host \ --name=nfqueuelistener nfqueuelistener
From another machine, send some packets to test:
echo "Hello" | nc -v $HOST_IP_ADDRESS 9001
You should see something like this:
[email protected]:~/testing$ sudo docker run -it --rm --cap-add=NET_ADMIN --net=host --name=nfqueuelistener nfqueuelistener Listening on NFQUEUE queue-num 1... <IP version=4L ihl=5L tos=0x0 len=64 id=6387 flags=DF frag=0L ttl=55 proto=tcp chksum=0x6850 src=18.104.22.168 dst=22.214.171.124 options= |<TCP sport=58164 dport=9001 seq=4038873318 ack=0 dataofs=11L reserved=0L flags=S window=65535 chksum=0x67be urgptr=0 options=[('MSS', 1452), ('NOP', None), ('WScale', 5), ('NOP', None), ('NOP', None), ('Timestamp', (2615879909, 0)), ('SAckOK', ''), ('EOL', None)] |>>
The default queue number is
1. You can override this by setting the environment variable
QUEUE_NUM when running the container. For example, for queue
sudo docker run -it --rm \ -e 'QUEUE_NUM=2' \ --cap-add=NET_ADMIN \ --net=host \ --name=nfqueuelistener nfqueuelistener
One way to edit the
nfqueue_listener.py file is to simply edit it and then rebuild
the container with
sudo docker build . -t nfqueuelistener. Since you are only
editing the python file, building will not take as long as the first build.
You can find the documentation for the nfqueue library used at https://awesomeopensource.com/project/kti/python-netfilterqueue
I have not tested this, but it should work.
Say you have another container
$CONTAINER_ID and you want to intercept incoming
packets in its namespace. You can run this docker container like:
sudo docker run -it --rm \ --net=container:$CONTAINER_ID \ --name=nfqueuelistener nfqueuelistener
Note that you will need to run your
iptables rules to send packets to the queue
from within the
scapy is hardcoded version
2.3.2 because there is a bug in
scapy to fail on openstack deployments. The bug is actually upstream in openstack,
and has been fixed, but this caused problems for me testing on packet.net where
they have apparently not updated openstack yet.