Network manipulation
Packet Squirrel and networking
The DuckyScript for Packet Squirrel commands allow simple configuration of the Packet Squirrel networking, but they are not the only option available: the Packet Squirrel is a Linux-based networking device, and the full power of the Linux networking stack and its low-level tools is available to payloads.
IPTables and NFTables
When it comes to network security in Linux, two of the most important tools are iptables and nftables. These are both firewall frameworks that allow you to control network traffic by filtering and forwarding packets based on specific rules.
Iptables has been the traditional firewall framework used in Linux for many years, and it is still widely used today. It works by creating a set of rules that specify what to do with incoming and outgoing packets. Each rule is made up of several components, including a chain, a match, and an action. The chain determines which network traffic the rule applies to, the match specifies the conditions that the packet must meet, and the action determines what happens to the packet if it meets those conditions. For example, a rule might specify that any incoming packets on the "INPUT" chain that match the condition "destination port is 22" should be accepted, while all other packets should be dropped.
Nftables, on the other hand, is a more recent firewall framework that was introduced in Linux kernel 3.13. It is intended to replace iptables in the long term, and it offers several advantages over its predecessor: nftables has a more user-friendly syntax and can handle more complex filtering rules than iptables. Like iptables, nftables uses chains and rules to filter network traffic. However, nftables organizes these chains and rules into a hierarchical structure, which makes it easier to manage complex firewall policies.
Both iptables and nftables are extremely powerful tools that can be used to secure your Linux system against network attacks. However, they can also be complex and difficult to use, especially for beginners. It's important to approach them with caution and make sure you understand how they work before making any changes to your network configuration.
The OpenWRT framework uses NFTables heavily to configure the system-wide network and firewall rules based on the configurations in /etc/config/network, /etc/config/firewall, and the files in /etc/nftables.d/.
NFTables and the Packet Squirrel
The Packet Squirrel uses NFTables internally for controlling the network: when setting a network mode via NETMODE, under the covers the system is setting network interface configurations and nftables rules.
The Packet Squirrel includes a translation layer to convert most iptables commands to the equivalent nftables command. Typically this allows the use of most legacy iptables commands with no change.
The Packet Squirrel is built on top of the OpenWRT Linux distribution, which is a popular system for embedded devices and other small hardware.
To understand how the Packet Squirrel and OpenWRT work together with NFTables, it's important to understand some basics:
Tables: Nftables organizes firewall rules into tables. Each table is a container for one or more chains, which define how the firewall should process packets. You can create tables using the nft command:
This creates a new table called "mytable" in the "inet" family (IPv4 or IPv6).
Chains: Each table contains one or more chains, which define the set of rules that apply to a specific type of traffic. There are three built-in chains in nftables: input, output, and forward. You can create a new chain using the nft command:
This creates a new chain called "mychain" in the "mytable" table, with a filter type and a hook for incoming traffic (the input hook). The priority is set to 0, which means this chain will be processed before any other chains with a higher priority.
Rules: Each chain contains one or more rules, which define how to handle packets that match a specific set of criteria. You can add rules to a chain using the nft command:
This rule accepts all TCP packets that are destined for port 22 (SSH), and applies to the "mychain" chain in the "mytable" table.
Policies: Each chain has a default policy that specifies what to do with packets that do not match any of the rules in the chain. You can set the default policy using the nft command:
This sets the default policy for the "mychain" chain in the "mytable" table to drop any packets that do not match any of the rules.
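The four steps above (table, chain with the input hook at priority 0, an SSH accept rule, and a drop policy) can be expressed as a single nftables ruleset and loaded atomically with nft -f instead of as four separate nft commands. The script below is an added example, not firmware code from Hak5 or the Packet Squirrel; it uses the table and chain names from the text and adds two rules the text does not show (accepting loopback and already-established connections), because a drop policy on the input hook with only an SSH rule would also discard the replies to the Packet Squirrel's own outbound traffic. The file path passed to apply_ruleset is an assumption.

```shell
#!/bin/sh
# Added example (not Packet Squirrel firmware code): the table/chain/rule/policy
# sequence from the text as one nftables ruleset for `nft -f`.

# Print the ruleset. Declaring the table and then flushing it makes the load
# idempotent: running it twice does not duplicate rules.
ssh_only_ruleset() {
    cat <<'EOF'
table inet mytable
flush table inet mytable
table inet mytable {
    chain mychain {
        type filter hook input priority 0; policy drop;
        # Added beyond the text: keep the Squirrel's own sessions working
        ct state established,related accept
        # Added beyond the text: loopback is never filtered
        iif "lo" accept
        # The rule from the text; anything else hits the drop policy
        tcp dport 22 accept
    }
}
EOF
}

# Count the rule lines in the generated ruleset (used as a self-check).
rule_count() {
    ssh_only_ruleset | grep -c -E '^[[:space:]]+(ct state|iif|tcp dport)'
}

# Dry-run syntax check (nft -c) without touching the running firewall.
# Returns 0 when nft is absent so the script can be exercised on a workstation.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not found; skipping check" >&2; return 0; }
    ssh_only_ruleset | nft -c -f -
}

# Write the ruleset to a file and load it (needs root on the Packet Squirrel).
# The default path is an assumption; pick one that suits the payload.
apply_ruleset() {
    dest="${1:-/tmp/mytable.nft}"
    ssh_only_ruleset > "$dest"
    nft -f "$dest"
}

# Show the live chain with its policy and rules, to confirm what was loaded.
show_chain() {
    nft list chain inet mytable mychain
}
```

Run check_ruleset first; a ruleset file fails as a whole if any line is wrong, which is safer than a sequence of nft add commands that can leave the chain half-built with a drop policy already in place.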
These are just a few basic examples of how to use nftables on Packet Squirrel. There are many more options and features available, so it's important to consult the nftables documentation for full in-depth information.
Packet Squirrel network interfaces
When writing advanced payloads which change the packet rules, it's important to understand how the Packet Squirrel organizes the network.
The Packet Squirrel has two Ethernet interfaces:
eth0 is connected to the Network port
eth1 is connected to the Target port
How the interfaces are logically arranged depends on the network mode the payload uses:
NAT: eth1 is connected to a virtual bridge interface, br-lan. eth0 is directly connected to the network. Traffic from eth1 is translated to the IP on eth0.
BRIDGE: eth1 and eth0 are both connected to a virtual bridge interface, br-lan. Simultaneously, eth0 is directly connected to the network and obtains an IP. Traffic from eth1 is passed to eth0 without modification.
TRANSPARENT: eth1 and eth0 are both connected to a virtual bridge interface, br-lan. The Packet Squirrel does not have an IP itself, and cannot connect to any external resources. Traffic from eth1 is passed to eth0 without modification.
JAIL: eth1 is disconnected from the virtual bridge interface. eth0 is directly connected to the network. Traffic from eth1 is ignored.
ISOLATE: eth1 and eth0 are both disconnected. The Packet Squirrel has no IP and the Target devices cannot connect. No traffic is passed.
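The interface layout above decides which nftables hook can see the Target's traffic at all. In NAT mode the Target sits behind br-lan and its packets are routed out of eth0, so a forward-hook chain matching on those two interface names observes exactly the Target's outbound traffic; in BRIDGE and TRANSPARENT modes eth1 and eth0 are switched inside br-lan rather than routed, so the inet-family forward hook does not see that traffic, and in JAIL and ISOLATE nothing is forwarded. The script below is an added example, not Packet Squirrel code: it generates a NAT-mode ruleset that only counts and logs what the Target sends (policy accept, nothing blocked) and refuses the other modes with a reason. The table name "tgtmon", the chain name, and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example (not Packet Squirrel code): per-mode visibility into Target
# traffic. Interface names eth0, eth1 and br-lan are from the device
# description; the table/chain names are made up for this example.

# Emit a forward-hook monitoring ruleset for the given NETMODE. Only NAT mode
# routes Target traffic through the forward hook, so the others return 1.
target_monitor_ruleset() {
    mode="${1:-NAT}"
    case "$mode" in
        NAT)
            in_if="br-lan"; out_if="eth0" ;;
        BRIDGE|TRANSPARENT)
            echo "$mode: eth1 and eth0 are bridged inside br-lan; inet forward hook sees no Target traffic" >&2
            return 1 ;;
        JAIL|ISOLATE)
            echo "$mode: no traffic is forwarded from eth1" >&2
            return 1 ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1 ;;
    esac
    # Unquoted heredoc so $in_if/$out_if expand; policy accept means this
    # chain only observes, it never drops anything.
    cat <<EOF
table inet tgtmon
flush table inet tgtmon
table inet tgtmon {
    chain fwd {
        type filter hook forward priority 0; policy accept;
        iifname "$in_if" oifname "$out_if" tcp dport 22 counter log prefix "target-ssh "
        iifname "$in_if" oifname "$out_if" udp dport 53 counter
        iifname "$in_if" oifname "$out_if" counter
    }
}
EOF
}

# Number of interface-scoped rules in the generated ruleset (self-check).
monitor_rule_count() {
    target_monitor_ruleset "$1" | grep -c 'iifname "br-lan" oifname "eth0"'
}

# Load the ruleset on the device (root), then read the counters back.
apply_monitor() {
    target_monitor_ruleset "${1:-NAT}" | nft -f -
}

read_counters() {
    nft list chain inet tgtmon fwd
}
```

Because the chain's policy is accept and every rule ends in counter rather than drop, loading it in NAT mode changes nothing about what the Target can reach; read_counters shows how much of its traffic was SSH, DNS, or other, and the log prefix makes the SSH attempts easy to find in the kernel log.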