Introduction to Packet Interception Using Netfilter

In the first blog of this series, we will focus on the concept of packet interception in user space and later on we will also look into use cases pertaining to this concept.

Such a user space agent can be developed using C (Python also has a similar set of libraries.) on a linux based OS.

Following external libraries would be required:

* libnfnetlink: A low level library for kernel/userspace communication

* libnetfilter_queue: A userspace library providing an API for packets queued by kernel

* libmnl: Internally used by libnetfilter_queue

Additionally, a command line utility called IPTABLES is also needed in order to install rules.

Installation steps

Following steps are sufficient to manually install these libraries:

mkdir /some/path/libs
cd /some/path/libs
git clone git://
git clone git://
cd libnfnetlink
./configure --prefix=/usr
sudo make install
sudo apt-get install libmnl-dev
cd ../ libnetfilter_queue
./configure --prefix=/usr
sudo make install

The IPTABLES utility is installed by default and is set to allow all traffic. Also, note that the iptables command can be useful only when run as root.


The task of delegating the decision on packets to a user space agent can be done using IPTABLES tool. The command required for doing this is:

sudo iptables -A OUTPUT -p ip -j NFQUEUE –queue-num 0

Options used above signify:

* -A : append a new rule to iptables (OUTPUT rule in this case)

* -p : protocol (IP)

* -j: Target for the packets (NFQUEUE number 0 is the target here)

Using the above command, we inform the kernel that all the outgoing packets should be added to a queue NFQUEUE (Netfilter queue) with queue-number as 0.

After this is done, it is the responsibility of the agent to listen to the NFQUEUE number 0 and issue a verdict on the packets in this queue thus giving them back to kernel space. Verdict setting is done using libnetfilter_queue capabilities.

A verdict can be any of the following:

* NF_ACCEPT: let the packet pass

* NF_DROP: drop the packet

* NF_STOLEN: take the packet and don’t let it pass

* NF_QUEUE: queue the packet

* NF_REPEAT: call the hook again

In the next blog, we will be looking into a simple agent in C which can modify, forward or drop an IP packet.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s