WFPSampler Port Redirection Help

  • Question

  • I have tried for several hours now to get this to work right and just cannot make it happen.  Seems like such a basic thing to do.

    I want to redirect TCP connections to 127.0.0.1:22 to 127.0.0.1:2222.

    There is another process running which is bound to 0.0.0.0:22 and I need to take over just 127.0.0.1.  Can't that be done?


    WFPSampler.exe -s BASIC_PACKET_MODIFICATION -l FWPM_LAYER_OUTBOUND_TRANSPORT_V4 -ipra 127.0.0.1 -iprp 22 -mtdp 2222 -v
    WFPSampler.exe -s BASIC_PACKET_MODIFICATION -l FWPM_LAYER_OUTBOUND_IPPACKET_V4 -ipra 127.0.0.1 -iprp 22 -mtdp 2222 -v
    WFPSampler.exe -s BASIC_PACKET_MODIFICATION -l FWPM_LAYER_INBOUND_IPPACKET_V4 -ipra 127.0.0.1 -iprp 2222 -mtsp 22 -v
    WFPSampler.exe -s BASIC_PACKET_MODIFICATION -l FWPM_LAYER_INBOUND_TRANSPORT_V4 -ipra 127.0.0.1 -iprp 2222 -mtsp 22 -v

    As soon as I do that, I lose connectivity on 127.0.0.1:22.

    Help?

    Sunday, February 16, 2014 12:20 AM

All replies

  • The original version of the WFPSampler did not support modifying the transport header at the IPPACKET layers.  This support was commented out as it required more rigorous checks than I had time for.  So the first question I have is, did you write code to achieve this functionality?

    For the redirection you are performing, you should be using the FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 (this is in the PROXY scenario). From my understanding, you are not actually proxying the data; however, the CONNECT REDIRECT layer will change the TCB of the connection so that 127.0.0.1:22 now flows to 127.0.0.1:2222.

    If using legacy redirection (as you are doing), you need to sit at FWPM_LAYER_OUTBOUND_TRANSPORT_V4 and FWPM_LAYER_INBOUND_IPPACKET_V4.  The other filters you have listed likely won't get hit.  Additionally, IPPACKET doesn't support REMOTE_PORT, so your filter is being invoked for all traffic to 127.0.0.1.

    Your commands would look thusly:
    WFPSampler.exe -s BASIC_PACKET_MODIFICATION -l FWPM_LAYER_OUTBOUND_TRANSPORT_V4 -ipp TCP -ipra 127.0.0.1 -iprp 22 -mtdp 2222 -v

    WFPSampler.exe -s BASIC_PACKET_MODIFICATION -l FWPM_LAYER_INBOUND_IPPACKET_V4 -ipra 127.0.0.1  -mtdp 22 -v
    (And you will need to add code in the callout to verify this is the traffic you do want to modify, i.e. inspect the TL header and verify it's TCP and source port 2222, plus modification of the TCP header.)

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Monday, February 17, 2014 7:04 PM
    Moderator
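The check the reply above asks for in the callout (confirm the packet is TCP with source port 2222 before touching it, then modify the TCP header) is shown here as an added example; it is not code from the thread or from WFPSampler. It works on a plain IPv4 byte buffer in user mode, whereas a real callout would read the headers from the NET_BUFFER_LIST; the function names and the sample packet (including client port 50000) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian 16-bit accessors for header fields. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Constructed sample: 127.0.0.1:2222 -> 127.0.0.1:50000, SYN/ACK, no payload. */
uint8_t sample_pkt[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x80,0x06,0xFC,0xCD,
    0x7F,0x00,0x00,0x01, 0x7F,0x00,0x00,0x01,
    0x08,0xAE,0xC3,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02,
    0x50,0x12,0x20,0x00, 0xC5,0xCE,0x00,0x00 };

/* Full TCP checksum check on an already validated packet:
 * pseudo-header plus segment must fold to 0xFFFF. */
int tcp_checksum_ok(const uint8_t *pkt, size_t len)
{
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4, i;
    uint32_t s = 6 + (uint32_t)(len - ihl);            /* protocol + TCP length */
    for (i = 12; i < 20; i += 2) s += rd16(pkt + i);   /* source and destination */
    for (i = ihl; i + 1 < len; i += 2) s += rd16(pkt + i);
    if (i < len) s += (uint32_t)pkt[i] << 8;           /* odd trailing byte */
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return s == 0xFFFF;
}

/* Returns 1 if the source port was rewritten, 0 if the packet is not ours
 * (not IPv4, truncated, not TCP, a fragment, or a different source port). */
int rewrite_reply_sport(uint8_t *pkt, size_t len, uint16_t from, uint16_t to)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl + 20) return 0;           /* need a full TCP header */
    if (pkt[9] != 6 || (rd16(pkt + 6) & 0x1FFF)) return 0; /* TCP, first fragment */
    uint8_t *tcp = pkt + ihl;
    if (rd16(tcp) != from) return 0;
    /* RFC 1624 incremental checksum update: HC' = ~(~HC + ~m + m') */
    uint32_t s = (uint16_t)~rd16(tcp + 16) + (uint32_t)(uint16_t)~from + to;
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    wr16(tcp + 16, (uint16_t)~s);
    wr16(tcp, to);
    return 1;
}

int main(void)
{
    int ok = rewrite_reply_sport(sample_pkt, sizeof sample_pkt, 2222, 22);
    printf("rewritten=%d sport=%u\n", ok, (unsigned)rd16(sample_pkt + 20));
    return !tcp_checksum_ok(sample_pkt, sizeof sample_pkt);
}
```

Without the protocol and port checks, a filter at the IPPACKET layer matching only on 127.0.0.1 would rewrite every loopback packet, which is the over-broad match the reply warns about.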
  • Thank you Dusty.  This helps, I had assumed wrong about the support in WFPSampler.

    Now to get this working in some custom code.

    --Ben

    Monday, February 17, 2014 9:56 PM
  • The sampler will be updated in the near future (April?), and will have this support.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Monday, February 17, 2014 11:05 PM
    Moderator