Make a blackhole in 45 lines with Netfilter in Kernel-land

Make a blackhole in 45 lines with Netfilter in Kernel-land


 // blackhole (telescope) for port 3000, by [email protected] 
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/ip.h>

static struct nf_hook_ops nfho; //net filter hook option struct
struct tcphdr *tcp_header; //udp header struct (not used)
struct iphdr *ip_header; //ip header struct

unsigned int hook_func(
  const struct nf_hook_ops *ops, 
  struct sk_buff *skb, 
  const struct net_device *in, 
  const struct net_device *out, 
  int (*okfn)(struct sk_buff *)) {

  ip_header = (struct iphdr *)skb_network_header(skb);
  if (ip_header->protocol == /* TCP */ 6) {
    tcp_header = tcp_hdr(skb);
    u32 saddr, daddr;
    u16 sport, dport;
    saddr = ntohl(ip_header->saddr);
    daddr = ntohl(ip_header->daddr);
    sport = ntohs(tcp_header->source);
    dport = ntohs(tcp_header->dest);

    if (sport == 3000) { // if packet from local port 3000, drop it.
      printk(KERN_INFO "got tcp packet at 3000 port.\n");
      return NF_DROP;
  return NF_ACCEPT;

int init_module() {
  nfho.hook = hook_func;
  nfho.hooknum = NF_INET_LOCAL_OUT; = PF_INET;
  nfho.priority = NF_IP_PRI_FIRST;
  return 0;

void cleanup_module() {


MOD := hookModule
obj-m += $(MOD).o
KVERSION := $(shell uname -r)

	$(MAKE) -C /lib/modules/$(KVERSION)/build M=$(PWD) modules

	$(MAKE) -C /lib/modules/$(KVERSION)/build M=$(PWD) clean

	/sbin/insmod $(MOD).ko

	/sbin/rmmod $(MOD).ko


Detail about Netfilter

Grab TCP Header

‘NF_IP_LOCAL_OUT’ undeclared

Error compiling kernel module linux/module.h: No such file or directory found

Author face

Sheng-Hao Ma

Sheng-Hao Ma (aaaddress1, adr) is a core member of CHROOT Security Group and TDOHacker security community in Taiwan. He has over 10-year experience in reverse engineering, machine language, and Intel 8086. He experts in Windows vulnerability, Exploit, and Reverse Engineering. Moreover, Sheng-Hao Ma was also a speaker at Black Hat, DEFCON USA, beVX, VXCON, HITCON (Hackers In Taiwan Conference), SITCON (Students In Taiwan Conference) and iThome#Chatbot.

Recent post