I want to process IP packets in my app, e.g. encrypting them, removing "bad" ones if they match some rule (say, for example, the destination IP), and then sending them on to the destination. I think I can use iptables' REDIRECT for that purpose. I know that after forwarding packets to my app the original destination address will be overwritten, but there is a solution:

> iptables overwrites the original destination address but it remembers the old one. The application code can then fetch it by asking for a special socket option, SO_ORIGINAL_DST
    #include <errno.h>
    #include <syslog.h>                 /* LOG_WARNING */
    #include <netinet/in.h>             /* struct sockaddr_in, SOL_IP */
    #include <sys/socket.h>             /* getsockopt */
    #include <linux/netfilter_ipv4.h>   /* SO_ORIGINAL_DST */

    /* Fetch the destination the client originally connected to, before the
     * iptables REDIRECT target rewrote it. The option is answered from the
     * conntrack entry of the connection, so it only works on a socket that
     * was actually redirected by netfilter. client and bindaddr are unused. */
    static int getdestaddr_iptables(int fd, const struct sockaddr_in *client,
                                    const struct sockaddr_in *bindaddr,
                                    struct sockaddr_in *destaddr)
    {
        socklen_t socklen = sizeof(*destaddr);
        int error;

        (void)client;
        (void)bindaddr;
        error = getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, destaddr, &socklen);
        if (error) {
            /* log_errno() is the logging helper of the project this snippet
             * comes from; errno holds the cause of the failure. */
            log_errno(LOG_WARNING, "getsockopt");
            return -1;
        }
        return 0;
    }

Solution taken from here.
For this purpose I also configured IPv4 forwarding by doing this:
sysctl -w net.ipv4.ip_forward=1
But then, when trying to set the iptables rule, I got an error.

My rule is: iptables -t nat -A OUTPUT -p ip -j REDIRECT --to-port 666

Error: iptables v1.4.21: Need TCP, UDP, SCTP or DCCP with port specification
I'm a real newbie with iptables and with this topic in general. Can somebody tell me what I'm doing wrong? Why can't it redirect with IP? And is my idea correct? I also know about divert sockets, but they don't support fragmentation.

UPD1: Let me be clear about my problem: I want my device, which is connected to the internet, to be a kind of gateway for incoming/outgoing connections, and I want to process those packets with the help of my app. Some packets I will modify if they match some rule; others I will just forward without any modifications. The laptop "gets the internet" with the help of that device.
via Chebli Mohamed
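The error in the question is the REDIRECT target behaving as designed: it is a NAT target that rewrites a transport-layer destination (address and port) for connections tracked by conntrack, which is why it insists on `-p tcp`, `-p udp`, `-p sctp` or `-p dccp` and a port. What the application then receives is a connection (a TCP stream or UDP datagrams), not raw IP packets, and for traffic forwarded from the laptop the rule belongs in the `nat` `PREROUTING` chain (`OUTPUT` only sees packets generated on the gateway itself). Per-packet processing of arbitrary IP protocols, fragments included, is instead what the NFQUEUE target and libnetfilter_queue are for.

The following is an added example, not the poster's code, showing the connection-level variant in C: a minimal transparent TCP proxy that accepts redirected connections on port 666, recovers the original destination with `SO_ORIGINAL_DST`, applies a destination-IP rule (a constructed blocklist of two CIDRs), and either drops the connection or relays it to the real destination. The listening port, the rule set and the accompanying rule `iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-port 666` are assumptions for the example. The proxy handles one connection at a time to stay short; a real one would fork or use an event loop.

```c
/* Added example: transparent TCP proxy skeleton for iptables REDIRECT.
 * Assumed (hypothetical) setup on the gateway:
 *   iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-port 666
 * If the rule were placed in nat OUTPUT instead, the proxy's own connect()
 * below would be redirected back to the proxy; exclude it with
 *   -m owner ! --uid-owner <proxy user>    in that case. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/netfilter_ipv4.h>   /* defines SO_ORIGINAL_DST */
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80          /* Linux value, used only if the header is missing */
#endif
#ifndef SOL_IP
#define SOL_IP IPPROTO_IP
#endif

#define LISTEN_PORT 666             /* assumed proxy port, as in the question */

/* Pre-REDIRECT destination of an accepted connection, read from conntrack.
 * Returns 0 on success, -1 with errno set (EBADF for a bad fd, ENOENT when
 * the connection was not redirected by netfilter). */
int get_original_dst(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    return getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, dst, &len) == 0 ? 0 : -1;
}

/* Parse "a.b.c.d/len" (or a bare address) into host-order network and mask. */
int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask)
{
    char buf[32], *slash;
    struct in_addr a;
    long plen = 32;

    if (strlen(cidr) >= sizeof buf) return -1;
    strcpy(buf, cidr);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        plen = strtol(slash + 1, NULL, 10);
        if (plen < 0 || plen > 32) return -1;
    }
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    *mask = plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
    *net = ntohl(a.s_addr) & *mask;
    return 0;
}

/* The "bad destination" rule: is the original destination inside a blocked CIDR? */
int dst_is_blocked(const struct sockaddr_in *dst, const char *const *cidrs, size_t n)
{
    uint32_t addr = ntohl(dst->sin_addr.s_addr), net, mask;
    for (size_t i = 0; i < n; i++)
        if (parse_cidr(cidrs[i], &net, &mask) == 0 && (addr & mask) == net)
            return 1;
    return 0;
}

/* Render "a.b.c.d:port" for logging; returns buf. */
char *format_endpoint(const struct sockaddr_in *sa, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip);
    snprintf(buf, len, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
    return buf;
}

/* Copy bytes in both directions until either side closes or errors. */
static void relay(int a, int b)
{
    struct pollfd pfd[2] = { { a, POLLIN, 0 }, { b, POLLIN, 0 } };
    char buf[4096];
    for (;;) {
        if (poll(pfd, 2, -1) < 0) return;
        for (int i = 0; i < 2; i++) {
            if (!(pfd[i].revents & (POLLIN | POLLHUP | POLLERR))) continue;
            ssize_t n = read(pfd[i].fd, buf, sizeof buf);
            if (n <= 0) return;
            /* A payload-rewriting step (e.g. encryption) would go here. */
            if (write(pfd[1 - i].fd, buf, (size_t)n) != n) return;
        }
    }
}

int main(void)
{
    static const char *const blocked[] = { "10.0.0.0/8", "192.0.2.0/24" }; /* constructed rule set */
    struct sockaddr_in bind_addr = { .sin_family = AF_INET, .sin_port = htons(LISTEN_PORT) };
    int ls = socket(AF_INET, SOCK_STREAM, 0), one = 1;

    setsockopt(ls, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(ls, (struct sockaddr *)&bind_addr, sizeof bind_addr) || listen(ls, 16)) {
        perror("bind/listen");
        return 1;
    }
    for (;;) {
        struct sockaddr_in dst;
        char ep[64];
        int cs = accept(ls, NULL, NULL), us;
        if (cs < 0) continue;
        if (get_original_dst(cs, &dst) != 0) {
            fprintf(stderr, "SO_ORIGINAL_DST failed: %s\n", strerror(errno));
            close(cs);
            continue;
        }
        if (dst_is_blocked(&dst, blocked, 2)) {
            fprintf(stderr, "dropping connection to %s\n", format_endpoint(&dst, ep, sizeof ep));
            close(cs);
            continue;
        }
        us = socket(AF_INET, SOCK_STREAM, 0);
        if (connect(us, (struct sockaddr *)&dst, sizeof dst) == 0) relay(cs, us);
        close(us);
        close(cs);
    }
}
```

Note that a redirected connection is only "seen" at the byte-stream level here: retransmissions, fragmentation and IP-header fields are handled by the kernel before the proxy reads anything, which is convenient for a content filter but is not the same as touching every packet.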