I have a packet inside a packet, a.k.a. tunneling. So essentially it's of the following form: [IP HEADER 1][IP HEADER 2][PAYLOAD]
After reading the first header (done by a library) I will get the packet:
[IP HEADER 2][PAYLOAD]
at the INPUT chain of iptables. I want to re-inject the packet at the start of iptables, i.e. in the PREROUTING chain. The ultimate aim is to forward the packet to a remote host (that's why I want the packet to be in the PREROUTING chain). I have read something about libipq but I am not really sure that it is the best way to do it. Any wild suggestion would also help.
I have already posted this question on 'stackoverflow' but since there were no replies, I thought it is better suited for 'serverfault'.

3 Answers
I agree with MrShunz's answer. Use libnetfilter_queue. To use it, you will need a Linux kernel version 2.6.14 or later built with nfnetlink_queue support. There are two parts to set up:
- your iptables/netfilter rules to send packets to user-land, and
- your user-land program, which will process the packets as desired and then return them to netfilter.
The iptables rule might look something like this:
IN_INTERFACE=eth0
SOURCE_NETWORK=192.168.66.0/24
QUEUE_NUM=1
iptables -t raw -A PREROUTING -i $IN_INTERFACE -s $SOURCE_NETWORK -j NFQUEUE --queue-num $QUEUE_NUM
This will send all packets coming in through a specific interface from a specific network to your user-land process that is listening on queue number 1.
Your program, which will likely have to be written in C or C++, will use the libnetfilter_queue API. Sorry, I'm not going to write any code here (there is example code in the API docs I linked to), but the basic idea is that your program will:
- read each packet sent to the queue,
- make your desired modifications to the packet,
- and finally, specify a "verdict" to netfilter, saying whether to ACCEPT or DROP the packet. Presumably, you will be ACCEPTing most of the time.
I have not personally used this API, but my reading of the docs is that ACCEPTing a packet actually means to reinject it, as modified, back into netfilter, to continue traversing the iptables rulesets. I could be wrong on this point, so you may want to investigate further before committing to this course of development.

IIRC, to reinject (to the start of the chain, though!), use NF_REPEAT as a verdict.

Thanks. Btw, where did you find it? It's not even mentioned in the man pages. – Amit S Dec 01 '10 at 12:40
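Added example, not code from the thread, from the answerers, or from libnetfilter_queue itself: the user-land half of the set-up the first answer describes (read the queued packet, modify it, return a verdict), using the NF_REPEAT verdict from the second answer. The part that builds and runs stand-alone is the packet work: validate the outer IPv4 header, locate the inner packet, and reject anything truncated or corrupted. The verdict call that hands the inner packet back to netfilter is shown in a comment only, because it needs -lnetfilter_queue. The function names (ipip_decap, build_sample, the demo_* functions), the addresses, the payload and the mark value 1 are all invented for this example. Queuing from the raw-table PREROUTING rule in the first answer rather than from INPUT is what makes the forwarding work: the routing decision has not been made yet at that hook, so the packet that comes back is routed on the inner destination.

```c
/* Added example, not code from the thread or from libnetfilter_queue: the
 * user-land processing of an IP-in-IP packet. Names, addresses, payload and
 * the mark value are invented for the example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_IPIP (4), IPPROTO_UDP (17) */
#include <arpa/inet.h>    /* inet_pton */

enum { DECAP_OK = 0, DECAP_SHORT = -1, DECAP_BAD_VERSION = -2,
       DECAP_BAD_LEN = -3, DECAP_BAD_CSUM = -4, DECAP_NOT_IPIP = -5 };

/* RFC 1071 one's-complement sum over an IPv4 header; with the checksum field
 * filled in, an intact header sums to 0. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validate the outer IPv4 header and point *inner at the encapsulated packet.
 * Each length field is checked against 'len', the byte count the queue really
 * delivered, before it is used: the outer header is untrusted input. */
int ipip_decap(const uint8_t *pkt, size_t len,
               const uint8_t **inner, size_t *inner_len)
{
    if (len < 20)                     return DECAP_SHORT;
    if ((pkt[0] >> 4) != 4)           return DECAP_BAD_VERSION;
    size_t ihl   = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = (size_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || ihl > len || total < ihl || total > len)
                                      return DECAP_BAD_LEN;
    if (ipv4_checksum(pkt, ihl) != 0) return DECAP_BAD_CSUM;
    if (pkt[9] != IPPROTO_IPIP)       return DECAP_NOT_IPIP;
    /* the payload must itself hold at least a minimal IPv4 header */
    if (total - ihl < 20 || (pkt[ihl] >> 4) != 4)
                                      return DECAP_SHORT;
    *inner = pkt + ihl;
    *inner_len = total - ihl;
    return DECAP_OK;
}

/* Test helper: write a minimal 20-byte IPv4 header with a correct checksum. */
void build_ipv4(uint8_t *buf, const char *src, const char *dst,
                uint8_t proto, size_t payload_len)
{
    struct in_addr a;
    uint16_t total = (uint16_t)(20 + payload_len), csum;
    memset(buf, 0, 20);
    buf[0] = 0x45;                                  /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64;                                    /* TTL */
    buf[9] = proto;
    inet_pton(AF_INET, src, &a); memcpy(buf + 12, &a, 4);
    inet_pton(AF_INET, dst, &a); memcpy(buf + 16, &a, 4);
    csum = ipv4_checksum(buf, 20);
    buf[10] = (uint8_t)(csum >> 8); buf[11] = (uint8_t)csum;
}

/* Constructed sample: outer 10.0.0.1 -> 10.0.0.2 (proto 4) carrying
 * inner 192.168.66.10 -> 203.0.113.5 (UDP) with a 5-byte payload; 45 bytes. */
size_t build_sample(uint8_t *pkt)
{
    static const uint8_t payload[5] = { 'h', 'e', 'l', 'l', 'o' };
    build_ipv4(pkt, "10.0.0.1", "10.0.0.2", IPPROTO_IPIP, 20 + sizeof payload);
    build_ipv4(pkt + 20, "192.168.66.10", "203.0.113.5", IPPROTO_UDP, sizeof payload);
    memcpy(pkt + 40, payload, sizeof payload);
    return 40 + sizeof payload;
}

/* Happy path: returns the inner protocol byte (17) once the inner header is
 * confirmed intact and of the expected length. */
int demo_roundtrip(void)
{
    uint8_t pkt[64]; const uint8_t *in; size_t ilen;
    size_t len = build_sample(pkt);
    int rc = ipip_decap(pkt, len, &in, &ilen);
    if (rc != DECAP_OK) return rc;
    if (ilen != 25 || ipv4_checksum(in, 20) != 0) return -100;
    return in[9];
}

/* Outer header altered (TTL changed, checksum not): must be rejected. */
int demo_corrupt_outer(void)
{
    uint8_t pkt[64]; const uint8_t *in; size_t ilen;
    size_t len = build_sample(pkt);
    pkt[8] = 1;
    return ipip_decap(pkt, len, &in, &ilen);
}

/* Outer total-length (45) exceeds the bytes actually received (35): reject. */
int demo_truncated(void)
{
    uint8_t pkt[64]; const uint8_t *in; size_t ilen;
    size_t len = build_sample(pkt);
    return ipip_decap(pkt, len - 10, &in, &ilen);
}

/* Returning the verdict inside an nfq callback (not compiled here: needs
 * <libnetfilter_queue/libnetfilter_queue.h> and -lnetfilter_queue):
 *
 *   static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
 *                 struct nfq_data *nfa, void *data)
 *   {
 *       struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
 *       unsigned char *buf; const uint8_t *in; size_t ilen;
 *       int len = nfq_get_payload(nfa, &buf);
 *       if (len < 0 || ipip_decap(buf, (size_t)len, &in, &ilen) != DECAP_OK)
 *           return nfq_set_verdict(qh, ntohl(ph->packet_id), NF_DROP, 0, NULL);
 *       // NF_REPEAT re-runs the hook with the inner packet replacing the outer
 *       // one; mark 1 lets a "-m mark ! --mark 1" NFQUEUE rule skip it then.
 *       return nfq_set_verdict2(qh, ntohl(ph->packet_id), NF_REPEAT, 1,
 *                               (u_int32_t)ilen, in);
 *   }
 */
```

Two things to check before relying on NF_REPEAT in a real deployment. First, it re-runs the hook that queued the packet, so an NFQUEUE rule that still matches the rewritten packet will queue it again, forever; setting a mark in the verdict (nfq_set_verdict2, as in the comment) and excluding that mark in the rule is the usual guard. Second, hand back only bytes you have validated: the outer header's total-length field is attacker-controlled, so it is checked against the length the queue actually delivered before it is used, which is what keeps demo_truncated from reading past the buffer.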
Seems like libipq has been deprecated in favour of libnetfilter_queue. The documentation states:
issuing verdicts and/or reinjecting altered packets to the kernel nfnetlink_queue subsystem
seems like what you're looking for...

Even after using 'libnetfilter_queue'/'libipq', I am not able to figure out the mechanism as to how the packet could be transferred to the PREROUTING chain. Could you please help me in this regard? – Amit S Nov 30 '10 at 14:36
@Amit Sorry, just found it with a little bit of googling. Never used. – Daniele Santi Nov 30 '10 at 15:47