
Redirect IP-packets to my Application and then send them forward

I want to process IP packets in my app, like encrypting them, removing "bad" ones, etc., if they match some rule (say, for example, the destination IP) and then send them on to the destination. I think I can use the REDIRECT target of iptables for that purpose. I know that after forwarding packets to my app the original destination address will be overwritten, but there is a solution:

iptables overwrites the original destination address but it remembers the old one. The application code can then fetch it by asking for a special socket option, SO_ORIGINAL_DST

    /* Fetches the pre-REDIRECT destination of an accepted socket.
       SO_ORIGINAL_DST comes from <linux/netfilter_ipv4.h>; the original
       snippet logged through its own log_errno() helper, which is replaced
       here by perror() so the function compiles on its own. */
    #include <linux/netfilter_ipv4.h>
    #include <netinet/in.h>
    #include <stdio.h>
    #include <sys/socket.h>

    static int getdestaddr_iptables(int fd, const struct sockaddr_in *client,
                                    const struct sockaddr_in *bindaddr,
                                    struct sockaddr_in *destaddr)
    {
        socklen_t socklen = sizeof(*destaddr);
        int error;
        (void)client;    /* not needed for the iptables variant */
        (void)bindaddr;
        error = getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, destaddr, &socklen);
        if (error) {
            perror("getsockopt");
            return -1;
        }
        return 0;
    }

solution taken from here

For this purpose I also configured IPv4 forwarding by doing this:

sysctl -w net.ipv4.ip_forward=1

But then, when trying to set the iptables rule, I got an error.

My rule is: iptables -t nat -A OUTPUT -p ip -j REDIRECT --to-port 666

Error: iptables v1.4.21: Need TCP, UDP, SCTP or DCCP with port specification

I'm really a newbie with iptables and with this topic in general. Can somebody tell me what I am doing wrong? Why can't it redirect by IP? And is my idea correct? I also know about divert sockets, but they don't support fragmentation.

UPD1 Let me be clear about my problem: I want my device, which is connected to the internet, to be a kind of gateway for incoming/outgoing connections, and I want to process those packets with the help of my app. Some packets I will modify if they match some rule, others I will just send forward without any modifications. The laptop is "getting the internet" through that device.

The IP protocol simply does not have port numbers. TCP and UDP both offer 65536 ports, but these are unrelated. One is a 2 byte field in the TCP header, the other is a 2 byte field in the UDP header. ICMP (ping) does not have ports at all.
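The consequence of the answer above is that REDIRECT has to be written per transport protocol, e.g. for the gateway case in the question, `iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 666` (PREROUTING, because the OUTPUT chain only sees packets the gateway generates itself), and that the application then works on TCP connections, not on raw IP packets. The following is an added example, not code from the question, the answer, or the project the quoted snippet came from: a sequential transparent TCP relay that accepts redirected connections on port 666, recovers the real destination with SO_ORIGINAL_DST, applies a constructed filter rule (here: refuse destinations in 10.66.0.0/16, a placeholder for "bad" packets), and otherwise opens an upstream connection to the original destination and copies bytes in both directions. All names (`get_original_dst`, `policy_allows`, `relay`, the port and the blocked prefix) are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/netfilter_ipv4.h>   /* SO_ORIGINAL_DST */
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

#define LISTEN_PORT 666   /* constructed: matches --to-ports 666 in the question */

/* Build an IPv4 sockaddr from dotted-quad text and a host-order port. */
struct sockaddr_in make_addr(const char *ip, uint16_t port) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

/* Ask the kernel for the destination the client used before REDIRECT
   rewrote it. Only meaningful on a TCP socket accepted via a nat REDIRECT
   rule; returns 0 on success, -1 with errno set otherwise. */
int get_original_dst(int fd, struct sockaddr_in *dst) {
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    return getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, dst, &len);
}

/* Render "a.b.c.d:port" into buf and return buf. */
const char *format_addr(const struct sockaddr_in *sa, char *buf, size_t buflen) {
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip);
    snprintf(buf, buflen, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
    return buf;
}

/* Constructed policy: the "bad" rule from the question, keyed on destination
   IP. Returns 1 if the connection may be relayed, 0 if it must be dropped. */
int policy_allows(const struct sockaddr_in *dst) {
    uint32_t ip = ntohl(dst->sin_addr.s_addr);
    return (ip & 0xFFFF0000u) != 0x0A420000u;   /* block 10.66.0.0/16 */
}

static int write_all(int fd, const char *p, size_t n) {
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        p += w; n -= (size_t)w;
    }
    return 0;
}

/* Copy bytes between the client socket and the upstream socket until either
   side closes. A modifying rule would transform buf before write_all(). */
static void relay(int a, int b) {
    char buf[4096];
    for (;;) {
        fd_set rfds;
        FD_ZERO(&rfds); FD_SET(a, &rfds); FD_SET(b, &rfds);
        if (select((a > b ? a : b) + 1, &rfds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR) continue;
            return;
        }
        int from = FD_ISSET(a, &rfds) ? a : b;
        int to = (from == a) ? b : a;
        ssize_t n = read(from, buf, sizeof buf);
        if (n <= 0 || write_all(to, buf, (size_t)n) < 0) return;
    }
}

int main(void) {
    int ls = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    setsockopt(ls, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in la = make_addr("0.0.0.0", LISTEN_PORT);
    if (bind(ls, (struct sockaddr *)&la, sizeof la) < 0 || listen(ls, 16) < 0) {
        perror("bind/listen");
        return 1;
    }
    for (;;) {
        int cs = accept(ls, NULL, NULL);
        if (cs < 0) continue;
        struct sockaddr_in dst; char s[32];
        if (get_original_dst(cs, &dst) < 0) { perror("SO_ORIGINAL_DST"); close(cs); continue; }
        fprintf(stderr, "redirected connection for %s\n", format_addr(&dst, s, sizeof s));
        if (!policy_allows(&dst)) { close(cs); continue; }   /* "bad" destination: drop */
        int us = socket(AF_INET, SOCK_STREAM, 0);
        if (us < 0 || connect(us, (struct sockaddr *)&dst, sizeof dst) < 0) {
            perror("connect upstream"); close(cs); if (us >= 0) close(us); continue;
        }
        relay(cs, us);
        close(cs); close(us);
    }
}
```

Two things to check when wiring this up: the upstream `connect()` is itself a locally generated packet, so if a REDIRECT rule is also placed in the nat OUTPUT chain it must exclude the relay's own traffic (for example with the `owner` match on the relay's uid), or the relay will loop back into itself; and SO_ORIGINAL_DST only applies to the TCP flows a port-based rule can catch, so ICMP and IP fragments the rule never matches are still forwarded by the kernel unmodified under `ip_forward=1`.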
