using libipq to create a router

using libipq to create a router

[Eduardo Costa]

Hi, there !

I want to create a little program to route connections with libipq and 
nat table.

Something like that: client connects with master server, but it will 
only route this connection to another computer.

Pretty simple, but I need this info to create something bigger. I tried 
to change the IP header packet, but somehow it only worked with ICMP. I 
guess it's a problem with nat/conntrack, but there's no example mixing 
conntrack and libipq.

BTW, I don't want to make a kernel module and a libipt_XXX.so, because I 
think it's a solution bigger than the problem.

Thanks in advance,
Eduardo Costa

Re: using libipq to create a router

[Eduardo Costa]

So, what happens if I want to NAT a trivial protocol, like HTTP ?

BTW, is there any "hello world" example for conntrack ? I've played 
creating kernel modules pretty easy, but the documentation about 
creating new routing nat targets are poor. The only good examples are 
'masquerade' and 'redirect', but they lack comments.

Thanks,
Eduardo Costa

Henrik Nordstrom wrote:

>You can't NAT non-trivial protocols via libipq unless you are implementing
>the full conntrack+nat in your application and not using the kernel
>conntrack/nat support at all (must not be loaded into the kernel). Any NAT
>done via libipq does not play well together with conntrack and the
>iptables nat engine is completely unaware of your packet modifications.
>
>For NAT together with iptables conntrack/nat you really need to use kernel
>modules in the nat iptable.
>
>Regards
>Henrik
>
>
>
>  
>

Re: using libipq to create a router

[Henrik Nordstrom]

On Tue, 23 Sep 2003, Eduardo Costa wrote:

> Pretty simple, but I need this info to create something bigger. I tried 
> to change the IP header packet, but somehow it only worked with ICMP. I 
> guess it's a problem with nat/conntrack, but there's no example mixing 
> conntrack and libipq.

You can't NAT non-trivial protocols via libipq unless you are implementing
the full conntrack+nat in your application and not using the kernel
conntrack/nat support at all (must not be loaded into the kernel). Any NAT
done via libipq does not play well together with conntrack and the
iptables nat engine is completely unaware of your packet modifications.

For NAT together with iptables conntrack/nat you really need to use kernel
modules in the nat iptable.

Regards
Henrik

Re: using libipq to create a router

[Henrik Nordstrom]

On Tue, 23 Sep 2003, Eduardo Costa wrote:

> So, what happens if I want to NAT a trivial protocol, like HTTP ?

HTTP is not trivial. HTTP is on top of TCP which is not trivial.

Regards
Henrik