* Apply rules to 1 UDP port but port used as a socket: possible?
@ 2004-02-10 13:16 zze-Proxy GRALL O ext FTRD/SVA/LAN
  2004-02-11  0:25 ` Antony Stone
  2004-02-11  3:00 ` Alex Satrapa
  0 siblings, 2 replies; 5+ messages in thread
From: zze-Proxy GRALL O ext FTRD/SVA/LAN @ 2004-02-10 13:16 UTC (permalink / raw)
  To: netfilter

Hello to IPTables users,

I'm trying to use a socket (on port 1727) to decode some proprietary UDP
packets. When I've decoded them I want to apply a DNAT rule (and then a
SNAT too) to this port using a filter on @IP:port source for all
following packets...

I use libiptc to manage iptables from my application.

My problem is that I can't apply rules to the packets. They all arrive on
the socket. I think it may be due to connection tracking but I would
like your points of view to be sure.

Is there any solution to do it? For the moment I use v1.2.5a but I'm
installing v1.2.9.

Thanks in advance,

Olivier GRALL.

* Apply rules to 1 UDP port but port used as a socket: possible?
@ 2004-02-10 13:18 zze-Proxy GRALL O ext FTRD/SVA/LAN
  2004-02-11  7:53 ` Henrik Nordstrom
  0 siblings, 1 reply; 5+ messages in thread
From: zze-Proxy GRALL O ext FTRD/SVA/LAN @ 2004-02-10 13:18 UTC (permalink / raw)
  To: netfilter-devel

Hello to IPTables developers,

I'm trying to use a socket (on port 1727) to decode some proprietary UDP
packets. When I've decoded them I want to apply a DNAT rule (and then a
SNAT too) to this port using a filter on @IP:port source for all
following packets...

I use libiptc to manage iptables from my application.

My problem is that I can't apply rules to the packets. They all arrive on
the socket. I think it may be due to connection tracking but I would
like your points of view to be sure.

Is there any solution to do it? For the moment I use v1.2.5a but I'm
installing v1.2.9.

Thanks in advance,

Olivier GRALL.

* Re: Apply rules to 1 UDP port but port used as a socket: possible?
  2004-02-10 13:16 Apply rules to 1 UDP port but port used as a socket: possible? zze-Proxy GRALL O ext FTRD/SVA/LAN
@ 2004-02-11  0:25 ` Antony Stone
  2004-02-11  3:00 ` Alex Satrapa
  1 sibling, 0 replies; 5+ messages in thread
From: Antony Stone @ 2004-02-11  0:25 UTC (permalink / raw)
  To: netfilter

On Tuesday 10 February 2004 1:16 pm, zze-Proxy GRALL O ext FTRD/SVA/LAN wrote:

> Hello to IPTables users,
>
> I'm trying to use a socket (on port 1727) to decode some proprietary UDP
> packets. When I've decoded them I want to apply a DNAT rule (and then a
> SNAT  too) to this port using a filter on @IP:port source for all
> following packets...

I *think* what you're saying is that you want to receive packets on a socket 
bound to port 1727, and *then* you want to NAT the packets (which happens in 
the kernel, around about the routing stage, before they're handed over to a 
listening socket....).

If this interpretation is correct, then the very least reason why you can't do 
what you want is because once the packets have been accepted by a socket, 
they're no longer available to netfilter to be NATted, because they've 
already been delivered.

Have I misunderstood what you're trying to do?   Or are you really trying to 
redirect packets after they've arrived at their destination?

Antony.

-- 
Ramdisk is not an installation procedure.

                                                     Please reply to the list;
                                                           please don't CC me.

* Re: Apply rules to 1 UDP port but port used as a socket: possible?
  2004-02-10 13:16 Apply rules to 1 UDP port but port used as a socket: possible? zze-Proxy GRALL O ext FTRD/SVA/LAN
  2004-02-11  0:25 ` Antony Stone
@ 2004-02-11  3:00 ` Alex Satrapa
  1 sibling, 0 replies; 5+ messages in thread
From: Alex Satrapa @ 2004-02-11  3:00 UTC (permalink / raw)
  To: zze-Proxy GRALL O ext FTRD/SVA/LAN; +Cc: netfilter

zze-Proxy GRALL O ext FTRD/SVA/LAN wrote:
> I'm trying to use a socket (on port 1727) to decode some proprietary UDP 
> packets. When I've decoded them I want to apply a DNAT rule (and then a 
> SNAT  too) to this port using a filter on @IP:port source for all 
> following packets…

So do you have Machine F which is the firewall, and machines A, B and C
which are the ultimate destinations, and you want to have UDP packets from
machine X (elsewhere) being sent to A, B or C by F based on some
information in the first packet F receives from a new host X? You could
write your "monitor" to set up new rules based on the first packets that
arrive, with the remainder being "deflected" by the firewall rules.

* Re: Apply rules to 1 UDP port but port used as a socket: possible?
  2004-02-10 13:18 zze-Proxy GRALL O ext FTRD/SVA/LAN
@ 2004-02-11  7:53 ` Henrik Nordstrom
  0 siblings, 0 replies; 5+ messages in thread
From: Henrik Nordstrom @ 2004-02-11  7:53 UTC (permalink / raw)
  To: zze-Proxy GRALL O ext FTRD/SVA/LAN; +Cc: netfilter-devel

On Tue, 10 Feb 2004, zze-Proxy GRALL O ext FTRD/SVA/LAN wrote:

> I'm trying to use a socket (on port 1727) to decode some proprietary UDP
> packets. When I've decoded them I want to apply a DNAT rule (and then a
> SNAT  too) to this port using a filter on @IP:port source for all
> following packets...

This will be tricky if you accept the packet on the socket. The problem is 
that the connection entry is then already set up and cannot be NATed.

You should be able to use QUEUE in a table before nat PREROUTING such as
mangle PREROUTING, allowing you to inspect the packet before the
connection is set up.

Regards
Henrik


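The following script is an added example and is not code from the thread, from Olivier's application, or from the netfilter project. It wires together the three points made above: Antony's, that NAT is decided in the kernel around the routing stage, before a packet is ever handed to a listening socket; Alex's, that a "monitor" can install per-flow rules from the first packet it sees; and Henrik's, that the QUEUE target from mangle PREROUTING (which is traversed before nat PREROUTING) gets the packet to userspace before a NAT binding is chosen. The firewall address FW_IP, the example source and destination addresses, and the existence of a userspace decoder reading the QUEUE (classic ip_queue/libipq) are assumptions for illustration; the rule syntax is the iptables 1.2.x-era syntax the thread is about.

```shell
#!/bin/sh
# Added example, not from the thread.  Queue the first packet of each UDP
# flow to port 1727 from mangle PREROUTING, let a userspace decoder choose
# a real destination, then install DNAT/SNAT for that exact source IP:port
# so the kernel redirects the rest of the flow and the local socket on
# 1727 never sees it.
#
# Assumptions (hypothetical): FW_IP is the firewall's own address; a
# decoder is attached to the QUEUE target via ip_queue/libipq and calls
# redirect_flow before returning its verdict.  Run as root.  Set
# IPT_DRY_RUN=1 to print the iptables commands instead of executing them.

PORT=1727
FW_IP=${FW_IP:-192.0.2.1}      # assumed address of the firewall F
IPT=${IPT:-iptables}

# Run an iptables command, or print it when IPT_DRY_RUN is set.
ipt() {
    if [ -n "${IPT_DRY_RUN:-}" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Step 1 (once, at start-up): hand the first packet of every new UDP flow
# to port 1727 to userspace.  mangle PREROUTING runs before nat PREROUTING,
# so the decoder sees the packet before any NAT mapping exists and before
# the conntrack entry is confirmed.  Only NEW packets are queued: after the
# decoder reinjects the first packet with an ACCEPT verdict, later packets
# of that flow are ESTABLISHED and skip the queue entirely.
queue_first_packet() {
    ipt -t mangle -A PREROUTING -p udp --dport "$PORT" \
        -m state --state NEW -j QUEUE
}

# Step 2 (per flow, called by the decoder while the first packet is still
# queued): send this source IP:port to the chosen real destination and
# rewrite the source so replies return through the firewall.  A reinjected
# packet continues through the remaining PREROUTING hooks, nat included,
# so it hits the DNAT rule next and conntrack records the mapping for the
# rest of the flow.  -I puts the flow-specific rules ahead of anything
# more general already in the chain.
redirect_flow() {
    src_ip=$1; src_port=$2; dst_ip=$3
    ipt -t nat -I PREROUTING -p udp -s "$src_ip" --sport "$src_port" \
        --dport "$PORT" -j DNAT --to-destination "$dst_ip:$PORT"
    ipt -t nat -I POSTROUTING -p udp -s "$src_ip" --sport "$src_port" \
        -d "$dst_ip" --dport "$PORT" -j SNAT --to-source "$FW_IP"
}

# Tear down a flow's rules once the decoder decides it is finished.
remove_flow() {
    src_ip=$1; src_port=$2; dst_ip=$3
    ipt -t nat -D PREROUTING -p udp -s "$src_ip" --sport "$src_port" \
        --dport "$PORT" -j DNAT --to-destination "$dst_ip:$PORT"
    ipt -t nat -D POSTROUTING -p udp -s "$src_ip" --sport "$src_port" \
        -d "$dst_ip" --dport "$PORT" -j SNAT --to-source "$FW_IP"
}

# Usage: ./redirect.sh SRC_IP SRC_PORT DST_IP
if [ "$#" -eq 3 ]; then
    queue_first_packet
    redirect_flow "$1" "$2" "$3"
fi
```

Two caveats a practitioner will hit. First, the nat rules must exist before the decoder returns its verdict on the queued packet: nat PREROUTING is consulted only for the first packet of a flow, and the mapping it produces is then fixed for the life of the conntrack entry, which is exactly why a rule added after the socket has already accepted the packet has no effect. Second, if the decoder drops the queued packet instead of accepting it, no conntrack entry is confirmed, so the next packet from that source is NEW again and is queued again; that is harmless as long as the rules from redirect_flow are already in place, but the decoder should expect to see it. A UDP conntrack entry also expires after the idle timeout, after which the flow's next packet is NEW once more and takes the same path.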