* ip_local_deliver related query
From: Vasantha Kumar Puttappa @ 2006-02-03 6:13 UTC
To: netfilter-devel
Hi,
(I am assuming packet arrival at the local host.)
As far as I know, the Netfilter hook for the "INPUT" chain is called just before
the ip_local_deliver() function is called. If I am not wrong, the
ip_local_deliver function will remove the IP header and give the packet
to the appropriate function in the transport layer (TCP or UDP or ICMP
process).
What I want to do is to change the source IP address of the IP packet
just before calling ip_local_deliver() using IPtables.
So I want to know, will this go smoothly assuming there is a socket waiting
for this kind of packet (a packet with the new source IP address), or will
something go wrong?
Please give your valuable feedback and correct me for any wrong
understanding.
-------
Vasanth
* Re: ip_local_deliver related query
From: Patrick McHardy @ 2006-02-03 13:56 UTC
To: Vasantha Kumar Puttappa; +Cc: netfilter-devel
Vasantha Kumar Puttappa wrote:
> Hi,
>
> ( I am assuming packet arrival to the local host)
>
> As far as I know, the Netfilter hook for the "INPUT" chain is called just before
> the ip_local_deliver() function is called. If I am not wrong, the
> ip_local_deliver function will remove the IP header and give the packet
> to the appropriate function in the transport layer (TCP or UDP or ICMP
> process).
>
> What I want to do is to change the source IP address of the IP packet
> just before calling ip_local_deliver() using IPtables.
>
> So I want to know, will this go smoothly assuming there is a socket waiting
> for this kind of packet (a packet with the new source IP address), or will
> something go wrong?
This is exactly what NAT does. If you use DNAT in LOCAL_OUT, a SNAT
mapping is also set up for LOCAL_IN. The socket lookup is performed
later in the individual protocols, so it will use the rewritten
source address.
* Re: ip_local_deliver related query
From: Vasantha Kumar Puttappa @ 2006-02-04 6:21 UTC
To: Patrick McHardy; +Cc: Vasantha Kumar Puttappa, netfilter-devel
Hi Patrick,
Thanks for your valuable feedback. I have one more thing to clarify.
(Sorry, in the previous mail I made a great mistake: I wanted to change the
destination IP address of the packet and not the source IP address.)
(I am referring to the first figure in the following link:
http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html)
If I am not wrong, NAT is being done in the PREROUTING and POST-ROUTING
stages. But what I want to do is to take packets in the FILTER INPUT stage and
change the destination IP address (I don't want to create any SNAT
corresponding to that) and give it to the local process.
(Assume that a socket is waiting with that new destination address.)
So, will there be any problem?
Also, let me tell you what I am planning to do:
1. Create a TCP socket (connection) with machine IP address X.
2. Now I am changing the machine IP address to Y.
3. Now capture the incoming packets coming to the machine corresponding
to this TCP connection and replace the new IP address Y with X.
(Assume that somehow we know which packet belongs to which session.)
So, will the socket work fine after doing destination IP address translation,
or will there be any problem as soon as the IP address changes?
Please give me your valuable feedback.
--------
Vasanth
IIT Bombay
* Re: ip_local_deliver related query
From: Vasantha Kumar Puttappa @ 2006-02-07 6:28 UTC
To: Vasantha Kumar Puttappa
Cc: Vasantha Kumar Puttappa, netfilter-devel, Patrick McHardy
Hi Patrick,
Thanks for your response. I have one more thing to clarify.
(Sorry, in the previous mail I made a great mistake: I wanted to change the
destination IP address of the packet and not the source IP address.)
(I am referring to the first figure in the following link:
http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html)
If I am not wrong, NAT is being done in the PREROUTING and POST-ROUTING
stages. But what I want to do is to take packets in the FILTER INPUT stage and
change the destination IP address (I don't want to create any SNAT
corresponding to that) and give it to the local process.
(Assume that a socket is waiting with that new destination address.)
So, will there be any problem?
Also, let me tell you what I am planning to do:
1. Create a TCP socket (connection) with machine IP address X.
2. Now I am changing the machine IP address to Y.
3. Now capture the incoming packets coming to the machine corresponding
to this TCP connection with the new IP address as destination address
(assume that all problems related to TCP binding have been taken care of
and packets are able to reach the machine with the new IP address although
the application's TCP socket is still bound to the old IP address X)
and replace the new IP address Y with the old IP address X (in the FILTER INPUT stage).
So, will the socket work fine after doing destination IP address translation
in the FILTER INPUT stage, or will there be any problem as soon as the IP address
changes?
Please give me your valuable feedback.
--------
Vasanth
IIT Bombay
* Re: ip_local_deliver related query
From: Patrick McHardy @ 2006-02-07 14:47 UTC
To: Vasantha Kumar Puttappa; +Cc: netfilter-devel
Vasantha Kumar Puttappa wrote:
> Hi Patrick,
> Thanks for your response. I have one more thing to clarify.
> (Sorry, in the previous mail I made a great mistake: I wanted to change the
> destination IP address of the packet and not the source IP address.)
>
> (I am referring to the first figure in the following link:
> http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html)
>
> If I am not wrong, NAT is being done in the PREROUTING and POST-ROUTING
> stages. But what I want to do is to take packets in the FILTER INPUT stage and
> change the destination IP address (I don't want to create any SNAT
> corresponding to that) and give it to the local process.
> (Assume that a socket is waiting with that new destination address.)
NAT is also done in LOCAL_OUT (DNAT) and LOCAL_IN (SNAT).
> So, will there be any problem?
No, it will work fine. Again: the socket lookups are done after the
netfilter hooks were called, so they will use the changed IP address.
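The ordering Patrick describes, as an added model written for this page (not code from the thread or from the kernel): NAT bindings are applied at the LOCAL_OUT/LOCAL_IN hooks first, and the transport-layer socket lookup only runs afterwards on the rewritten tuple. It covers both his first reply (a DNAT at LOCAL_OUT records the reverse mapping that acts as SNAT at LOCAL_IN) and the asker's steps 1-3 (destination rewritten from Y back to X at INPUT); all addresses and ports are constructed.

```python
from typing import Dict, NamedTuple, Optional, Tuple

class Pkt(NamedTuple):
    """IPv4/TCP 4-tuple as seen by a netfilter hook."""
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Pkt":
        return Pkt(self.dst, self.dport, self.src, self.sport)

class NatState:
    """Conntrack-style NAT bindings, keyed by the tuple a hook will see."""
    def __init__(self) -> None:
        self.bindings: Dict[Pkt, Pkt] = {}

    def dnat_local_out(self, pkt: Pkt, new_dst: str) -> Pkt:
        """DNAT at LOCAL_OUT; conntrack also stores the reverse mapping, i.e.
        the implicit SNAT that rewrites the reply's source at LOCAL_IN."""
        out = pkt._replace(dst=new_dst)
        self.bindings[pkt] = out
        self.bindings[out.reply()] = pkt.reply()
        return out

def local_deliver(nat: NatState, sockets: Dict[Pkt, str], pkt: Pkt,
                  rewrite_dst: Optional[str] = None) -> Optional[str]:
    """ip_local_deliver-style path: LOCAL_IN hooks first, socket lookup second."""
    pkt = nat.bindings.get(pkt, pkt)         # reverse mapping of a LOCAL_OUT DNAT
    if rewrite_dst is not None:
        pkt = pkt._replace(dst=rewrite_dst)  # the asker's rewrite at INPUT
    return sockets.get(pkt.reply())          # socket key (local, remote) = reply tuple

def scenario_dnat_local_out() -> Tuple[str, Optional[str]]:
    """Patrick's first reply: DNAT at LOCAL_OUT, reply still reaches the socket."""
    nat, sock = NatState(), Pkt("10.0.0.5", 40001, "198.51.100.1", 443)  # constructed
    sockets = {sock: "tcp-sock"}             # app believes it talks to 198.51.100.1
    on_wire = nat.dnat_local_out(sock, "203.0.113.7")
    return on_wire.dst, local_deliver(nat, sockets, on_wire.reply())

def scenario_address_change() -> Tuple[Optional[str], Optional[str]]:
    """Steps 1-3 of the thread: socket bound to X, host renumbered to Y,
    inbound segments addressed to Y rewritten back to X at INPUT."""
    x, y, peer = "10.0.0.5", "10.0.0.9", "192.0.2.10"   # constructed addresses
    sockets = {Pkt(x, 40000, peer, 80): "tcp-sock-bound-to-X"}
    inbound = Pkt(peer, 80, y, 40000)
    return (local_deliver(NatState(), sockets, inbound),               # None: nothing bound to Y
            local_deliver(NatState(), sockets, inbound, rewrite_dst=x))
```

Without the INPUT rewrite the lookup finds nothing, because the socket table is consulted only after the hooks and is keyed on the tuple they leave behind.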