* question on extern exec prog with iptables.
From: sebastien @ 2008-11-15 6:38 UTC (permalink / raw)
To: netfilter
Hi all,
I have a web server which sends "wrong" HTML to the client, and I would
like to be able to correct this "wrong" HTML by re-forming the packets and
sending them on the network.
The problem is that iptables or ip6tables won't natively be able to send
me the original destination client's address and port of the server's
answer: am I wrong? iptables and ip6tables will form a new destination
address and port, and that's all.
If so, I need a way to send the exact port of the original packet to the
corrective program: the one which will transparently serve the
client, called by ... iptables or ip6tables?
Legacy, with "wrong" HTML:
---------- --------------
+ Client + <---> + Web Server +
---------- --------------
Result hoped for after transformation:
---------- -------------- ---------------------- ----------
+ Client + --> + Web Server + --> + corrective program + --> + Client +
---------- -------------- ---------------------- ----------
As you can see, I have no way to see packets from Client to Server. I
suppose that the only "strange" packet from the Client is a port-change
request which the server answers (TCP option). The corrective program will
not touch those packets: it simply "re-arranges" the packet at application
level for the client and delivers it to the right port (the one the
server originally sent to).
Can iptables and ip6tables modules do this? Call an external program
with the full packet content from the server.
Thanks in advance, best regards.
See ya.
Sébastien
Note: one can notice the mention of both iptables and ip6tables. The
production server is on IPv4 and I can only reproduce an IPv6 laboratory.
So, I need a way to do the job with both protocols.
* Re: question on extern exec prog with iptables.
From: Grant Taylor @ 2008-11-15 7:04 UTC (permalink / raw)
To: Mail List - Netfilter
On 11/15/2008 12:38 AM, sebastien wrote:
> The problem is that iptables or ip6tables won't natively be able to
> send me the original destination client's address and port of the
> server's answer: am I wrong? iptables and ip6tables will form a new
> destination address and port, and that's all.
Why not? (See below.)
> If so, I need a way to send the exact port of the original packet to
> the corrective program: the one which will transparently serve
> the client, called by ... iptables or ip6tables?
I think you will probably be best served by (I believe) the QUEUE target
that allows IPTables to pass complete packets to user space for processing.
> Can iptables and ip6tables modules do this? Call an external
> program with the full packet content from the server.
I think if you use the QUEUE target you will be able to pass packets
(whichever ones you want) to your "correction" program, including all
source / destination IP and port information. With this information you
should be able to process the packets as you see fit and then generate a
new reply packet.
Grant. . . .
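To make the suggestion above concrete, here is an added example (not code from either poster, and not part of the original thread) of the packet-level work a userspace program fed by the queue target has to do: it parses the IPv4 or IPv6 and TCP headers to recover the original client address and port the question asks about, rewrites the HTML payload, and recomputes the TCP checksum before the packet would be reinjected. The NFQUEUE rules in the leading comment, the queue number and the addresses are assumptions for illustration; the sample packets are constructed by make_packet, not captured traffic.

```python
import socket
import struct

# Assumed rules diverting the web server's replies to userspace queue 0
# (NFQUEUE is the numbered successor of the QUEUE target named above):
#   iptables  -t mangle -A OUTPUT -p tcp --sport 80 -j NFQUEUE --queue-num 0
#   ip6tables -t mangle -A OUTPUT -p tcp --sport 80 -j NFQUEUE --queue-num 0
# A program bound to that queue (e.g. via libnetfilter_queue) receives each
# packet as raw bytes starting at the IP header and must return a verdict.
IPPROTO_TCP = 6

def _ones_complement_sum(data):
    """16-bit one's complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(version, src, dst, segment):
    """TCP checksum over pseudo-header plus segment, with the checksum field zeroed."""
    if version == 4:
        pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    else:
        pseudo = src + dst + struct.pack("!I", len(segment)) + b"\x00\x00\x00" + bytes([IPPROTO_TCP])
    seg = segment[:16] + b"\x00\x00" + segment[18:]
    return (~_ones_complement_sum(pseudo + seg)) & 0xFFFF

def parse_packet(raw):
    """Extract addresses, ports and the TCP payload from a raw IPv4 or IPv6 packet."""
    version = raw[0] >> 4
    if version == 4:
        ip_len = (raw[0] & 0x0F) * 4
        total_len = struct.unpack("!H", raw[2:4])[0]
        proto, family = raw[9], socket.AF_INET
        src, dst = raw[12:16], raw[16:20]
        l4 = raw[ip_len:total_len]
    elif version == 6:
        ip_len = 40  # IPv6 extension headers are not handled in this example
        payload_len, proto = struct.unpack("!HB", raw[4:7])
        family = socket.AF_INET6
        src, dst = raw[8:24], raw[24:40]
        l4 = raw[40:40 + payload_len]
    else:
        raise ValueError("not an IP packet")
    if proto != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
    tcp_len = (off_flags >> 12) * 4
    return {
        "version": version, "ip_len": ip_len, "tcp_len": tcp_len,
        "src": socket.inet_ntop(family, src), "dst": socket.inet_ntop(family, dst),
        "src_raw": src, "dst_raw": dst, "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "segment": l4, "payload": l4[tcp_len:],
    }

def verify_checksum(raw):
    """True if the TCP checksum carried in the packet matches its contents."""
    p = parse_packet(raw)
    stored = struct.unpack("!H", p["segment"][16:18])[0]
    return stored == tcp_checksum(p["version"], p["src_raw"], p["dst_raw"], p["segment"])

def rewrite_payload(payload, old, new):
    """Replace old with new only if the length is unchanged: a length change would
    shift TCP sequence numbers for the rest of the connection (needs a proxy instead)."""
    if len(old) != len(new):
        raise ValueError("length-changing rewrite would desynchronise TCP")
    return payload.replace(old, new)

def rebuild(raw, new_payload):
    """Return the packet with its payload replaced and the TCP checksum recomputed."""
    p = parse_packet(raw)
    if len(new_payload) != len(p["payload"]):
        raise ValueError("payload length must be preserved")
    seg = p["segment"][:p["tcp_len"]] + new_payload
    csum = tcp_checksum(p["version"], p["src_raw"], p["dst_raw"], seg)
    seg = seg[:16] + struct.pack("!H", csum) + seg[18:]
    return raw[:p["ip_len"]] + seg

def make_packet(version, src, dst, sport, dport, payload, seq=1000, ack=2000):
    """Build a minimal TCP/IP packet: constructed sample input, not captured traffic."""
    family = socket.AF_INET if version == 4 else socket.AF_INET6
    s, d = socket.inet_pton(family, src), socket.inet_pton(family, dst)
    seg = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | 0x18, 0xFFFF, 0, 0) + payload
    seg = seg[:16] + struct.pack("!H", tcp_checksum(version, s, d, seg)) + seg[18:]
    if version == 4:
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, 64, IPPROTO_TCP, 0, s, d)
        hdr = hdr[:10] + struct.pack("!H", (~_ones_complement_sum(hdr)) & 0xFFFF) + hdr[12:]
    else:
        hdr = struct.pack("!IHBB16s16s", 0x60000000, len(seg), IPPROTO_TCP, 64, s, d)
    return hdr + seg

if __name__ == "__main__":
    reply = make_packet(6, "2001:db8::80", "2001:db8::1", 80, 51234, b"<html>bad</html>")
    info = parse_packet(reply)
    print(info["src"], info["sport"], "->", info["dst"], info["dport"])
    fixed = rebuild(reply, rewrite_payload(info["payload"], b"bad", b"fix"))
    print(parse_packet(fixed)["payload"], verify_checksum(fixed))
```

The same parser handles both the IPv4 production case and the IPv6 lab mentioned in the question, because the queue hands over the whole packet from the IP header onward in either case. The same-length restriction in rewrite_payload is deliberate: a correction that changes the HTML length changes the number of bytes in the TCP stream, so every later sequence and acknowledgement number on that connection would have to be translated in both directions, which is the job of a transparent proxy rather than a per-packet rewrite.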