* Get source IP of packet through PREROUTING CHAIN
@ 2009-08-11 4:39 Elison Niven
2009-08-11 12:36 ` Gáspár Lajos
0 siblings, 1 reply; 4+ messages in thread
From: Elison Niven @ 2009-08-11 4:39 UTC (permalink / raw)
To: netfilter; +Cc: elison.niven
Hi List,
I have two interfaces eth0 and eth1 on my machine.
My machine has eth0 = 192.168.1.100 and eth1 = 172.16.1.100
The scenario is that I will be receiving packets at port 10000 on eth0
of my machine. I do not know from which IP the packets are being
received (Can be any machine - I do not need to apply a source address
matching rule).
I need to forward these packets to another machine B, which I do with
this rule:
iptables -t nat -I PREROUTING -i eth0 -p udp \
--dport 10000 -j DNAT --to-destination 172.16.1.200
Note that I have not added any -s option to the rule for source
address matching.
This also works properly. Now I need to _know_ the source IP and
source Port of the packets that are being received at port 10000 on
eth0. (For example to send some data back to the _same_machine_ that
is sending packets at port 10000)
How do I achieve this?
Best Regards,
Elison
* Re: Get source IP of packet through PREROUTING CHAIN
From: Gáspár Lajos @ 2009-08-11 12:36 UTC (permalink / raw)
To: Elison Niven; +Cc: netfilter, elison.niven
Hi Elison,
The conntrack subsystem knows about every connection.
So maybe you need to check that.
Elison Niven wrote:
> Hi List,
>
> I have two interfaces eth0 and eth1 on my machine.
>
> My machine has eth0 = 192.168.1.100 and eth1 = 172.16.1.100
>
> The scenario is that I will be receiving packets at port 10000 on eth0
> of my machine. I do not know from which IP the packets are being
> received (Can be any machine - I do not need to apply a source address
> matching rule).
>
You may not know the source IP, but your machine will, because it sees
the packets coming from eth0's network.
> I need to forward these packets to another machine B that I do so with
> this rule:
>
> iptables -t nat -I PREROUTING -i eth0 -p udp \
> --dport 10000 -j DNAT --to-destination 172.16.1.200
>
> Note that I have not added any -s option to the rule for source
> address matching.
>
> This also works properly. Now I need to _know_ the source IP and
> source Port of the packets that are being received at port 10000 on
> eth0. (For example to send some data back to the _same_machine_ that
> is sending packets at port 10000)
>
Again: if the conntrack (in your machine) knows the source IP/port
numbers then it will automagically replace them on the back route.
It may also be a problem if your response packets are not SNAT-ed (in
the case where the sender machines send the packets directly to your machine).
> How do I achieve this?
>
> Best Regards,
> Elison
>
Swifty
* Re: Get source IP of packet through PREROUTING CHAIN
From: Elison Niven @ 2009-08-11 13:37 UTC (permalink / raw)
To: netfilter; +Cc: elison.niven
Hi,
What I need is to be able to know the source IP and port of the
packets received at a particular port (10000 here) in user space,
through a C language interface, or maybe I can read it somewhere from the
proc directory?
For example,
Machine X <------>| Network |<------->(eth0) My Machine (eth1) <----->Machine A
Machine Y <------>| |
Machine X - 192.168.1.13
Machine Y - 192.168.1.14
My Machine eth0 - 192.168.1.100
My Machine eth1 - 172.16.1.100
Machine A - 172.16.1.200 is a slave device controlled by my machine.
My machine receives some packets on port 10000 on eth0. Its job is to
simply forward them to Machine A. It does so by
iptables -t nat -I PREROUTING -i eth0 -p udp \
--dport 10000 -j DNAT --to-destination 172.16.1.200
Machine A is configured to send packets to Machine X. My machine is
default gateway for Machine A.
I do masquerading on eth0 and forwarding is enabled - eth1 to eth0.
Now I need that, in case Machine Y is sending on port 10000 instead of
Machine X, I have the *choice* whether to configure Machine A to
continue sending to X or instead to configure it to send to Machine
Y.
Hope I am clear,
Elison
* Re: Get source IP of packet through PREROUTING CHAIN
From: Christoph A. @ 2009-08-11 13:44 UTC (permalink / raw)
To: Elison Niven; +Cc: netfilter, elison.niven
On 11.08.2009 15:37, Elison Niven wrote:
> Hi,
>
> What I need is to be able to know the source IP and port of the
> packets received at a particular port (10000 here) in user space
> through a C language interface or may be can I read somewhere from the
> proc directory?
I guess
/proc/net/nf_conntrack
will be handy for you.
kind regards,
Christoph A.
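As an added example (not code from the thread or from the netfilter project), here is a small Python parser for the /proc/net/nf_conntrack format Christoph points to: it pulls the original-direction source IP/port of every UDP flow aimed at port 10000, and also exposes the reply-direction src, which after the DNAT rule is the real destination (172.16.1.200 in Elison's setup). The sample lines are constructed in that format; the parser assumes the nf_conntrack layout (with the leading "ipv4 2 udp 17" fields), not the legacy ip_conntrack one.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple

# Constructed sample lines in /proc/net/nf_conntrack format (not from the thread):
# a replied UDP flow from Machine X, a still-unreplied one from Machine Y, and an
# unrelated TCP flow. After DNAT the reply-direction src is the real destination.
SAMPLE_NF_CONNTRACK = """\
ipv4     2 udp      17 29 src=192.168.1.13 dst=192.168.1.100 sport=40001 dport=10000 src=172.16.1.200 dst=192.168.1.13 sport=10000 dport=40001 mark=0 use=2
ipv4     2 udp      17 5 src=192.168.1.14 dst=192.168.1.100 sport=53022 dport=10000 [UNREPLIED] src=172.16.1.200 dst=192.168.1.14 sport=10000 dport=53022 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.13 dst=192.168.1.100 sport=51000 dport=22 src=192.168.1.100 dst=192.168.1.13 sport=22 dport=51000 [ASSURED] mark=0 use=1
"""

class Flow(NamedTuple):
    proto: str
    src: str        # original sender: the IP the poster wants to learn
    sport: int
    dport: int      # port the sender targeted on eth0 (10000 in the thread)
    dnat_dst: str   # reply-direction src = where the kernel delivered the packet
    replied: bool   # False while the entry is still marked [UNREPLIED]

# One original-direction or reply-direction tuple; each entry carries exactly two.
_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_nf_conntrack(text: str) -> Iterator[Flow]:
    """Yield one Flow per conntrack entry (nf_conntrack layout assumed:
    'ipv4 2 udp 17 <timeout> [state] <orig tuple> [UNREPLIED] <reply tuple> ...')."""
    for line in text.splitlines():
        fields = line.split()
        tuples = _TUPLE.findall(line)
        if len(fields) < 3 or len(tuples) != 2:
            continue  # blank, truncated or expectation line: skip rather than guess
        (osrc, _odst, osport, odport), (rsrc, _rdst, _rsport, _rdport) = tuples
        yield Flow(proto=fields[2], src=osrc, sport=int(osport), dport=int(odport),
                   dnat_dst=rsrc, replied="[UNREPLIED]" not in line)

def senders_to_port(text: str, dport: int, proto: str = "udp") -> List[Tuple[str, int]]:
    """(source IP, source port) of every flow of the given protocol aimed at dport."""
    return [(f.src, f.sport) for f in parse_nf_conntrack(text)
            if f.proto == proto and f.dport == dport]

def senders_on_this_host(dport: int = 10000, path: str = "/proc/net/nf_conntrack"):
    """Same query against the live table; reading it needs root / CAP_NET_ADMIN."""
    with open(path) as fh:
        return senders_to_port(fh.read(), dport)

if __name__ == "__main__":
    for ip, port in senders_to_port(SAMPLE_NF_CONNTRACK, 10000):
        print(f"sender {ip}:{port}")
```

Entries expire with the conntrack UDP timeout, so a sender that has gone quiet disappears from the table; poll it or use the conntrack netlink interface for a long-running controller.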