ip_local_deliver related query

Vasantha Kumar Puttappa vasanthakumar at iitb.ac.in
Sat Feb 4 07:21:31 CET 2006


Hi Patrick,
 Thanks for your valuable feedback. I have one more thing to clarify.
 ( Sorry, in the previous mail I made a great mistake: I wanted to change
the destination IP address of the packet, not the source IP address).

 ( I am referring to the first figure in the following link:
http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html)

 If I am not wrong, NAT is done in the PREROUTING and POST-ROUTING
stages. But what I want to do is to take packets in the FILTER INPUT stage,
change the destination IP address ( I don't want to create any SNAT
corresponding to that) and give them to the local process.
(Assume that a socket is waiting with that new destination address)

 So, will there be any problem?


Also, let me tell you what I am planning to do...

1. Create a TCP socket (connection) with machine IP address X
2. Now I change the machine IP address to Y
3. Now capture the incoming packets coming to the machine corresponding
to this TCP connection and replace the new IP address Y with X.
  ( Assume that somehow we know which packet belongs to which session)

 So, will the socket work fine after doing destination IP address translation,
or will there be a problem as soon as the IP address changes?

Please give me valuable feedback

--------
Vasanth
IIT Bombay

> Vasantha Kumar Puttappa wrote:
>> Hi,
>>
>> ( I am assuming packet arrival to the local host)
>>
>>   As far as I know, the Netfilter hook for the "INPUT" chain is called just
>> before
>> the ip_local_deliver() function is called. If I am not wrong, the
>> ip_local_deliver function will remove the IP header and give the packet
>> to the appropriate function in the transport layer ( TCP or UDP or ICMP
>> process).
>>
>>
>>  What I want to do is to change the source IP address of the IP
>> packet
>> just before calling ip_local_deliver() using iptables.
>>
>> So I want to know: will this go smoothly, assuming there is a socket waiting
>> for this kind of packet (packet with the new source IP address), or will
>> something go wrong?
>
> This is exactly what NAT does. If you use DNAT in LOCAL_OUT, a SNAT
> mapping is also set up for LOCAL_IN. The socket lookup is performed
> later in the individual protocols, so it will use the rewritten
> source address.
>
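Added example, not from this thread and not netfilter or kernel code: a userspace C model of the destination-address rewrite discussed above. It shows the part that Patrick's "this is exactly what NAT does" covers and the three-step plan leaves out: once daddr is changed in front of ip_local_deliver(), both the IPv4 header checksum and the TCP checksum (whose pseudo-header includes the destination address) have to be fixed up, otherwise TCP discards the segment before any socket lookup takes place. The fix-up uses the RFC 1624 incremental update, the same approach the kernel's csum_replace4()/inet_proto_csum_replace4() helpers take. The packet is constructed, and the helper names and header offsets are this example's own assumptions (IPv4 without options, TCP only).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 16-bit field access in network (big-endian) byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* One's-complement sum of a byte range added to 'sum', folded to 16 bits. */
static uint32_t ones_sum(const uint8_t *data, size_t len, uint32_t sum)
{
    while (len > 1) { sum += rd16(data); data += 2; len -= 2; }
    if (len) sum += (uint32_t)data[0] << 8;          /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return sum;
}

/* RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), for one 16-bit word m -> m'. */
static uint16_t csum_replace16(uint16_t check, uint16_t old_w, uint16_t new_w)
{
    uint32_t sum = (uint16_t)~check;
    sum += (uint16_t)~old_w;
    sum += new_w;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Full recomputation, used to verify the incremental result. */
int ipv4_header_valid(const uint8_t *pkt)
{
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    return ones_sum(pkt, ihl, 0) == 0xffff;
}

int tcp_segment_valid(const uint8_t *pkt, size_t pkt_len)
{
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tcp_len = pkt_len - ihl;
    uint32_t sum = ones_sum(pkt + 12, 8, 0);      /* pseudo-header: saddr, daddr */
    sum += pkt[9];                                /* zero byte + protocol */
    sum += (uint32_t)tcp_len;                     /* TCP length */
    return ones_sum(pkt + ihl, tcp_len, sum) == 0xffff;
}

/* Rewrite the destination address of an IPv4/TCP packet in place and patch
 * both checksums incrementally. new_daddr is in host byte order. */
int rewrite_daddr(uint8_t *pkt, size_t pkt_len, uint32_t new_daddr)
{
    if (pkt_len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || pkt_len < ihl + 20 || pkt[9] != 6) return -1; /* TCP only here */

    uint8_t *daddr = pkt + 16, *ip_check = pkt + 10, *tcp_check = pkt + ihl + 16;
    uint16_t old_hi = rd16(daddr), old_lo = rd16(daddr + 2);
    uint16_t new_hi = (uint16_t)(new_daddr >> 16), new_lo = (uint16_t)new_daddr;

    /* IPv4 header checksum covers daddr directly. */
    uint16_t c = csum_replace16(rd16(ip_check), old_hi, new_hi);
    wr16(ip_check, csum_replace16(c, old_lo, new_lo));
    /* TCP checksum covers daddr through the pseudo-header, so it moves too. */
    c = csum_replace16(rd16(tcp_check), old_hi, new_hi);
    wr16(tcp_check, csum_replace16(c, old_lo, new_lo));

    wr16(daddr, new_hi);
    wr16(daddr + 2, new_lo);
    return 0;
}

/* Constructed sample: 40-byte IPv4/TCP SYN 10.0.0.1:40000 -> 10.0.0.2:80,
 * with both checksums computed from scratch. */
size_t build_sample_packet(uint8_t *buf)
{
    static const uint8_t hdr[40] = {
        0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        10, 0, 0, 1,  10, 0, 0, 2,                          /* saddr, daddr */
        0x9c, 0x40, 0x00, 0x50, 0x01, 0x02, 0x03, 0x04, 0, 0, 0, 0,
        0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,     /* SYN, window, check, urg */
    };
    memcpy(buf, hdr, 40);
    wr16(buf + 10, (uint16_t)~ones_sum(buf, 20, 0));
    uint32_t sum = ones_sum(buf + 12, 8, 0) + 6 + 20;
    wr16(buf + 36, (uint16_t)~ones_sum(buf + 20, 20, sum));
    return 40;
}

int main(void)
{
    uint8_t pkt[40];
    size_t n = build_sample_packet(pkt);
    printf("before: ip csum %04x tcp csum %04x valid=%d/%d\n", rd16(pkt + 10), rd16(pkt + 36),
           ipv4_header_valid(pkt), tcp_segment_valid(pkt, n));
    rewrite_daddr(pkt, n, 0x0a000063u);               /* 10.0.0.2 -> 10.0.0.99 */
    printf("after:  ip csum %04x tcp csum %04x valid=%d/%d\n", rd16(pkt + 10), rd16(pkt + 36),
           ipv4_header_valid(pkt), tcp_segment_valid(pkt, n));
    return 0;
}
```

Both validity checks still pass after the rewrite because the incremental update is exact in one's-complement arithmetic; if only the IP header checksum were patched, tcp_segment_valid() would return 0, which is the case the transport layer would reject. Note this is only the checksum half of what NAT does: without the conntrack mapping Patrick mentions, replies leave with the unmapped address.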

More information about the netfilter-devel mailing list