libipq and TCP connections

James Newton baron@shutdown.com
Sun, 6 Jan 2002 13:00:52 -0800 (PST)


Hello everyone,

I had posted a message the other day about a problem with TCP and libipq.
I believe I've figured out why I was having problems with the TCP
connection failing. It was because I wasn't changing the TCP sequence
numbers to reflect the bytes I inserted into the stream.

I've now come across another problem. This one is with the firewall code. I'm
running a 2.4.16 kernel with iptables 1.2.4. The following rules are
loaded:

# These rules are to protect my box and to masquerade all my internal
# machines
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
...
<various ACCEPT's on filters INPUT table since I set the default to DROP>
...
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# These are for my packet editor program
iptables -t mangle -I PREROUTING 1 -p tcp --destination-port 80 -j QUEUE
iptables -t nat -I PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8000

My packet editor edits HTTP requests and then the firewall forwards them
into the proxy program. The reason I'm doing this is to have fun and learn
more about Linux's firewall, and also to make the proxy a transparent
proxy. The proxy doesn't support being transparent itself, so my packet
editor does it for the proxy. This way any proxy would work with it.

The problem is that once the NAT table redirects the connection to local
port 8000, the QUEUE rule never sees packets going from the proxy server
to the client. It sees all the packets from the client fine. The
connection works, it's just that libipq never sees half the packets from the
connection.

If I take out the REDIRECT, my packet editor sees both directions of the
TCP session. It's only with the REDIRECT that the server half is lost. I've
tried various other rules with a target of QUEUE to see if I could pick
the packets back up, but to no success. Does anyone know enough about the
internals of the firewall code to help me out here?

Thanks for any help that can be provided,
James Newton
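Added here as a worked example, not part of the original post: a rule set that queues the reply direction as well. Once REDIRECT makes the proxy a local process, its packets are locally generated and traverse OUTPUT and POSTROUTING rather than PREROUTING, so a second QUEUE rule in mangle OUTPUT is needed. The variable names `IPT` and `PROXY_PORT` and the script name `rules.sh` are introduced here; port 8000 follows the post.

```shell
#!/bin/sh
# Added example (not from the original post): rules so a libipq packet
# editor sees BOTH halves of a TCP session that nat REDIRECT sends to a
# local transparent proxy on port 8000.
#
# Dry run by default: IPT expands to "echo iptables" and the commands are
# printed instead of executed. Load them for real (as root) with:
#   IPT=iptables sh rules.sh
IPT="${IPT:-echo iptables}"          # hypothetical variable, introduced here
PROXY_PORT="${PROXY_PORT:-8000}"     # local port the proxy listens on (from the post)

transparent_proxy_rules() {
    # Client -> proxy direction. Packets arrive on a network interface and
    # traverse PREROUTING, so the rules from the post already cover this.
    $IPT -t mangle -I PREROUTING 1 -p tcp --destination-port 80 -j QUEUE
    $IPT -t nat -I PREROUTING 1 -p tcp --destination-port 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"

    # Proxy -> client direction. Without REDIRECT the replies come back from
    # the real server over the network and hit PREROUTING. With REDIRECT the
    # "server" is a local process, and locally generated packets never pass
    # PREROUTING: they go through OUTPUT and then POSTROUTING. The reverse
    # port translation (8000 -> 80) is applied in nat POSTROUTING, so at
    # mangle OUTPUT the packet still carries source port 8000 and can be
    # matched on it.
    $IPT -t mangle -I OUTPUT 1 -p tcp --source-port "$PROXY_PORT" -j QUEUE
}

transparent_proxy_rules
```

The INPUT chain still needs to accept the redirected client packets on port 8000 (the ESTABLISHED,RELATED rule covers the rest of the session), and a libipq verdict must be issued for every queued packet in both directions or the session stalls.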