Re: nat in linux kernel

From: Giacomo (jacum_at_libero.it)
Date: 07/04/05


Date: Mon, 04 Jul 2005 10:11:36 GMT

Thanks joy!
Yes, I sniff and see PREROUTING with the old IP and ports, then the packets go into
INPUT with the new values... but
then I can't see any response back.

I think I must recalculate the checksum, but I don't know which functions are the right
ones!

Thanks a lot!

Giacomo

"joy" <joy79a_nospam_@libero.it> wrote in message
news:%K7ye.82$b93.36@tornado.fastwebnet.it...
> Giacomo wrote:
>> Good morning, I'm Giacomo from Italy.
>>
>> I am writing a simple firewall in Linux kernel space (2.6.11).
>>
>> I'm trying to implement DNAT, and I take struct sk_buff* skb from
>> functions in the PREROUTING context.
>>
>> I change the destination port on the skb.
>>
>> I printk the fields in PREROUTING and in INPUT: everything is as expected:
>> original port in PREROUTING and changed port in INPUT.
>>
>> The problem is that the packet seems to disappear: it does not enter the
>> OUTPUT hook.
>>
>> For example:
>>
>> I map port 100 to 22 and do SSH from IP2 to IP1. On IP1 I do DNAT from
>> port 100 to 22:
>>
>> IP2: ssh IP1 -p 100
>>
>> On IP1 I get printed:
>>
>> PRE: dest port 100 OK
>> INPUT dest port 22 OK!
>>
>> but ssh does not seem to respond; it probably does not really receive the packet!
>>
>> WHY??
>>
>> Perhaps I'm missing something... perhaps it is not enough to simply rewrite a
>> field of the sk_buff.
>>
>> I thought it was automatic that, since a packet enters the INPUT functions
>> with a certain destination port, although different from the port that
>> was in PREROUTING,
>> it would be directed the right way, in this case delivered to port 22 where
>> ssh is listening.
>>
>> Do I have to recalculate the checksum?? How??
>>
>> PS: of course, I have prepared de-DNAT on outgoing packets... but for now
>> they do not OUT-GO!
>>
>> PPS: of course ssh is up and responds correctly if I don't mangle the
>> destination port in PREROUTING.
>>
>> Thanks in advance for any idea.
>>
>> Giacomo, Italy
> Hello Jacopo....
>
> Have you tried to sniff? What do you see?
>
> peppe
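Added example, not code from this thread: a user-space C illustration of why the bare destination-port rewrite described above produces a segment the receiving TCP stack silently drops (the TCP checksum still covers the old port), and the RFC 1624 incremental update a NAT rewrite has to apply to the checksum field after changing a 16-bit word. The packet bytes, addresses and ports are constructed for the example; in-kernel code would use the kernel's own checksum helpers instead of this hand-rolled version and must also account for skb->ip_summed (hardware checksum offload), which this example ignores.

```c
#include <stdint.h>
#include <string.h>
/* One's-complement sum of 16-bit big-endian words (RFC 1071). */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum) {
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len) sum += (uint32_t)(p[0] << 8);              /* odd trailing byte */
    return sum;
}
/* Fold carries with end-around add and complement: the checksum of a sum. */
static uint16_t fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Full TCP checksum: IPv4 pseudo-header + TCP segment. Assumes a 20-byte IP header. */
uint16_t tcp_checksum(const uint8_t *pkt, size_t len) {
    size_t tcp_len = len - 20;
    uint8_t pseudo[12] = {0};
    memcpy(pseudo, pkt + 12, 8);                         /* src and dst addresses */
    pseudo[9] = 6;                                       /* protocol = TCP */
    pseudo[10] = (uint8_t)(tcp_len >> 8); pseudo[11] = (uint8_t)tcp_len;
    return fold(ones_sum(pkt + 20, tcp_len, ones_sum(pseudo, 12, 0)));
}
/* A stored checksum is valid iff checksumming the segment including it gives 0. */
int tcp_checksum_ok(const uint8_t *pkt, size_t len) { return tcp_checksum(pkt, len) == 0; }
/* RFC 1624 incremental update when one 16-bit word changes: HC' = ~(~HC + ~m + m'). */
uint16_t csum_replace16(uint16_t old_csum, uint16_t old_val, uint16_t new_val) {
    return fold((uint32_t)(uint16_t)~old_csum + (uint16_t)~old_val + new_val);
}
/* Constructed sample: IPv4 10.0.0.2 -> 10.0.0.1, TCP SYN 50000 -> 100, no payload.
 * The IP header checksum is left zero; it does not cover TCP ports and is not the issue. */
size_t build_syn_to_port100(uint8_t *pkt) {
    static const uint8_t hdr[40] = {
        0x45,0,0,40, 0,0,0x40,0, 64,6,0,0, 10,0,0,2, 10,0,0,1,
        0xc3,0x50, 0,100, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
    memcpy(pkt, hdr, 40);
    uint16_t c = tcp_checksum(pkt, 40);                  /* checksum field still zero */
    pkt[36] = (uint8_t)(c >> 8); pkt[37] = (uint8_t)c;
    return 40;
}
/* Rewrite the TCP destination port (DNAT). fix_csum == 0 is the bare field rewrite
 * from the post; fix_csum == 1 also patches the checksum incrementally. */
void dnat_port(uint8_t *pkt, uint16_t new_port, int fix_csum) {
    uint16_t old_port = (uint16_t)((pkt[22] << 8) | pkt[23]);
    pkt[22] = (uint8_t)(new_port >> 8); pkt[23] = (uint8_t)new_port;
    if (!fix_csum) return;
    uint16_t old_csum = (uint16_t)((pkt[36] << 8) | pkt[37]);
    uint16_t c = csum_replace16(old_csum, old_port, new_port);
    pkt[36] = (uint8_t)(c >> 8); pkt[37] = (uint8_t)c;
}
```

The same incremental update applies to every word the NAT changes (address words and the IP header checksum for address rewrites, the port word and the TCP/UDP checksum for port rewrites), and the reverse rewrite on the outgoing path needs it too.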


