Is there a way to combine the QUEUE functionality and MASQUERADE to do "conditional" masquerading based on the results of inspecting a packet in userspace? I want to write a program using ip_queue that looks at a packet and is able to allow it to be handled locally, or pass it to MASQ. I have a program that intercepts certain packets passed onto the QUEUE mechanism. It is able to tell me if the packet is acceptable, but all I know to do at this point is to just pass it back with NF_ACCEPT.
 
Here is a brief description about what is happening now:
 
* On my .125 box, I use a web browser to go to http://192.168.0.200
 
* At this point, I see the index page on the .200 server.

* Then I do this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.201

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

* At this point, all connections coming in on eth0 to port 80 are MASQ'd to 192.168.0.201.

* On my .125 box, I use a web browser to go to http://192.168.0.200 and see the index page on my .201 box.

* Then I do this:

iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -i eth0 -j QUEUE

* Then I run my QUEUE program which just prints info about the packet then does an NF_ACCEPT.

* At this point, nothing gets forwarded, and I see the .200 index page.

What is happening in QUEUE that is causing me to bypass MASQ?

 

Iman Mayes
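As an added example that is not part of the original post, the script below audits an iptables-save style dump for the ordering the post describes: a QUEUE rule inserted ahead of a DNAT or MASQUERADE rule in the same chain. The QUEUE target ends traversal of the chain it sits in, and the userspace verdict (NF_ACCEPT) resumes at the next netfilter hook rather than at the next rule, so a DNAT rule later in the same nat PREROUTING chain is never evaluated for a packet that was queued. The two rule dumps are constructed here to mirror the rules in the post; the second one places the QUEUE rule in the mangle table, whose PREROUTING hook is traversed before nat PREROUTING, so the packet still reaches the DNAT rule after userspace accepts it. The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an iptables-save
# style dump for QUEUE rules that precede NAT targets in the same chain.

# Constructed dump mirroring the post: QUEUE at position 1 of nat PREROUTING,
# ahead of the DNAT rule, so the DNAT is shadowed for queued packets.
QUEUE_IN_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j QUEUE
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.201
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# Constructed alternative layout: inspection in the mangle table, whose
# PREROUTING hook runs before nat PREROUTING; NF_ACCEPT from userspace then
# continues to the nat hook, where the DNAT rule is still evaluated.
QUEUE_IN_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j QUEUE
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.201
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# check_nat_shadowing DUMP
# Prints one line per NAT rule (DNAT/SNAT/MASQUERADE/REDIRECT) that follows a
# QUEUE rule in the same table and chain; prints nothing for a clean dump.
check_nat_shadowing() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }    # "*nat" -> current table
        $1 == "-A" {
            chain = $2
            key = table " " chain
            n[key]++                              # rule number within chain
            target = ""
            for (i = 3; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            if (target == "QUEUE" && !(key in q)) q[key] = n[key]
            isnat = (target == "DNAT" || target == "SNAT" || target == "MASQUERADE" || target == "REDIRECT")
            if (isnat && (key in q))
                printf "%s: QUEUE at rule %d precedes %s at rule %d\n", key, q[key], target, n[key]
        }'
}

# ruleset_is_clean DUMP -> exit status 0 when no shadowed NAT rule is found
ruleset_is_clean() {
    [ -z "$(check_nat_shadowing "$1")" ]
}

# On a live box: check_nat_shadowing "$(iptables-save)"
check_nat_shadowing "$QUEUE_IN_NAT"
ruleset_is_clean "$QUEUE_IN_MANGLE" && echo "mangle/nat layout: no shadowed NAT rules"
```

One caveat with the mangle layout: the nat table only sees the first packet of each connection, but a QUEUE rule in mangle hands every matching packet to userspace, so the inspection program must be prepared to pass established-connection packets through as well.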
