Thank you very much for your comments. I made all the modifications you mentioned and I checked redirect-udp-recv.c, and now my C program works without any problem. I have only one last question, just out of curiosity. redirect-udp-recv.c has the following lines of code:

    /* check tproxy version */
    itp.op = TPROXY_VERSION;
    itp.v.version = 0x02000000;
    if (setsockopt(sock, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
        perror("setsockopt(SOL_IP, IP_TPROXY, TPROXY_VERSION)");
        return -1;
    }

Is this part optional? What happens if I set the wrong version? Does it mean that my program works only with a specific tproxy version?

Thanks a lot again,
Xavier

On Oct 15, KOVACS Krisztian <hidden@balabit.hu> wrote:
Hi,
On 2004-10-14 at 23:45, Javier Govea wrote:
I've been googling for some information about using tproxy for UDP traffic but I am still a bit confused. I hope you guys can help me out.
I want to intercept, at the application layer with a C written program, all UDP traffic, and then obtain the final destination IP address and port.
So, please correct me if I am wrong, I need two rules:
    iptables -t nat -A PREROUTING -j DNAT --to-dest 192.168.1.10
    iptables -t tproxy -A PREROUTING -j TPROXY --on-port 1025
You don't need the DNAT rule, only the TPROXY one. You can also specify a destination IP to TPROXY with --on-ip; if you omit that argument, it will use the address of the interface the packet came in on.
    /* QUESTION 1:
     * Do I need to use getsockopt or setsockopt in here???
     * If so, what exactly should I pass as parameters to getsockopt or setsockopt?
     * Krisztian Kovacs, in a message posted in this list on 07 Jul 2004, mentions
     * that I need to use getsockopt, but I'm not sure about the
     * parameters I need to pass, can somebody please clarify this point?
     */
Yes, you have to set the RECVORIGADDRS socket option with setsockopt() in order to receive the original address with recvmsg().
    /* QUESTION 2:
     * The same message posted by Krisztian Kovacs mentions that I need to use
     * recvmsg and that the original destination IP address and port is the
     * ancillary data. Is the following code correct??? Is that how I am supposed to
     * extract the payload, original destination IP address and port
     * from the ancillary data?
     */
You got the msg setup right, but do not process the received msg appropriately. Read below.
    /* QUESTION 3:
     * Is the payload supposed to be in cdata?
     */
    void *cdata = CMSG_DATA(cmsg);
No, it's in msgh.msg_iov.iov_base (buffer in your case).
    /* QUESTION 4:
     * The original destination IP address and port are in msgh.msg_name???
     */
    struct sockaddr_in *originalDst = (struct sockaddr_in *)msgh.msg_name;
No, it's in CMSG_DATA(cmsg).
    /* Original destination IP address in originalDst->sin_addr.s_addr and
     * original destination port in originalDst->sin_port
     * Does any of this make any sense???
     */
Yes. But please take a look at the example code, redirect-udp-recv.c is _exactly_ what you're looking for.
-- Regards, Krisztian KOVACS
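The recvmsg() pattern Krisztian describes above (payload in msg_iov, sender in msg_name, original destination in the ancillary data reached through CMSG_DATA) is worth seeing in full. The following is an added example, not code from this thread or from the tproxy distribution. It is written against the mainline Linux TPROXY socket API (IP_TRANSPARENT, IP_RECVORIGDSTADDR and the IP_ORIGDSTADDR cmsg, available since kernel 2.6.28) rather than the tproxy 2.x patch's IP_TPROXY / RECVORIGADDRS interface the thread is about; the option names and numeric values differ, but the cmsg walk is the same. The listening port 1025 is taken from the thread; the sample original destination 10.0.0.1:53 and the fixture that builds a control buffer by hand are constructed here so the parser can be exercised without root or real traffic.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Linux option values; the fallbacks only matter on old libc headers.
 * IPPROTO_IP is the same level as Linux's SOL_IP (both 0). */
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19
#endif
#ifndef IP_RECVORIGDSTADDR
#define IP_RECVORIGDSTADDR 20
#endif
#ifndef IP_ORIGDSTADDR
#define IP_ORIGDSTADDR 20
#endif

/* Walk the ancillary data of one datagram and copy out the original
 * destination, i.e. where the client sent the packet before TPROXY diverted it.
 * The payload is in msg_iov and msg_name holds the sender, not this address. */
static int extract_orig_dst(struct msghdr *msgh, struct sockaddr_in *orig)
{
    struct cmsghdr *cmsg;
    for (cmsg = CMSG_FIRSTHDR(msgh); cmsg; cmsg = CMSG_NXTHDR(msgh, cmsg)) {
        if (cmsg->cmsg_level == IPPROTO_IP && cmsg->cmsg_type == IP_ORIGDSTADDR &&
            cmsg->cmsg_len >= CMSG_LEN(sizeof *orig)) {
            memcpy(orig, CMSG_DATA(cmsg), sizeof *orig);
            return 1;               /* record present */
        }
    }
    return 0;                       /* kernel attached no IP_ORIGDSTADDR */
}

/* The socket the TPROXY rule redirects to. IP_TRANSPARENT needs
 * CAP_NET_ADMIN; IP_RECVORIGDSTADDR makes the kernel attach the record. */
static int open_tproxy_udp(uint16_t port)
{
    int on = 1, fd = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (fd >= 0 &&
        (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof on) < 0 ||
         setsockopt(fd, IPPROTO_IP, IP_RECVORIGDSTADDR, &on, sizeof on) < 0 ||
         bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture, not real traffic: build the control buffer the kernel
 * would attach for a datagram originally sent to 10.0.0.1:53 and parse it.
 * Returns 1 on a correct parse, -1 on a wrong address, 0 when with_record is 0
 * (empty control buffer) and the parser correctly reports no record. */
static int constructed_sample_check(int with_record)
{
    char control[CMSG_SPACE(sizeof(struct sockaddr_in))];
    struct sockaddr_in in = { .sin_family = AF_INET, .sin_port = htons(53) }, out;
    struct msghdr msgh = { .msg_control = control,
                          .msg_controllen = with_record ? sizeof control : 0 };
    if (with_record) {
        struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msgh);
        inet_pton(AF_INET, "10.0.0.1", &in.sin_addr);
        cmsg->cmsg_level = IPPROTO_IP;
        cmsg->cmsg_type = IP_ORIGDSTADDR;
        cmsg->cmsg_len = CMSG_LEN(sizeof in);
        memcpy(CMSG_DATA(cmsg), &in, sizeof in);
    }
    if (!extract_orig_dst(&msgh, &out))
        return 0;
    return (ntohs(out.sin_port) == 53 && ntohl(out.sin_addr.s_addr) == 0x0a000001) ? 1 : -1;
}

int main(void)
{
    char buf[2048], control[CMSG_SPACE(sizeof(struct sockaddr_in))];
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    struct sockaddr_in src, dst;
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof buf };
    struct msghdr msgh = { .msg_name = &src, .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = control };
    int fd = open_tproxy_udp(1025); /* --on-port 1025, as in the thread */
    if (fd < 0) { perror("open_tproxy_udp"); return 1; }
    for (;;) {
        msgh.msg_namelen = sizeof src;        /* recvmsg() overwrites both */
        msgh.msg_controllen = sizeof control; /* lengths; reset every call */
        ssize_t n = recvmsg(fd, &msgh, 0);
        if (n < 0 || (msgh.msg_flags & MSG_CTRUNC) || !extract_orig_dst(&msgh, &dst))
            continue;               /* error, control data truncated, or no record */
        inet_ntop(AF_INET, &src.sin_addr, s, sizeof s);
        inet_ntop(AF_INET, &dst.sin_addr, d, sizeof d);
        printf("%zd bytes from %s:%u, originally to %s:%u\n",
               n, s, ntohs(src.sin_port), d, ntohs(dst.sin_port));
    }
}
```

Two details the thread's fragment does not show: recvmsg() rewrites msg_namelen and msg_controllen to the lengths it actually filled, so both must be reset before every call, and MSG_CTRUNC in msg_flags means the control buffer was too small and the record may be missing, which the loop treats as a failed receive rather than reading a stale address. With the mainline API the matching rule lives in the mangle table (for example `iptables -t mangle -A PREROUTING -p udp -j TPROXY --on-port 1025 --tproxy-mark 0x1/0x1`) together with a policy route that delivers marked packets locally, not the separate tproxy table the 2.x patch used.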