On Sat, 2010-10-23 at 00:09 -0500, SM wrote:
Yes, it is!! Awesome. From the README.txt file, I was of the opinion that the kernel needs to be patched and compiled.
I have the following scenario:
All UDP packets coming in and going out of port 5060 need to be redirected to port 56789. An application running on port 56789 must parse them, modify them and send them to their intended destinations. I must take care that packets coming from remote machine to local machine:5060 are FIRST received at local machine:56789, and then, after modification, sent to local machine:5060 with a spoofed header suggesting that it came from remote machine.
The incoming packets can be handled by this rule: iptables -t mangle -A PREROUTING -p udp --dport 5060 -j TPROXY --on-port 56789 --tproxy-mark 0x1/0x1
How should I handle the outgoing packets for 5060? Mangle table's OUTPUT rule does not take tproxy as a target.
In order to spoof UDP source addresses in packets towards the localhost, you don't need a TPROXY target. You need to modify the proxy to set the IP_TRANSPARENT socket option via setsockopt(), bind the socket towards the local host to the address of the client and then use sendto().

Also, please note that this will only work if your traffic is unidirectional (e.g. you only send a frame and never receive one), because the response packets generated by the local stack will not be redirected by TPROXY, thus they'll go directly to the original client.

Frames sent to the server & redirected by TPROXY:

  client -> proxy -> local server

Reverse direction, frames sent by the server to the client:

  local server -> client

E.g. the proxy will never receive these frames. This is why TCP will _not_ work towards the local host. If you want that, you need to use NAT, which reroutes traffic properly.

Also, although TPROXY is compiled into Ubuntu 10.04, we've just posted UDP fixes to mainline (see the netfilter-devel archives). You may or may not be affected, I just wanted to tell you that there are fixes not yet in your kernel.

-- 
Bazsi
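The recipe Bazsi describes (IP_TRANSPARENT, bind() to the client's address, sendto()) put together with the receiving side of SM's scenario, as an added example written for this page by the editor; it is not code from either poster. It assumes Linux (the IP_TRANSPARENT and IP_RECVORIGDSTADDR socket options), IPv4, the port numbers from the thread (56789 as the TPROXY --on-port, 5060 as the original destination), that the PREROUTING TPROXY rule from the question is in place, and that the process runs with CAP_NET_ADMIN. The listener uses IP_RECVORIGDSTADDR to learn the original destination of a redirected datagram; that is the editor's choice for the incoming side, not something the thread discusses.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT          /* Linux ABI values; glibc's headers define them */
#define IP_TRANSPARENT 19
#endif
#ifndef IP_RECVORIGDSTADDR
#define IP_RECVORIGDSTADDR 20
#endif

/* Fill an IPv4 sockaddr; 0 on success, -1 if ip is not a dotted quad. */
static int make_addr(const char *ip, uint16_t port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* 1 if IP_TRANSPARENT is set on fd, 0 if not, -1 on error. */
static int is_transparent(int fd)
{
    int v = 0;
    socklen_t len = sizeof v;
    return getsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &v, &len) < 0 ? -1 : (v != 0);
}

/* Listener for the TPROXY --on-port: IP_TRANSPARENT lets it accept datagrams
   addressed to non-local addresses, IP_RECVORIGDSTADDR reports the original
   destination as ancillary data. Needs CAP_NET_ADMIN; returns fd or -1. */
static int transparent_listener(uint16_t port)
{
    int one = 1, fd = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in sa;
    if (fd < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
        setsockopt(fd, IPPROTO_IP, IP_RECVORIGDSTADDR, &one, sizeof one) < 0 ||
        make_addr("0.0.0.0", port, &sa) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* Receive one redirected datagram: peer = the real client, odst = the original
   destination (e.g. local:5060). Returns the payload length or -1. */
static ssize_t recv_with_origdst(int fd, void *buf, size_t len,
                                 struct sockaddr_in *peer, struct sockaddr_in *odst)
{
    char cbuf[CMSG_SPACE(sizeof(struct sockaddr_in))];
    struct iovec iov = { buf, len };
    struct msghdr msg = { .msg_name = peer, .msg_namelen = sizeof *peer,
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;
    memset(odst, 0, sizeof *odst);
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_RECVORIGDSTADDR)
            memcpy(odst, CMSG_DATA(c), sizeof *odst);
    return n;
}

/* Bazsi's recipe: bind an IP_TRANSPARENT socket to the client's IP and port,
   then sendto() the local server. The datagram reaches dst with src as its
   source; the server's reply goes straight back to src, never through us. */
static int send_as(const struct sockaddr_in *src, const struct sockaddr_in *dst,
                   const void *buf, size_t len)
{
    int one = 1, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
        bind(fd, (const struct sockaddr *)src, sizeof *src) < 0 ||
        sendto(fd, buf, len, 0, (const struct sockaddr *)dst, sizeof *dst) != (ssize_t)len) {
        int e = errno; close(fd); errno = e; return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    static char buf[65536];
    struct sockaddr_in peer, odst;
    int fd = transparent_listener(56789);            /* --on-port of the TPROXY rule */
    if (fd < 0) { perror("transparent_listener (needs CAP_NET_ADMIN)"); return 1; }
    for (;;) {
        ssize_t n = recv_with_origdst(fd, buf, sizeof buf, &peer, &odst);
        if (n < 0) { perror("recvmsg"); continue; }
        /* parse/modify buf[0..n) here; this example forwards it unchanged */
        if (send_as(&peer, &odst, buf, (size_t)n) < 0) perror("send_as");
    }
}
```

One caveat the editor would add to the rule in the question: the datagram send_as() emits towards local:5060 leaves through OUTPUT and re-enters the stack over lo through PREROUTING, where a TPROXY rule matching only on --dport 5060 would catch it again and hand it back to 56789. Restrict that rule to the external interface (for example with `! -i lo`) so only the client's original packets are redirected.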