[tproxy] UDP tproxy

KOVACS Krisztian hidden@balabit.hu
Fri, 15 Oct 2004 12:47:07 +0200


On Thursday, 2004-10-14 at 23:45, Javier Govea wrote:
> I've been googling for some information about using tproxy for UDP traffic but I am still
> a bit confused. I hope you guys can help me out.
> I want to intercept, at the application layer with a C written program, all UDP traffic,
> and then obtain the final destination IP address and port.
> So, please correct me if I am wrong, I need two rules:
> iptables -t nat -A PREROUTING -j DNAT --to-dest 
> iptables -t tproxy -A PREROUTING -j TPROXY --on-port 1025

  You don't need the DNAT rule, only the TPROXY one. You can also
specify a destination IP to TPROXY with --on-ip; if you omit that
argument it will use the address of the interface the packet came in on.

>   /* QUESTION 1:
>    *   Do I need to use getsockopt or setsockopt in here???
>    *   If so, what exactly should I pass as parameters to getsockopt or setsockopt
>    *   Krisztian Kovacs, in a message posted in this list on 07 Jul 2004, mentions 
>    *   that I need to use getsockopt, but I'm not sure about the 
>    *   parameters I need to pass, can somebody please clarify this point?
>    */

  Yes, you have to set the RECVORIGADDRS socket option with setsockopt()
in order to receive the original address with recvmsg().

>     /* QUESTION 2:
>      *   The same message posted by Krisztian Kovacs mentions that I need to use
>      *   recvmsg and that the original destination IP address and port is the
>      *   ancillary data. Is the following code correct??? Is that how I am supposed to
>      *   extract the payload, original destination IP address and port
>      *   from the ancillary data?
>      */

  You got the msg setup right, but do not process the received msg
appropriately. Read below.

>         /* QUESTION 3:
>          *   Is the payload supposed to be in cdata?
>          */
>         void *cdata = CMSG_DATA(cmsg);

  No, it's in msgh.msg_iov.iov_base (buffer in your case).

>         /* QUESTION 4:
>          *    The original destination IP address and port are in msgh.msg_name???
>          */
>         sockaddr_in *originalDst = (sockaddr_in *)(msgh.msg_name);

  No, it's in CMSG_DATA(cmsg).

> 	/* Original destination IP address in originalDst->sin_addr.s_addr and
>          * original destination port in originalDst->sin_port 
>          * Does any of this make any sense???
>          */

  Yes. But please take a look at the example code, redirect-udp-recv.c
is _exactly_ what you're looking for.

   Krisztian KOVACS
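The corrections above put together in one receive path, as an added example that is not code from this thread or from the tproxy package. It assumes the mainline Linux names IP_RECVORIGDSTADDR / IP_ORIGDSTADDR (playing the role of the tproxy-2 RECVORIGADDRS option discussed here) and a UDP socket already bound to the TPROXY --on-port; the offline check builds a constructed msghdr shaped the way the kernel fills it.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#ifndef IP_ORIGDSTADDR          /* mainline <linux/in.h> value, if the headers lack it */
#define IP_ORIGDSTADDR 20
#define IP_RECVORIGDSTADDR IP_ORIGDSTADDR
#endif

/* The original destination is NOT in msg_name (that holds the sender); it arrives
 * as ancillary data once IP_RECVORIGDSTADDR is set. Copy it to *dst; 1 if found. */
int extract_orig_dst(struct msghdr *msgh, struct sockaddr_in *dst)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msgh); c != NULL; c = CMSG_NXTHDR(msgh, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_ORIGDSTADDR &&
            c->cmsg_len >= CMSG_LEN(sizeof *dst)) {
            memcpy(dst, CMSG_DATA(c), sizeof *dst);
            return 1;
        }
    return 0;
}
/* Receive one datagram on fd (after setsockopt(fd, IPPROTO_IP, IP_RECVORIGDSTADDR,
 * &one, sizeof one)): payload lands in buf through msg_iov, the sender in *from,
 * the original destination in *orig. Returns payload length, or -1 on error. */
ssize_t recv_with_orig_dst(int fd, char *buf, size_t len,
                           struct sockaddr_in *from, struct sockaddr_in *orig)
{
    struct iovec iov = { buf, len };
    char cbuf[CMSG_SPACE(sizeof *orig)];
    struct msghdr msgh = { .msg_name = from, .msg_namelen = sizeof *from,
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(fd, &msgh, 0);
    return (n < 0 || !extract_orig_dst(&msgh, orig)) ? -1 : n;
}
/* Offline check with a constructed msghdr shaped as the kernel fills it (original
 * destination 10.0.0.53:53). Returns the extracted port in host order, 0 on failure. */
int sample_orig_port(void)
{
    struct sockaddr_in want = { .sin_family = AF_INET, .sin_port = htons(53) }, got;
    char cbuf[CMSG_SPACE(sizeof want)];
    struct msghdr msgh = { .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msgh);
    inet_pton(AF_INET, "10.0.0.53", &want.sin_addr);
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_ORIGDSTADDR;
    c->cmsg_len = CMSG_LEN(sizeof want);
    memcpy(CMSG_DATA(c), &want, sizeof want);
    return extract_orig_dst(&msgh, &got) ? ntohs(got.sin_port) : 0;
}
```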