- 03-03-2007 #1
Router and iptables
Hi,
I need to do the following:
I have a router machine and a private LAN.
On the router m/c I will be having packets for the machines on the LAN. Actually those packets are encrypted by the source and I will have to decrypt them on the router machine before they get to the actual recipients.
So I want to capture the packets on the router machine and not let them get to the LAN PCs directly.
What iptables commands can I use, and how?
Please please help me...
- 03-03-2007 #2
1. Internet ----- [ROUTER] ==== [LAN]
So obviously your router does NAT. Now let's take one example: one of your LAN machines runs some server that needs to receive the packets from the client. Let's assume the following setup:
Internet ----- a.b.c.d [ROUTER] 192.168.1.1======192.168.1.2:1234[LAN]
Here, a.b.c.d is the IP of your router's WAN interface. 192.168.1.1 is the IP of the router's LAN interface. 192.168.1.2 is your LAN server's IP and the server is listening on port 1234.
Now, if a client needs to reach the server, he would obviously connect to a.b.c.d:1234 (in case the port on which the client connects and the port on which the server listens are the same).
So your router does a DNAT now to re-direct the traffic to the LAN server:
Code:
iptables -t nat -A PREROUTING -p <proto> --dport 1234 -j DNAT --to-destination 192.168.1.2:1234
Till here, if I have misunderstood your problem, please correct me.
---------------------------------
Registered Linux User #440311
HI2ARUN _AT_ GMAIL _DOT_ COM
---------------------------------
- 03-03-2007 #3
Hi, I think you understood my problem, but what exactly I want to do is block the packets at the router itself and not let them go forwarded to the LAN server.
- 03-03-2007 #4
Originally Posted by bhupeshchawda
I want to do is that I want to block the packets at the router itself and not let them go,
To satisfy this condition, instead of DNATting the traffic to the LAN server, receive the traffic on the router with the help of a proxy server, decrypt it, and send the decrypted message to the DB server running on your LAN.
Get the response from your LAN server, encrypt it, and send it to your client.
Is this making sense?
---------------------------------
Registered Linux User #440311
HI2ARUN _AT_ GMAIL _DOT_ COM
---------------------------------
- 03-03-2007 #5
FYI:
The other way around to do this is by queueing the packet from kernel space to user space (achieved by the iptables QUEUE target), processing it there (decryption), and then placing it back in kernel space. But this is a bit complex.
---------------------------------
Registered Linux User #440311
HI2ARUN _AT_ GMAIL _DOT_ COM
---------------------------------
- 03-03-2007 #6
That indeed makes sense, but I am really a newbie and don't know how to make use of a proxy server... Can you help me in this regard also?
- 03-03-2007 #7
Also, what I thought is that it may be possible using something like:
-d a.b.c.d --dport xxx -j REDIRECT --to my_ip:aaaa
OR
-d a.b.c.d --dport xxx -j DNAT --to-destination my_ip:aaaa
Am I making sense?
- 03-03-2007 #8
Which DB are you using?
Are you planning to encrypt DB traffic with an in-house built (custom) cipher?
---------------------------------
Registered Linux User #440311
HI2ARUN _AT_ GMAIL _DOT_ COM
---------------------------------
- 03-03-2007 #9
Originally Posted by bhupeshchawda
Also what I thought that it may be possible using something like:
-d a.b.c.d --dport xxx -j REDIRECT --to my_ip:aaaa
OR
-d a.b.c.d --dport xxx -j DNAT --to-destination my_ip:aaaa
Both convey the same meaning. But in this case, you cannot process your traffic on the router, which I suppose is your requirement.
---------------------------------
Registered Linux User #440311
HI2ARUN _AT_ GMAIL _DOT_ COM
---------------------------------
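As an added example (not code from this thread or its posters), here are the two rule sets the replies above contrast, side by side: DNAT forwarding straight to the LAN server versus REDIRECT to a proxy on the router that can decrypt before talking to the LAN. The WAN interface name and the proxy port 4444 are assumptions; the LAN server address and port 1234 are the thread's own values, and with DRY_RUN=1 the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example. Assumed: WAN interface name (eth0), proxy listening on
# TCP 4444 on the router. 192.168.1.2 and port 1234 come from the thread.
# With DRY_RUN=1 the iptables commands are printed rather than executed.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Approach 1 (posts #2 and #9): DNAT straight to the LAN server. The packets
# only pass through the FORWARD chain; no process on the router ever sees the
# payload, so nothing on the router can decrypt it.
dnat_rules() {
    wan=$1; port=$2; lan_ip=$3
    # "-t nat" must precede "-A CHAIN"; "iptables -A -t nat PREROUTING" fails
    run iptables -t nat -A PREROUTING -i "$wan" -p tcp --dport "$port" \
        -j DNAT --to-destination "$lan_ip:$port"
    run iptables -A FORWARD -i "$wan" -p tcp -d "$lan_ip" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Approach 2 (posts #4 and #9): REDIRECT to a proxy running on the router.
# The packets are now delivered locally (INPUT chain), the proxy decrypts and
# opens its own connection to the LAN server. The FORWARD drop guarantees that
# nothing reaches the LAN server on that port without going through the proxy.
redirect_rules() {
    wan=$1; port=$2; proxy_port=$3; lan_ip=$4
    run iptables -t nat -A PREROUTING -i "$wan" -p tcp --dport "$port" \
        -j REDIRECT --to-ports "$proxy_port"
    run iptables -A INPUT -i "$wan" -p tcp --dport "$proxy_port" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -p tcp -d "$lan_ip" --dport "$port" -j DROP
}
```

Preview either set with, for example, `DRY_RUN=1 redirect_rules eth0 1234 4444 192.168.1.2`; without DRY_RUN the functions apply the rules and need root.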
- 03-03-2007 #10
Actually, I don't know anything about the DB server or about the clients.
Yes I am using the DES-3 crypt algo.