  1. #1
    Just Joined!
    Join Date
    Feb 2007
    Posts
    34

    Question Router and iptables


    Hi,
    I need to do the following:

    I have a router machine and a private LAN.
    On the router m/c I will be having packets for the machines on the LAN. Actually those packets are encrypted by the source and I will have to decrypt them on the router machine before they get to the actual recipients.
    So I want to capture the packets on the router machine and not let them get to the LAN PCs directly.
    What iptables commands can I use, and how?
    Please please help me...

  2. #2
    Linux User cyberinstru's Avatar
    Join Date
    Jan 2007
    Location
    India
    Posts
    362
    1. Internet ----- [ROUTER] ==== [LAN]
    So obviously your router does NAT. Now let's take one example where one of your LAN machines runs some server that needs to receive the packets from the client. Let's assume the following setup:

    Internet ----- a.b.c.d [ROUTER] 192.168.1.1======192.168.1.2:1234[LAN]

    Here, a.b.c.d is the IP of your router's WAN interface. 192.168.1.1 is the IP of the router's LAN interface. 192.168.1.2 is your LAN server's IP and the server is listening on port 1234.

    Now, if a client needs to reach the server, he would obviously connect to a.b.c.d:1234 (in case the port on which the client connects and the port on which the server listens are the same).

    So your router does a DNAT now to redirect the traffic to the LAN server:

    Code:
    iptables -t nat -A PREROUTING -p <proto> --dport 1234 -j DNAT --to-destination 192.168.1.2:1234
    Till here, if I have misunderstood your problem, please correct me.
    ---------------------------------
    Registered Linux User #440311
    HI2ARUN _AT_ GMAIL _DOT_ COM
    ---------------------------------

  3. #3
    Just Joined!
    Join Date
    Feb 2007
    Posts
    34
    Hi, I think you understood my problem, but what exactly I want to do is block the packets at the router itself and not let them be forwarded to the LAN server.


    Quote Originally Posted by cyberinstru
    1. Internet ----- [ROUTER] ==== [LAN]
    So obviously your router does NAT. Now let's take one example where one of your LAN machines runs some server that needs to receive the packets from the client. Let's assume the following setup:

    Internet ----- a.b.c.d [ROUTER] 192.168.1.1======192.168.1.2:1234[LAN]

    Here, a.b.c.d is the IP of your router's WAN interface. 192.168.1.1 is the IP of the router's LAN interface. 192.168.1.2 is your LAN server's IP and the server is listening on port 1234.

    Now, if a client needs to reach the server, he would obviously connect to a.b.c.d:1234 (in case the port on which the client connects and the port on which the server listens are the same).

    So your router does a DNAT now to redirect the traffic to the LAN server:

    Code:
    iptables -t nat -A PREROUTING -p <proto> --dport 1234 -j DNAT --to-destination 192.168.1.2:1234
    Till here, if I have misunderstood your problem, please correct me.

  4. #4
    Linux User cyberinstru's Avatar
    Join Date
    Jan 2007
    Location
    India
    Posts
    362
    Quote Originally Posted by bhupeshchawda
    I want to block the packets at the router itself and not let them go,
    To satisfy this condition, instead of DNATting the traffic to the LAN server, receive the traffic on the router with the help of a proxy server, decrypt it, and send the decrypted message to the DB server running on your LAN.

    Get the response from your LAN server, encrypt it, and send it to your client.

    Is this making sense?

  5. #5
    Linux User cyberinstru's Avatar
    Join Date
    Jan 2007
    Location
    India
    Posts
    362
    FYI:

    The other way to do this is by queueing the packet (achieved by the iptables QUEUE target) from kernel space to user space, processing it (decryption) and then placing it back in kernel space. But this is a bit complex.

  6. #6
    Just Joined!
    Join Date
    Feb 2007
    Posts
    34
    That indeed makes sense, but I am really a newbie and don't know how to make use of a proxy server... Can you help me in this regard also...

    Quote Originally Posted by cyberinstru
    To satisfy this condition, instead of DNATting the traffic to the LAN server, receive the traffic on the router with the help of a proxy server, decrypt it, and send the decrypted message to the DB server running on your LAN.

    Get the response from your LAN server, encrypt it, and send it to your client.

    Is this making sense?

  7. #7
    Just Joined!
    Join Date
    Feb 2007
    Posts
    34
    Also, I thought it may be possible using something like:

    # REDIRECT always targets the router's own address, so only the port is given
    iptables -t nat -A PREROUTING -d a.b.c.d -p <proto> --dport xxx -j REDIRECT --to-ports aaaa

    OR

    iptables -t nat -A PREROUTING -d a.b.c.d -p <proto> --dport xxx -j DNAT --to-destination my_ip:aaaa

    Am I making sense??

    Quote Originally Posted by bhupeshchawda
    That indeed makes sense, but I am really a newbie and don't know how to make use of a proxy server... Can you help me in this regard also...

  8. #8
    Linux User cyberinstru's Avatar
    Join Date
    Jan 2007
    Location
    India
    Posts
    362
    Which DB are you using?

    Are you planning to encrypt DB traffic with an in-house built (custom) cipher?

  9. #9
    Linux User cyberinstru's Avatar
    Join Date
    Jan 2007
    Location
    India
    Posts
    362
    Quote Originally Posted by bhupeshchawda
    Also, I thought it may be possible using something like:

    # REDIRECT always targets the router's own address, so only the port is given
    iptables -t nat -A PREROUTING -d a.b.c.d -p <proto> --dport xxx -j REDIRECT --to-ports aaaa

    OR

    iptables -t nat -A PREROUTING -d a.b.c.d -p <proto> --dport xxx -j DNAT --to-destination my_ip:aaaa
    Both convey the same meaning. But in this case, you cannot process your traffic on the router, which I suppose is your requirement.
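The three designs discussed in this thread, as an added shell example that is not part of any post: the DNAT-to-LAN-server rule from post #2 (with the option order corrected to `-t nat -A PREROUTING`), the intercept-on-the-router design from posts #4, #7 and #9 (REDIRECT takes `--to-ports` and no IP, because it always targets the router's own address on the receiving interface), and the user-space QUEUE design from post #5, written with the current NFQUEUE target. The interface names eth0/eth1, the proxy port 5555 and the use of the conntrack match are my assumptions; the addresses and port 1234 are the thread's. The script only prints the commands unless APPLY=1 is set, so the rule set can be reviewed before it touches a live router.

```shell
#!/bin/sh
# Added example, not from the thread: emits (or, with APPLY=1 as root, applies)
# the iptables rule set for each of the three designs discussed above.
#   forward   - DNAT the encrypted traffic straight to the LAN server (post #2)
#   intercept - REDIRECT it to a decrypting proxy listening on the router (posts #4, #7, #9)
#   queue     - hand the forwarded packets to user space with NFQUEUE (post #5)
# Interface names, the proxy port and the queue number are assumed placeholders.

WAN_IF=${WAN_IF:-eth0}                 # assumed: interface holding a.b.c.d
LAN_IF=${LAN_IF:-eth1}                 # assumed: interface holding 192.168.1.1
LAN_SERVER=${LAN_SERVER:-192.168.1.2}  # the LAN server from the thread
PROTO=${PROTO:-tcp}
PORT=${PORT:-1234}                     # port the clients connect to on a.b.c.d
PROXY_PORT=${PROXY_PORT:-5555}         # assumed: port of the decrypting proxy on the router
QUEUE_NUM=${QUEUE_NUM:-0}

# Print each command unless APPLY=1, so the rule set can be reviewed first.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Accept only 1..65535; rejects empty strings and anything non-numeric.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Mode 1: the router only forwards; the encrypted stream reaches the LAN server untouched.
rules_forward() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$PROTO" --dport "$PORT" \
        -j DNAT --to-destination "$LAN_SERVER:$PORT"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$PROTO" -d "$LAN_SERVER" --dport "$PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Mode 2: REDIRECT sends the connection to the router's own address on the
# receiving interface (which is why it takes --to-ports and no IP). The proxy
# bound to PROXY_PORT decrypts and opens its own connection to LAN_SERVER.
rules_intercept() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$PROTO" --dport "$PORT" \
        -j REDIRECT --to-ports "$PROXY_PORT"
    run iptables -A INPUT -i "$WAN_IF" -p "$PROTO" --dport "$PROXY_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Belt and braces: even if the REDIRECT rule is removed, ciphertext must not be forwarded.
    run iptables -A FORWARD -i "$WAN_IF" -p "$PROTO" --dport "$PORT" -j DROP
}

# Mode 3: DNAT as in mode 1, but every forwarded packet is queued to a user-space
# program that must bind queue QUEUE_NUM and return a verdict per packet; while
# nothing is bound the kernel drops the queued packets, so this fails closed.
rules_queue() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$PROTO" --dport "$PORT" \
        -j DNAT --to-destination "$LAN_SERVER:$PORT"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$PROTO" -d "$LAN_SERVER" --dport "$PORT" \
        -j NFQUEUE --queue-num "$QUEUE_NUM"
}

main() {
    if ! valid_port "$PORT" || ! valid_port "$PROXY_PORT"; then
        echo "invalid port: PORT=$PORT PROXY_PORT=$PROXY_PORT" >&2
        return 2
    fi
    case ${1:-forward} in
        forward)   rules_forward ;;
        intercept) rules_intercept ;;
        queue)     rules_queue ;;
        *) echo "usage: $0 forward|intercept|queue" >&2; return 2 ;;
    esac
}

main "$@"
```

Run it with `intercept` as the argument to see the rules for the design the thread settles on, then again with `APPLY=1` as root to install them. After installing, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters: the REDIRECT rule's counter should climb as clients connect, while the FORWARD DROP rule's counter staying at zero confirms that no ciphertext is slipping past the router into the LAN.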

  10. #10
    Just Joined!
    Join Date
    Feb 2007
    Posts
    34
    Actually, I don't know anything about the DB server or about the clients.
    Yes, I am using the DES-3 crypt algorithm.

    Quote Originally Posted by cyberinstru
    Which DB are you using?

    Are you planning to encrypt DB traffic with an in-house built (custom) cipher?
