Printable View
Hi,
I need to do the following:
I have router machine and a private LAN.
On the router m/c I will be having packets for the machines on the LAN. Actually those packets are encrypted by the source and I will have to decrypt them on the router machine before they get to the actual recepients.
So I want to capture the packets on the router machine and not let them get to the LAN pcs directly.
What iptables commands can I use and how??
Please please help me...
1. Internet ----- [ROUTER] ==== [LAN]
So obviously your router does NAT. Now letz take one example that one of your lan machines run some server that needs to receive the packets from the client. Letz assume the following setup:
Internet ----- a.b.c.d [ROUTER] 192.168.1.1======192.168.1.2:1234[LAN]
here, a.b.c.d is IP of your router's WAN interface. 192.168.1.1 is IP of router's LAN interface. 192.168.1.2 is ur LAN server's IP and the server is listening on port 1234.
Now, if a client needs to reach the server, he wud obviously connect to a.b.c.d:1234 (in case, the port on wihich the client connects and the port on which the server listens are same)
So your router does a DNAT now to re-direct the traffic to the LAN server
Till here, if I have misunderstood your problem, please correct me.Code:iptables -A -t nat PREROUTING -p <proto> --dport 1234 -j DNAT --to 192.168.1.2:1234
Hi I think u understood my problem but what exactly I want to do is that I want to block the packets at the router itself and not let them go, forwarded to the LAN server.
Quote:
Originally Posted by cyberinstru
If to satisfy this condition, then instead of DNATting the traffic to the LAN server, receive the traffic on the router with the help of a proxy server, decrypt it, send the decrypted message to the DB server running on your LAN.Quote:
I want to do is that I want to block the packets at the router itself and not let them go,
Get the response from your LAN server, encrypt it, and send it to your client.
Is this making sense?
FY/I:
The other way around to do this is, by queueing (achieved by iptables - QUEUE) the packet from kernel space to user space, process it (decryption) and then place it back in the kernel space. But this is a bit complex.
That indeed makes sence but I am really a newbie and don't know how to make use of a proxy server...Can u help me in this regard also...
Quote:
Originally Posted by cyberinstru
Also what I thought that it may be possible using something like:
-d a.b.c.d --dport xxx -j REDIRECT --to my_ip:aaaa
OR
-d a.b.c.d --dport xxx -j DNAT --to-destination my_ip:aaaa
Am I making sense??
Quote:
Originally Posted by bhupeshchawda
Which DB are you using?
R u planning to encrypt DB traffic with in-house built (custom) cipher?
Both conveys the same meaning. But in this case, you cannot process your traffic on the router, that is suppose ur req is.Quote:
Also what I thought that it may be possible using something like:
-d a.b.c.d --dport xxx -j REDIRECT --to my_ip:aaaa
OR
-d a.b.c.d --dport xxx -j DNAT --to-destination my_ip:aaaa
Actually I don't know anything about the DB server nor about the clients.
Yes I am using the DES-3 crypt algo.
Quote:
Originally Posted by cyberinstru