Hello,
   Interface 1                Interface 2
9090(encrypted)  ---------  9000(decrypted)
------>---------|Fire wall|--->-----
------>---------|         |--->-----
9000(unencrypted)---------  9000(unencrypted)
I need to encrypt/decrypt and port-translate traffic coming in on a
particular port (9090).
I first perform decryption by queuing packets to a userspace program
with the following iptables rule:
(a) iptables -t mangle -A PREROUTING -p udp --dport 9090 -j NFQUEUE
To achieve port translation I use the REDIRECT target as shown below:
(b) iptables -t nat -A PREROUTING -p udp --dport 9090 -j REDIRECT --to-port 9000
The iptables rule with the REDIRECT target ensures that traffic on port
9000 on Interface 2 gets port-translated to port 9090 while going out
through Interface 1, but only if it belongs to a connection that was
port-translated from 9090 to 9000 while coming in on Interface 1.
I would like to know how to construct a rule to intercept packets that
belong to the port-translated stream but are now coming from Interface
2, as I would like to encrypt them before they go out on Interface 1.
There are other connections that use port 9000; however, these do not
belong to the port-translated stream.
Will the following rule work?
iptables -t mangle -A POSTROUTING -p udp --sport 9090 -j NFQUEUE
i.e., will REDIRECT ensure that the source port is rewritten from 9000
to 9090 by the time the packet hits mangle POSTROUTING?
Thanks in advance,
Vikram.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
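The source-port question at the end of the post turns on where in the POSTROUTING hook the nat engine un-translates reply packets relative to the mangle table. The Python model below is an added illustration, not code from the original thread or from the netfilter project. It replays the two rules from the post through a miniature conntrack/NAT engine ordered by the kernel's hook priorities (in POSTROUTING, mangle at -150 runs before the nat source-manipulation step at 100), then evaluates both the proposed --sport 9090 match and a -m conntrack --ctstate DNAT --ctdir REPLY match at the mangle POSTROUTING point. The firewall and peer addresses, the peer ports and the second, ordinary port-9000 flow are constructed sample values.

```python
from dataclasses import dataclass, replace

# Hook priorities from the kernel's enum nf_ip_hook_priorities; a lower value
# runs earlier within the same hook, so in POSTROUTING the mangle table (-150)
# sees a packet before the nat engine (100) touches it.
NF_IP_PRI_CONNTRACK = -200
NF_IP_PRI_MANGLE = -150
NF_IP_PRI_NAT_DST = -100   # nat PREROUTING/OUTPUT: DNAT, including REDIRECT
NF_IP_PRI_NAT_SRC = 100    # nat POSTROUTING/INPUT: SNAT and un-DNAT of replies

FW_IF1 = "198.51.100.1"    # constructed: firewall's address on Interface 1
PEER_A = "203.0.113.7"     # constructed: peer sending encrypted traffic to 9090
PEER_B = "203.0.113.9"     # constructed: peer with an ordinary port-9000 flow


@dataclass(frozen=True)
class Pkt:
    saddr: str
    sport: int
    daddr: str
    dport: int


def invert(p):
    """Conntrack's reply tuple: source and destination swapped."""
    return Pkt(p.daddr, p.dport, p.saddr, p.sport)


class Conn:
    """One conntrack entry: original tuple, reply tuple and any DNAT mapping."""
    def __init__(self, orig):
        self.orig, self.reply, self.dnat_to = orig, invert(orig), None


class Conntrack:
    def __init__(self):
        self.by_tuple = {}  # packet tuple -> (Conn, "ORIGINAL" | "REPLY")

    def track(self, p):
        hit = self.by_tuple.get(p)
        if hit is None:     # NEW connection: index both directions
            c = Conn(p)
            self.by_tuple[c.orig] = (c, "ORIGINAL")
            self.by_tuple[c.reply] = (c, "REPLY")
            hit = (c, "ORIGINAL")
        return hit

    def set_dnat(self, c, daddr, dport):
        """Record a DNAT mapping; the reply tuple now reflects the new destination."""
        del self.by_tuple[c.reply]
        c.dnat_to = (daddr, dport)
        c.reply = invert(replace(c.orig, daddr=daddr, dport=dport))
        self.by_tuple[c.reply] = (c, "REPLY")


def prerouting(ct, p):
    """PREROUTING in priority order: conntrack (-200), mangle (-150), nat (-100)."""
    c, d = ct.track(p)
    queued = (p.dport == 9090)                            # rule (a): NFQUEUE
    if c.dnat_to is None and d == "ORIGINAL" and p.dport == 9090:
        ct.set_dnat(c, FW_IF1, 9000)                      # rule (b): REDIRECT --to-port 9000
    if c.dnat_to is not None and d == "ORIGINAL":         # later packets reuse the mapping
        p = replace(p, daddr=c.dnat_to[0], dport=c.dnat_to[1])
    return p, queued


def postrouting(ct, p):
    """POSTROUTING in priority order: mangle (-150), then nat (100).
    Returns the packet as the mangle table sees it, the conntrack facts a
    -m conntrack match could use there, and the packet that reaches the wire."""
    c, d = ct.track(p)        # conntrack already ran in PREROUTING/OUTPUT; lookup only
    seen_by_mangle = p
    ctstate = {"DNAT"} if c.dnat_to is not None else set()
    if c.dnat_to is not None and d == "REPLY":
        p = replace(p, saddr=c.orig.daddr, sport=c.orig.dport)   # un-DNAT the reply
    return seen_by_mangle, ctstate, d, p


def rule_sport_9090(pkt):
    """The rule proposed in the post: -p udp --sport 9090 in mangle POSTROUTING."""
    return pkt.sport == 9090


def rule_conntrack_dnat_reply(ctstate, ctdir):
    """-m conntrack --ctstate DNAT --ctdir REPLY: replies of REDIRECTed flows only."""
    return "DNAT" in ctstate and ctdir == "REPLY"


def demo():
    ct = Conntrack()
    # Flow A: encrypted datagram for port 9090 arrives on Interface 1.
    inbound, queued = prerouting(ct, Pkt(PEER_A, 5000, FW_IF1, 9090))
    at_mangle_a, st_a, dir_a, wire_a = postrouting(ct, invert(inbound))
    # Flow B: an unrelated datagram that genuinely targets port 9000.
    inbound_b, _ = prerouting(ct, Pkt(PEER_B, 6000, FW_IF1, 9000))
    _, st_b, dir_b, _ = postrouting(ct, invert(inbound_b))
    return {
        "flow_a_queued_for_decrypt": queued,
        "flow_a_dport_after_redirect": inbound.dport,
        "sport_at_mangle_postrouting": at_mangle_a.sport,
        "sport_on_wire": wire_a.sport,
        "proposed_sport_rule_matches": rule_sport_9090(at_mangle_a),
        "conntrack_rule_matches_flow_a": rule_conntrack_dnat_reply(st_a, dir_a),
        "conntrack_rule_matches_flow_b": rule_conntrack_dnat_reply(st_b, dir_b),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block prints the dictionary returned by demo(): with this hook order the reply still carries source port 9000 when the mangle POSTROUTING rule runs, and the source port becomes 9090 only at the nat step that follows, so a conntrack-based match is what separates the REDIRECTed stream from ordinary port-9000 traffic at that point. The ordering is the same whether the reply is generated locally (OUTPUT, then POSTROUTING) or forwarded (PREROUTING, FORWARD, POSTROUTING), because the un-DNAT of reply packets is always performed by the nat source-manipulation step in POSTROUTING.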