nat in linux kernel

 
 
Giacomo
      07-02-2005, 04:03 PM
Good morning, I'm Giacomo from Italy.

I am writing a simple firewall in Linux kernel space (2.6.11).

I'm trying to implement DNAT, and I take struct sk_buff* skb from functions
in prerouting context.

I change the destination port on skb.

I printk the fields in pre routing and in input: all things as expected:
original port in pre and changed port in input.

The problem is that the packet seems to disappear: it does not enter the output
hook.

For example:

I map port 100 to 22 and do SSH from IP2 to IP1. On IP1 I do DNAT from port
100 to 22.

IP2: ssh IP1 -p 100

On IP1 I get printed:

PRE: dest port 100 OK
INPUT dest port 22 OK!

But ssh seems not to respond; it probably does not really receive the packet!

WHY??

Perhaps I miss something... perhaps it is not enough to simply rewrite a
field of sk_buff.

I thought it was automatic that since a packet enters the input functions with a
certain destination port, although different from the port that was in pre
routing, it got directed in the right way, in this case delivered to port 22 where
ssh is listening.

Do I have to recalculate the checksum?? How??

PS: of course, I have prepared de-DNAT on outgoing packets... but for now
they do not OUT-GO!

PPS: of course ssh is up and responds correctly if I don't mangle the
destination port in pre routing.

Thanks in advance for any idea.

Giacomo, Italy


 
Alexander Harsch
      07-02-2005, 07:18 PM
Giacomo wrote:


>
> Do i have to recalculate checksum?? how??
>

Hello,

yes, you have to. In ip_local_input(), which is the next function after the
packet leaves your hook, the checksum of your IP header will be
calculated. If it doesn't match, the packet will be discarded. To figure out
how to calculate the checksum, parse the ip_local_input function and see
where the checksum is calculated. Do it the same way and insert this value
in the checksum field of the IP header.

Alex
 
 
Alexander Harsch
      07-02-2005, 07:35 PM
Giacomo wrote:

>
> Do i have to recalculate checksum?? how??
>

Ok, I just figured out that the checksum is calculated in ip_rcv(), which is
called before the PRE_ROUTING hook. So, the packets probably reach the ssh
daemon. But in the TCP connection, the ssh daemon will send from port ssh
as the source port. The sender will expect to receive an answer from
port 100. You can figure this out with tcpdump on the sending side.

Alex

 
 
Giacomo
      07-03-2005, 06:31 AM
Yes, you are right, I de-DNATted the connection, so the sender should receive the answer
on port 100.
The problem is that the answer does not come back.
I've seen this also with tcpdump: no packets coming back, neither towards
source port 22 nor 100.
If the checksum is calculated before ip_rcv(), then I think I should recalculate
it, since I alter the packet after the prerouting hook.

I found some hints on the web, but I'm not yet sure which is the right
way/the right functions to call.
I alter both ports (TCP layer) and address (IP).

Thanks a lot.

Giacomo.



"Alexander Harsch" <(E-Mail Removed)> wrote in message
news:da6q95$qma$(E-Mail Removed)...



 
 
joy
      07-04-2005, 09:58 AM
Hello Jacopo....

Have you tried to sniff? What do you see?

peppe
 
 
Giacomo
      07-04-2005, 10:11 AM
Thanks joy!
Yes, I sniff and see prerouting with the old IP and ports, then the packet goes into
INPUT with the new values... but
then I can't see any response back.

I think I must recalculate the checksum, but I don't know what the right
functions are!

Thanks a lot!

Giacomo


"joy" <joy79a_nospam_@libero.it> wrote in message
news:%K7ye.82$(E-Mail Removed)...



 
 
santa19992000@yahoo.com
      07-04-2005, 12:29 PM
Did you change just the port numbers, or did you implement NAT as a
separate loadable module? Since when you do SSH from a different
machine it might be using the default port numbers, I think; could you do
"netstat -a" and compare the output with the default port numbers and the
modified port numbers?

 
 
Alexander Harsch
      07-04-2005, 04:38 PM
tcp_v4_send_check() will calculate the checksum. See net/ipv4/tcp_ipv4.c

Alex
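The kernel helpers Alex points at do nothing magic: they zero the checksum field, re-sum the header (for TCP, the pseudo-header with both addresses plus the whole segment) and store the result. The following userspace C program is an added example, not code from the thread or from the kernel: it builds a constructed SYN (addresses from the 192.0.2.0/24 documentation range), shows that rewriting only the destination port, as the original post did, leaves a segment that fails verification, and then applies the rewrite of destination address and port two ways, by full recompute (what ip_send_check() and tcp_v4_send_check() do; the first name is assumed to be the IPv4 header helper of the same era) and by the incremental update of RFC 1624, checking that both agree.

```c
#include <stdint.h>
#include <string.h>

/* One's-complement sum of big-endian 16-bit words (RFC 1071), not yet folded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;       /* odd trailing byte, zero padded */
    return sum;
}

/* Fold the carries back in and complement: the value that goes on the wire. */
static uint16_t csum_finish(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static size_t ihl(const uint8_t *ip) { return (ip[0] & 0x0f) * 4; }

/* IPv4 header checksum over the header exactly as it sits in memory. */
static uint16_t ip_csum(const uint8_t *ip) { return csum_finish(csum_add(0, ip, ihl(ip))); }

/* TCP checksum: pseudo-header (saddr, daddr, 0, proto, TCP length) + segment.
 * Because both addresses are covered, DNAT of the address changes it too. */
static uint16_t tcp_csum(const uint8_t *ip)
{
    size_t tcplen = get16(ip + 2) - ihl(ip);
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);              /* source and destination address */
    pseudo[8] = 0; pseudo[9] = ip[9];        /* zero byte, protocol number */
    put16(pseudo + 10, (uint16_t)tcplen);
    return csum_finish(csum_add(csum_add(0, pseudo, 12), ip + ihl(ip), tcplen));
}

/* A header whose checksum field is already filled in sums to zero. */
int ip_csum_ok(const uint8_t *ip)  { return ip_csum(ip) == 0; }
int tcp_csum_ok(const uint8_t *ip) { return tcp_csum(ip) == 0; }

/* Full recompute: zero the field, sum, store. This is what the kernel's
 * ip_send_check() and tcp_v4_send_check() do. */
void fix_checksums_full(uint8_t *ip)
{
    uint8_t *tcp = ip + ihl(ip);
    put16(ip + 10, 0);  put16(ip + 10, ip_csum(ip));
    put16(tcp + 16, 0); put16(tcp + 16, tcp_csum(ip));
}

/* Incremental update (RFC 1624 eqn 3): HC' = ~(~HC + ~m + m') when one
 * 16-bit word m becomes m'. Saves re-summing the payload of large packets. */
static uint16_t csum_replace16(uint16_t hc, uint16_t m, uint16_t m_new)
{
    return csum_finish((uint32_t)(uint16_t)~hc + (uint16_t)~m + m_new);
}

/* DNAT daddr and dport, patching both checksums word by word. */
void dnat_incremental(uint8_t *ip, const uint8_t new_daddr[4], uint16_t new_dport)
{
    uint8_t *tcp = ip + ihl(ip);
    for (int i = 0; i < 4; i += 2) {          /* the address is two 16-bit words */
        uint16_t old = get16(ip + 16 + i), nw = get16(new_daddr + i);
        put16(ip + 10,  csum_replace16(get16(ip + 10),  old, nw));
        put16(tcp + 16, csum_replace16(get16(tcp + 16), old, nw));
    }
    put16(tcp + 16, csum_replace16(get16(tcp + 16), get16(tcp + 2), new_dport));
    memcpy(ip + 16, new_daddr, 4);
    put16(tcp + 2, new_dport);
}

/* Constructed sample: bare SYN 192.0.2.10:40000 -> 192.0.2.1:100 (documentation
 * addresses), 20-byte IPv4 header + 20-byte TCP header, no options, no data. */
#define PKT_LEN 40
void build_syn(uint8_t pkt[PKT_LEN])
{
    static const uint8_t src[4] = {192, 0, 2, 10}, dst[4] = {192, 0, 2, 1};
    memset(pkt, 0, PKT_LEN);
    pkt[0] = 0x45; put16(pkt + 2, PKT_LEN); pkt[8] = 64; pkt[9] = 6; /* v4, TTL, TCP */
    memcpy(pkt + 12, src, 4); memcpy(pkt + 16, dst, 4);
    put16(pkt + 20, 40000); put16(pkt + 22, 100);               /* sport, dport */
    pkt[32] = 0x50; pkt[33] = 0x02; put16(pkt + 34, 65535);     /* data offset, SYN, window */
    fix_checksums_full(pkt);
}

/* Returns 1 if the bare rewrite (what the original post did) fails verification
 * while the full and incremental fixes both pass and agree byte for byte. */
int checksum_demo(void)
{
    static const uint8_t ip3[4] = {192, 0, 2, 30};
    uint8_t a[PKT_LEN], b[PKT_LEN], bare[PKT_LEN];
    build_syn(a); memcpy(b, a, PKT_LEN); memcpy(bare, a, PKT_LEN);
    put16(bare + 22, 22);                     /* port rewritten, checksum untouched */
    int bare_rejected = !tcp_csum_ok(bare);
    memcpy(a + 16, ip3, 4); put16(a + 22, 22); fix_checksums_full(a);
    dnat_incremental(b, ip3, 22);
    return bare_rejected && memcmp(a, b, PKT_LEN) == 0 && ip_csum_ok(a) && tcp_csum_ok(a);
}
```

Two points worth keeping in mind when moving this into a hook: the TCP checksum covers the addresses through the pseudo-header, so a DNAT that only changes the IP destination still invalidates the TCP checksum, not just the IP one; and a real hook must also deal with skbs whose checksum was offloaded to the NIC, which the full-recompute helpers in the kernel handle and this plain-buffer example does not.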
 
 
Giacomo
      07-04-2005, 08:41 PM
Hello joy.
I calculated the TCP checksum. Now port redirection works fine.

I still have problems with address redirection. Example:

IP1: the one with the firewall.
IP2: requests the connection.
IP3: target of the redirection.

Rule on IP1: when receiving a connection on port 25, redirect to IP3 port 22.

On IP2 I do: ssh IP1 -p 25

On IP1 port 25 is translated into 22 and I see the packet FORWARDED to IP3.

On the sniffer (tcpdump) on PC IP3 I see the SYN from IP2 to IP3 (correct because of the
redirection),

then the SYN-ACK from IP3 to IP2 (addresses and ports get translated by IP1, so
IP3 should respond directly to IP2),

finally, and here is the problem, I see a reset from IP2 to IP3!

What am I doing wrong?

There must be something wrong: should I make every packet pass through the
firewall?

My home scenario is quite unusual: usually redirection happens from an
external network towards a private one.
In that case, if the first packet of a connection gets destination NATted, the
response goes out directly to the source address in the first packet, that is,
the external network, through the gateway.

Thanks a lot for any suggestion.

Giacomo.




"joy" <joy79a_nospam_@libero.it> wrote in message
news:%K7ye.82$(E-Mail Removed)...



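The reset Giacomo sees is the client doing exactly what it should: IP2 sent a SYN to IP1:25, so the only SYN-ACK it will accept is one from IP1:25; a SYN-ACK arriving straight from IP3:22 matches no socket and is answered with a RST. A destination-NAT box therefore has to see the reply too, so it can put the source back to the address and port the client originally used (which is why netfilter keeps a connection-tracking entry with an original and a reply tuple). The program below is an added illustration, not code from the thread: a tiny conntrack-style table in userspace C, with constructed addresses 192.0.2.1/2/3 standing in for IP1/IP2/IP3, that replays the scenario once with the reply bypassing IP1 and once with it routed back through IP1.

```c
#include <stdint.h>
#include <string.h>

/* A flow as the network sees it: source and destination address/port. */
typedef struct { uint32_t saddr, daddr; uint16_t sport, dport; } tuple_t;

/* One tracked connection: what the client sent (orig) and what the target
 * sees after DNAT (translated). The reply direction is the mirror of each. */
typedef struct { tuple_t orig, translated; int used; } conn_t;

#define MAX_CONN 8
static conn_t table[MAX_CONN];

static int tuple_eq(const tuple_t *a, const tuple_t *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport;
}

static tuple_t mirror(tuple_t t)
{
    tuple_t r = { t.daddr, t.saddr, t.dport, t.sport };
    return r;
}

/* PREROUTING on IP1: a new flow to IP1:25 is DNAT'd to IP3:22 and remembered.
 * Returns 1 if translated, 0 if the packet is not ours, -1 if the table is full. */
int nat_prerouting(tuple_t *pkt, uint32_t ip1, uint32_t ip3)
{
    if (pkt->daddr != ip1 || pkt->dport != 25) return 0;
    for (int i = 0; i < MAX_CONN; i++) {
        if (table[i].used) continue;
        table[i].used = 1;
        table[i].orig = *pkt;
        pkt->daddr = ip3; pkt->dport = 22;
        table[i].translated = *pkt;
        return 1;
    }
    return -1;
}

/* Reply path on IP1: a packet that mirrors a translated tuple gets its source
 * put back to what the client originally addressed (IP1:25). */
int nat_reply(tuple_t *pkt)
{
    for (int i = 0; i < MAX_CONN; i++) {
        tuple_t expect = mirror(table[i].translated);
        if (!table[i].used || !tuple_eq(pkt, &expect)) continue;
        pkt->saddr = table[i].orig.daddr;
        pkt->sport = table[i].orig.dport;
        return 1;
    }
    return 0;
}

/* The client's stack accepts a SYN-ACK only if it mirrors the SYN it sent;
 * anything else has no matching socket and is answered with a RST, which is
 * what tcpdump on IP3 showed. */
int client_accepts(const tuple_t *sent_syn, const tuple_t *synack)
{
    tuple_t expect = mirror(*sent_syn);
    return tuple_eq(synack, &expect);
}

/* The thread's scenario with constructed addresses 192.0.2.1/2/3 for IP1/IP2/IP3.
 * Returns 1 if the direct reply is rejected and the reply that went back
 * through IP1 is accepted. */
int nat_reply_demo(void)
{
    const uint32_t ip1 = 0xc0000201, ip2 = 0xc0000202, ip3 = 0xc0000203;
    memset(table, 0, sizeof table);
    tuple_t syn = { ip2, ip1, 40000, 25 }, on_wire = syn;
    if (nat_prerouting(&on_wire, ip1, ip3) != 1) return 0;
    tuple_t synack = mirror(on_wire);          /* IP3:22 -> IP2:40000, as IP3 sends it */
    int direct_rejected = !client_accepts(&syn, &synack);
    tuple_t via_ip1 = synack;                  /* same packet, routed through IP1 first */
    if (!nat_reply(&via_ip1)) return 0;
    return direct_rejected && client_accepts(&syn, &via_ip1);
}
```

The two standard ways to make the real network behave like the second run are to route IP3's return traffic through IP1 (IP3's default gateway is IP1, as in the usual external-to-private case Giacomo describes) or, when that is not possible, to source-NAT the forwarded SYN as well so that IP3 answers IP1 rather than IP2. Either way, the translator must be on the path of both directions, and the reply tuple must be looked up and reversed before the packet reaches the client.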
 
 
Giacomo
      07-04-2005, 08:43 PM
Thanks, I understood I made a mistake!
Thanks a lot!

Giacomo


"Giacomo" <(E-Mail Removed)> wrote in message
news:hahye.3240$%(E-Mail Removed)...