netfilter forward hook point to modify packets


I have two machines, A and B. B cannot access the Internet directly; it needs to reach the network via A.

There are two NICs, eth0 and eth1, on A.

eth0's IP is 10.0.2.15, eth1's IP is 192.168.56.101, and B's gateway is the IP of A's eth1 NIC.

After setting up the iptables policy on machine A, B can access the Internet.

Now I hope to intercept packets from machine B on machine A and modify the packets. My approach is as follows:

  1. After the three-way handshake, B visits a website in the browser and the server returns HTTP/1.1 200 OK; find the title tag in the HTML.
  2. Use the skb_tailroom() function to obtain the tailroom size.
  3. If the length of the content to insert is less than the tailroom, call the skb_put() function to expand the skb.
  4. Insert the content after the title tag, and modify the Content-Length header.
  5. Recalculate the IP and TCP checksums.

Problem: Machine B received the modified packets from machine A and discarded them, and machine A retransmitted the modified packets.

I suspect the problem is caused by the checksum calculation.

P.S. I have used the same checksum algorithm to modify packets directly on machine A, and it works. Modifying packets from machine B on machine A does not work.

Sorry for my English.


There is 1 answer

Nithin

Since it is TCP, Seq # and Ack # numbers matter, and if you are editing the packet data without editing the Seq # & Ack #, it doesn't work.
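To illustrate Nithin's point, here is an added user-space C model (not code from the question, the answer, or the kernel) of the sequence/acknowledgement bookkeeping a hook needs once it changes a segment's payload length; the struct and function names are assumptions, and the checksum and length updates from the question's steps are still required on top of this.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* One recorded length change on the server->client direction. The hook
 * inserted `delta` bytes into the segment whose original payload ended just
 * before original sequence number `pos` (names are assumptions). */
struct seqadj {
    uint32_t pos;   /* original seq of the first byte after the modified segment */
    int32_t  delta; /* bytes inserted (>0) or removed (<0) by the hook */
};

/* Wrap-safe 32-bit sequence comparisons (RFC 793 style). */
static bool seq_after(uint32_t a, uint32_t b)     { return (int32_t)(a - b) > 0; }
static bool seq_before_eq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* Server->client: every later segment must be shifted by delta, otherwise
 * the client sees a hole between the padded segment and the next one. */
uint32_t translate_fwd_seq(const struct seqadj *adj, uint32_t seq)
{
    return seq_before_eq(adj->pos, seq) ? seq + (uint32_t)adj->delta : seq;
}

/* Client->server: the client acknowledges the modified stream, so acks past
 * the insertion point are shifted back into the server's own numbering. */
uint32_t translate_rev_ack(const struct seqadj *adj, uint32_t ack)
{
    return seq_after(ack, adj->pos) ? ack - (uint32_t)adj->delta : ack;
}

/* Minimal model of the receiver: a segment is consumed only when it starts
 * exactly at rcv_nxt; anything else is left unacknowledged (dup-ACK path,
 * which is what makes the sender retransmit). Returns the new rcv_nxt. */
uint32_t client_receive(uint32_t rcv_nxt, uint32_t seq, uint32_t len)
{
    return seq == rcv_nxt ? rcv_nxt + len : rcv_nxt;
}

int main(void)
{
    /* Constructed scenario: the segment at seq 1000 carried 300 bytes and the
     * hook appended 20, so after it the client expects 1320, the server 1300. */
    struct seqadj adj = { .pos = 1300, .delta = 20 };
    uint32_t rcv_nxt = client_receive(1000, 1000, 300 + adj.delta);
    printf("next seq 1300 untranslated: rcv_nxt %u (stuck)\n", client_receive(rcv_nxt, 1300, 400));
    printf("next seq 1300 translated:   rcv_nxt %u\n", client_receive(rcv_nxt, translate_fwd_seq(&adj, 1300), 400));
    printf("client ack %u reaches server as %u\n", rcv_nxt, translate_rev_ack(&adj, rcv_nxt));
    return 0;
}
```

The untranslated case is the symptom in the question: the client never advances past the padded segment, so it keeps acknowledging 1320 while the server keeps retransmitting from 1300.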