Mailing List Archive

Raw sockets send/receive through NAT
Hi,

I have a requirement to NAT packets sent using raw sockets (
socket(AF_INET, SOCK_RAW, IPPROTO_TCP/ICMP) ). The machine I'm using
has a single interface with a 192.168.x.x address and I want to send a
packet from this machine with a 10.x.x.x source address (hence raw
sockets) and have the 10.x.x.x address NAT'd to the 192.168.x.x address.
I'm using POSTROUTING MASQUERADE'ing on eth0. I've got a couple of
questions:

1. How do I receive the returned (raw) packets *after* they have
traversed the NAT i.e. in the 10.x.x.x IP space? If I use libpcap for
example, I get the 192.168.x.x IP space packet but what I need is the
packet post-NAT with the 10.x.x.x IP address.

2. I've found the NAT works on 2.6.15 (FC5) but doesn't on 2.4.22
(RH9). Unfortunately I need to use the 2.4.22 kernel, at least for now.

Does anyone know at what point in the kernel releases this functionality
changed? And ... clutching at straws ... the reason(s) for the change
- was it just a bug or is there some deeper story?

How would I go about patching 2.4.22 to give me the raw sockets NAT that
I need (not something I even know where to start...)?

Thanks in advance!

Jon

P.S. Interestingly (?) I found that the NAT worked fine for TCP packets
but ICMP packets only worked if I added virtual interfaces and routes
for each of the 10.x.x.x addresses I wanted to send from... any ideas
why?!

Re: Raw sockets send/receive through NAT

Jon Wilson:
> Hi,
>
> I have a requirement to NAT packets sent using raw sockets (
> socket(AF_INET, SOCK_RAW, IPPROTO_TCP/ICMP) ). The machine I'm using
> has a single interface with a 192.168.x.x address and I want to send a
> packet from this machine with a 10.x.x.x source address (hence raw
> sockets) and have the 10.x.x.x address NAT'd to the 192.168.x.x address.
> I'm using POSTROUTING MASQUERADE'ing on eth0. I've got a couple of
> questions:
Why do you do that? Just for fun or something else?
>
> 1. How do I receive the returned (raw) packets *after* they have
> traversed the NAT i.e. in the 10.x.x.x IP space? If I use libpcap for
> example, I get the 192.168.x.x IP space packet but what I need is the
> packet post-NAT with the 10.x.x.x IP address.
You can just send the package, and wait for the response package; the
kernel netfilter will do other things for you.
I think postrouting and prerouting will affect your package in a
transparent way.
>
> 2. I've found the NAT works on 2.6.15 (FC5) but doesn't on 2.4.22
> (RH9). Unfortunately I need to use the 2.4.22 kernel, at least for now.
>
> Does anyone know at what point in the kernel releases this functionality
> changed? And ... clutching and straws ... the reason(s) for the change
> - was it just a bug or is there some deeper story?
>
> How would I go about patching 2.4.22 to give me the raw sockets NAT that
> I need (not something I even know where to start...)?
I am sorry, I don't know the differences between the versions!

RE: Raw sockets send/receive through NAT
> > I have a requirement to NAT packets sent using raw sockets (
> > socket(AF_INET, SOCK_RAW, IPPROTO_TCP/ICMP) ). The machine I'm using
> > has a single interface with a 192.168.x.x address and I want to send a
> > packet from this machine with a 10.x.x.x source address (hence raw
> > sockets) and have the 10.x.x.x address NAT'd to the 192.168.x.x address.
> > I'm using POSTROUTING MASQUERADE'ing on eth0. I've got a couple of
> > questions:
> Why do you do that? Just for fun or something else?

:-) Not for fun! The packets are arriving from mobile devices through
proprietary h/w and s/w and I need to send them on to the local LAN /
internet (and forward responses back to the mobile devices...).

> >
> > 1. How do I receive the returned (raw) packets *after* they have
> > traversed the NAT i.e. in the 10.x.x.x IP space? If I use libpcap for
> > example, I get the 192.168.x.x IP space packet but what I need is the
> > packet post-NAT with the 10.x.x.x IP address.
> You can just send the package, and wait for the response package; the
> kernel netfilter will do other things for you.
> I think postrouting and prerouting will affect your package in a
> transparent way.

I actually got this working today. Using raw packets I can receive all
packets and filter on destination IP address, pulling out only those
that are for the mobile devices. It turns out that using raw sockets
gives me the packets post-NAT so the IP addresses are back in the
private range (10.x.x.x in my example). Maybe this is common knowledge
but I've struggled to find it documented. If I use libpcap/tcpdump I
get packets pre-NAT and this is what I was expecting raw packets would
give me. Fortunately I was wrong :-) so I now have a solution.

Hope this is of help to someone out there!

Jon
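As an added illustration (not code from the thread), the receive side Jon describes: a raw IPv4 socket hands over each incoming packet with its IP header attached, and because Linux feeds AF_INET raw sockets after PREROUTING, where conntrack reverses the MASQUERADE, the destination is already back in 10.x.x.x, unlike an AF_PACKET/libpcap capture taken at the device. The 10.0.0.0/8 range and IPPROTO_TCP are assumptions taken from the thread's example; the filter validates the header before trusting the address, so a truncated or corrupted read is dropped rather than forwarded.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* RFC 1071 one's-complement sum; 0 over a header that carries a valid checksum. */
static uint16_t ipv4_hdr_checksum(const uint8_t *hdr, size_t ihl_bytes)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < ihl_bytes; i += 2)
        sum += (uint32_t)(hdr[i] << 8 | hdr[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1 if buf is a well-formed IPv4 packet destined for 10.0.0.0/8 (the de-NATed
 * mobile range, assumed from the thread), else 0; length, version, IHL and
 * header checksum are checked before the destination address is trusted. */
int is_for_mobile_range(const uint8_t *buf, size_t len)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len || ipv4_hdr_checksum(buf, ihl) != 0)
        return 0;
    uint32_t daddr = (uint32_t)buf[16] << 24 | (uint32_t)buf[17] << 16 | (uint32_t)buf[18] << 8 | buf[19];
    return (daddr & 0xff000000u) == 0x0a000000u;
}

/* AF_INET raw sockets deliver the IP header and on Linux are fed after PREROUTING,
 * so conntrack has already mapped the destination back to 10.x.x.x; needs CAP_NET_RAW. */
int main(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (fd < 0) { perror("socket"); return 1; }
    uint8_t buf[65535];
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        if (!is_for_mobile_range(buf, (size_t)n))
            continue;                       /* not for a mobile device */
        char dst[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, buf + 16, dst, sizeof dst);
        printf("%zd bytes for %s\n", n, dst);
    }
    close(fd);
    return 0;
}
```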