
In my modified OpenVPN server process, acting as an intermediate node, I'd need to embed my custom 3 bytes of data in the header of every IP packet and then, on the same machine (after going through tun), filter those packets by those custom 3 bytes.

Where's the best place in the IPv4 header to put my 3 bytes? And how do I retrieve them using iptables? Please note that I won't need those 3 bytes anymore after they have been processed by iptables.

frogatto
  • _Every_ IP packet? What's the point of changing the packet, then, if you match _all_? You can use the [iptables mark](https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html) option (if you don't **have** to change the packet itself), for example. Or try out [libnetfilter_queue](https://netfilter.org/projects/libnetfilter_queue/index.html) – Lenniey Aug 14 '19 at 11:47
  • @Lenniey I rephrased the question. In the server-side OpenVPN process I need to tag every IP packet with 3 bytes of data and, using iptables, retrieve the tag and take an appropriate action based on it. – frogatto Aug 14 '19 at 12:07
  • I still don't get why you can't just filter for `source-interface tun`, if you embed the bytes in every OpenVPN packet. Maybe this is an [XY problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem)? To filter for specific "bytes" you could use the [u32 module](https://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.21), maybe? – Lenniey Aug 14 '19 at 12:16
  • @Lenniey Those "bytes" are not the same for all packets, so I need to drop the packets tagged with some of them, something like a `switch case` statement. – frogatto Aug 14 '19 at 12:23
  • @Lenniey Thanks for the u32 module, it definitely helps. But where in the IP packet should I put those 3 bytes? – frogatto Aug 14 '19 at 12:36
  • Sorry, can't help you there. I still believe you don't have to change the packets' header/payload/options/whatever and you can accomplish your task differently, e.g. by marking or using some OpenVPN options or something. Modifying IP packets always sounds a bit...fishy – Lenniey Aug 14 '19 at 12:46
  • What is the purpose of modifying the IP packets? – Michael Hampton Aug 14 '19 at 15:54
  • @MichaelHampton In my forked OpenVPN, when I receive a packet from a client, I need to drop/accept the packet based on the packet info (IP, port or higher-level insights) and the client info (username, access control list), so I'm going to embed all of this inside the packet (3 bytes) and then write it to the `tun` interface. At the other end of `tun` I'd need iptables to drop/accept those packets based on those 3 bytes. Please note that those 3 bytes are not the same for all packets; they may hold any combination of 24 bits. – frogatto Aug 17 '19 at 05:40
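As an added example (not from the question or any of the comments), one place the 3 bytes asked about above can legitimately travel is an IPv4 option, which lengthens the header (IHL) and forces a checksum recompute; the Python below builds such a header and then parses the tag back out the way a filter on the far side of `tun` would, rejecting malformed option lengths. The option type 0x9E (RFC 4727 experimental option 30 with the copy flag set), the addresses and the payload are assumptions made for the example.

```python
import struct

# Assumed option type: RFC 4727 experimental IPv4 option 30 with the copy flag set.
TAG_OPT_TYPE = 0x9E

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words; 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tagged_ipv4(src: bytes, dst: bytes, payload: bytes, tag: bytes) -> bytes:
    """IPv4 header (UDP payload assumed) carrying a 3-byte tag in one option:
    type, length 5, 3 data bytes, then EOL padding to a 32-bit boundary (IHL 5 -> 7)."""
    assert len(tag) == 3, "the question asks for exactly 3 bytes"
    options = bytes([TAG_OPT_TYPE, 5]) + tag + b"\x00\x00\x00"
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len,
                      0, 0x4000, 64, 17, 0, src, dst) + options
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill checksum
    return hdr + payload

def extract_tag(packet: bytes):
    """Walk the IP options like a filter at the far end of tun; return the tag or None."""
    ihl = packet[0] & 0x0F
    if ihl <= 5 or len(packet) < ihl * 4:
        return None          # no options present, or truncated header
    opts, i = packet[20:ihl * 4], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:        # End of Option List
            break
        if kind == 1:        # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            return None
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None      # bogus length: never read past the header
        if kind == TAG_OPT_TYPE and length == 5:
            return opts[i + 2:i + 5]
        i += length
    return None
```

With no other options present the tag sits at header bytes 22 through 24, the region a byte-offset match such as the u32 module suggested in the comments would have to examine.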

0 Answers