filter-modify IP packets prior to routing??

Hi All,

I need to modify some IP traffic before it gets routed to a specific
network device… essentially, I want to change the destination IP and port
to a localhost address, and have a local user-mode application pick up the
communication.

I’ve tried NDIS IM drivers and TDI Filter-Hooks, but both get ahold of the
packets after they’ve already been routed to a device. Also, I can’t use
a layered winsock driver, because not all applications (i.e. SMB) use
Winsock.

I’ve seen references to something called TDI Firewall-Hook Drivers and
“TDI Filter Over TCP/UDP”, but absolutely no sample code or
useful documentation.

Can anyone point me in the direction of some good resources?

Thanks!
Kendell

If I were you, I would use IM driver and pipe the traffic back to
TCP/IP. This way stack would receive the traffic and give it to the
application. This is how major proxy based firewalls are implemented.

-Srin.

Look at www.ndis.com for references.
I would personally use an NDIS Hooking Filter driver.

-Jeff

Hmmmm. So, in theory, I would intercept a packet that I wanted to
redirect to the localhost, mess around with the IP’s, checksums, and such,
and send it to the TCP device instead of the adapter???

Duh…it’s all so clear now. Thanks!!!

Kendell

There’s something I still don’t understand. So I pipe all traffic
destined for the IP (2.2.2.2) I’m wanting to redirect back to
another localhost app. But I think I’ll have to change some of the data
in the packet (no problem, but don’t know what to change it to.)

Suppose I merely change the destination IP from 2.2.2.2 to 127.0.0.1, and
leave the source IP as-is (the physical adapter IP address at this point,
e.g. 10.0.5.10), and then pipe it back to TCPIP. My app on 127.0.0.1 will
receive the packets redirected from 2.2.2.2. But when it responds, what
will it respond to??? 10.0.5.10??? If that’s the case, then I won’t have
the opportunity in NDIS to change the source from 127.0.0.1 back to
2.2.2.2. I think that will confuse the app whose traffic is being
redirected (i.e. SMB.) It will be listening for a response from 2.2.2.2,
not 127.0.0.1.

Won’t it?

Kendell

You need to maintain a state about each connection you are changing.
Think as if you are doing NAT. You have to change while traffic is
flowing in one direction and restore while traffic is flowing on another
direction. This is not simple, you are basically trying to implement a
transparent proxy solution. If your app (proxy) is listening on one port
and you are redirecting traffic going to more than one port you are in
trouble. But if you are redirecting traffic going to a single port this
should be fairly easy.

-Srin.

Agreed. It’s very much like NAT, but even more complicated because I
don’t necessarily see all of the traffic…the localhost stuff gets handled
by TCPIP internally…outside of my IM driver.

All I can think to do is not only change the destination address from
(e.g.) 2.2.2.2 to 127.0.0.1, but also change the source address to some
arbitrary IP that is not assigned to the local computer
(e.g. 192.168.123.123). That way, the returning traffic would be forced
back out towards the adapter when I can change everything back and pipe
it back to tcp. That all sounds very inefficient tho, not to mention
making it impossible to ever communicate with 192.168.123.123.

Kendell

This network stack filtering stuff sounds like fun… almost as
convoluted as filesystem filtering. :)

- Nick Ryan

Heh…it was fun for about the first month of coding and searching for
nonexistent documentation. Now, I’m frustrated :P

Have yet to try the below solution tho…might work.

Hi,

You may try looking into the RFCs. Natting is pretty simple in theory,
but implementing it on Windows can be quite cumbersome.

Basically the idea is that you modify the packet to your liking, then
just correct the packet’s checksum, or the router will simply drop it.

If you are implementing a NAT, you will have to maintain a state
table, which stores the ports of UDP/TCP packets.

And that’s the reason why you can masquerade only UDP/TCP packets :)

Here are some links :

http://www.suse.de/~mha/linux-ip-nat/diplom/nat.html

Linux related, but packets know no boundaries :)

http://www.ietf.org/rfc/rfc2663.txt

http://www.ietf.org/rfc/rfc2694.txt

http://www.ietf.org/rfc/rfc2962.txt

http://www.ietf.org/rfc/rfc3022.txt

http://www.ietf.org/rfc/rfc3027.txt

http://www.ietf.org/rfc/rfc3235.txt

Hope that helps. After reading all the above mentioned papers, you
will have little trouble implementing your NAT/ transparent proxy
server… or whatever :)

enjoy !

Himanshu Singh

On Tue, 2003-06-24 at 15:53, Kendell Welch wrote:

> All I can think to do is not only change the destination address from
> (e.g.) 2.2.2.2 to 127.0.0.1, but also change the source address to some
> arbitrary IP that is not assigned to the local computer
> (e.g. 192.168.123.123). That way, the returning traffic would be forced
> back out towards the adapter when I can change everything back and pipe
> it back to tcp. That all sounds very inefficient tho, not to mention
> making it impossible to ever communicate with 192.168.123.123.

Keep track of a list of addresses in your driver. Examine the dest
address of each packet as it’s leaving, comparing it against the address
list. If it’s in the list, simply swap the source and dest addresses
and send it back up to TCP/IP. This will catch packets flowing in both
directions automatically.

There are other things to worry about with NATing, but because it’s a
1:1 NAT and on the same host, you may get away without implementing some
of the usual stuff. At any rate, you should be able to code up a proof
of concept just to see if it works pretty quickly.

-sd
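
The checksum fix-up and the address swap described in the last two replies, as an added example that is not code from the thread: it works on a constructed IPv4/TCP SYN in a plain buffer and does not model NDIS packet handling or checksum offload. All function names are hypothetical, and the destination-port rewrite goes one step beyond the swap to show the incremental checksum update (RFC 1624) that a port change needs.

```c
/* Added example: hypothetical names, constructed packet, no NDIS calls. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Ones' complement sum over big-endian 16-bit words (RFC 1071). */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t sum) {
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}

/* Fold the carries and complement: the value stored in a checksum field. */
static uint16_t fold(uint32_t sum) {
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }

/* IP header length, or 0 unless pkt is one whole IPv4/TCP packet of len bytes. */
static size_t ipv4_tcp_hlen(const uint8_t *pkt, size_t len) {
    size_t ihl;
    if (len < 40 || (pkt[0] >> 4) != 4 || pkt[9] != 6 || get16(pkt + 2) != len)
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    return (ihl >= 20 && len >= ihl + 20) ? ihl : 0;
}

/* 1 if the IP header checksum and the TCP checksum both verify. */
int checksums_ok(const uint8_t *pkt, size_t len) {
    size_t ihl = ipv4_tcp_hlen(pkt, len);
    uint32_t pseudo;
    if (!ihl || fold(sum16(pkt, ihl, 0)) != 0) return 0;
    pseudo = sum16(pkt + 12, 8, 0) + 6 + (uint32_t)(len - ihl);
    return fold(sum16(pkt + ihl, len - ihl, pseudo)) == 0;
}

/* If dst is on the list, exchange src and dst. 1 = swapped, 0 = not listed,
   -1 = malformed. Swapping aligned fields leaves both checksums unchanged. */
int redirect_swap(uint8_t *pkt, size_t len, const uint32_t *list, size_t n) {
    uint8_t tmp[4];
    size_t i;
    if (!ipv4_tcp_hlen(pkt, len)) return -1;
    for (i = 0; i < n && list[i] != get32(pkt + 16); i++)
        ;
    if (i == n) return 0;
    memcpy(tmp, pkt + 12, 4);
    memcpy(pkt + 12, pkt + 16, 4);
    memcpy(pkt + 16, tmp, 4);
    return 1;
}

/* Rewrite the TCP destination port and patch the checksum incrementally
   (RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m')). Returns 0, or -1 if malformed. */
int rewrite_dst_port(uint8_t *pkt, size_t len, uint16_t new_port) {
    size_t ihl = ipv4_tcp_hlen(pkt, len);
    uint8_t *tcp = pkt + ihl;
    uint16_t hc, old_port;
    if (!ihl) return -1;
    hc = get16(tcp + 16);
    old_port = get16(tcp + 2);
    put16(tcp + 16, fold((uint32_t)(uint16_t)~hc + (uint16_t)~old_port + new_port));
    put16(tcp + 2, new_port);
    return 0;
}

/* Constructed sample: TCP SYN 10.0.5.10:1025 -> 2.2.2.2:445, 40 bytes. */
size_t build_sample(uint8_t *buf) {
    static const uint8_t tmpl[40] = {
        0x45, 0, 0, 40, 0, 1, 0x40, 0, 128, 6, 0, 0,     /* IPv4 header, TCP */
        10, 0, 5, 10, 2, 2, 2, 2,                        /* src, dst */
        0x04, 0x01, 0x01, 0xbd, 0, 0, 0, 1, 0, 0, 0, 0,  /* ports, seq, ack */
        0x50, 0x02, 0x20, 0x00, 0, 0, 0, 0               /* SYN, window, csum, urg */
    };
    memcpy(buf, tmpl, 40);
    put16(buf + 10, fold(sum16(buf, 20, 0)));
    put16(buf + 36, fold(sum16(buf + 20, 20, sum16(buf + 12, 8, 0) + 6 + 20)));
    return 40;
}

int main(void) {
    static const uint32_t list[] = { 0x02020202 };  /* 2.2.2.2 */
    uint8_t pkt[40];
    size_t len = build_sample(pkt);
    return redirect_swap(pkt, len, list, 1) == 1 && checksums_ok(pkt, len) &&
           rewrite_dst_port(pkt, len, 8080) == 0 && checksums_ok(pkt, len) ? 0 : 1;
}
```

After the swap the packet reads as 2.2.2.2:1025 -> 10.0.5.10:445, so a reply from the local listener is again addressed to 2.2.2.2 and is caught by the same list check on its way out.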