Skip to BUILDING below for primitive build instructions.

DESCRIPTION
-----------

iptables DEST module

This module allows one to mangle packets and change the destination
address without the overhead and connection tracking associated with
NAT. The destination address and checksum are adjusted.

usage: iptables -t mangle -A PREROUTING -j DEST --to=

iptables SOURCE module

This module allows one to mangle packets and change the source address
without the overhead and connection tracking associated with NAT. The
source address and checksum are adjusted.

usage: iptables -t mangle -A POSTROUTING -j SOURCE --to=

iptables RELAY module

This iptables module implements a smart UDP relay that learns and
relays packets from and to the endpoints that connect to each port in
a specified range. The source, destination and checksums of relayed
packets are adjusted. This is useful for servers that act as a middle
man in a large number of UDP data connections.

usage: iptables -t mangle -A PREROUTING -p udp --dport : -j RELAY

The range of ports to be relayed is taken to be the same as the port
range match specified when creating the iptables rule (--dport
3000:4000 will make ports 3000-4000 available for relaying).

The module is implemented using a simple table of port and address
pairs. The first host to connect to a port is assumed to be one side
of the relay. The second host to connect is assumed to be the other
side of the relay. Any other host will cause the first host to be set
and the second host cleared. This handles dynamic IP addresses.

The ports are enabled, disabled and queried via the /proc interface. A
single /proc entry, /proc/net/ipt_RELAY/state, provides the entire
interface. To query the state, write the port, then read the state.
Note that internally, the pid of queries is tracked in a circular
buffer, so that a later read obtains the result of the query. This
proc interface is wrapped into a perl program called 'relaystate'.

The state of each port is not set directly. It is or'd with the
current state of the port (except for SET0/1, which causes the port to
be enabled and cleared). Using this interface, you can force the port
to enable, disable or relearn the endpoints. The state values are:

 0 = DISABLE
 1 = SET0    = relay port is enabled
 2 = SET1    = relay port is enabled, one endpoint is known
 3 = SET2    = relay port is enabled, both endpoints are known
 4 = ACTIVE1 = first port has been sent packets
 8 = ACTIVE1 = second port has been sent packets
12 = ACTIVE  = both ports have been sent packets
15 = ALL     = both ports are enabled and have been sent packets

So setting to 1 will enable and reset the port relay. Setting to 0
will disable the relay. Setting to 3 will enable the port relay,
clearing the activity state. Setting to 15 will enable the port relay,
keeping all state.

Here are some steps to demonstrate the relay:

On SERVER:
  iptables -t mangle -A PREROUTING -p udp --dport 3000:4000 -j RELAY
  ./relaystate 3000 1

On CLIENT1:
  perl test/pingpong.pl SERVER1 3000

On CLIENT2:
  perl test/pingpong.pl SERVER1 3000

BUILDING
--------

apply patches:
  allow-spoofing-2.4.20-patch
  netfilter-build-2.4.20.patch
-or-
  allow-spoofing-2.6.5.patch
  netfilter-build-2.6.5.patch

copy new files to these locations:
  net/ipv4/netfilter/ipt_RELAY.c
  net/ipv4/netfilter/ipt_SOURCE.c
  net/ipv4/netfilter/ipt_DEST.c
  include/linux/netfilter_ipv4/RELAY_nlm.h

configure linux, enable RELAY, SOURCE and DEST as needed.

You MUST currently enable SPOOFING for RELAY to work, as RELAY changes
the source to itself before the spoof check. An alternative solution
is to modify the RELAY code to change the source to some other fake
address, then change it to my address in POSTROUTING (with the SOURCE
module). Probably a better alternative is to change the spoof check to
allow packets that were modified in PREROUTING.

You must also apply the changes to the iptables application to be able
to use these modules.

-Don Mahurin
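As an added example (not part of this README or the module's code), here is a small Python model of the RELAY table described above: the two-endpoint learning per port, the documented relearn when any other host sends to a learned port, and the state value an operator reads back through /proc. The relay address and client endpoints are constructed sample values; the names of the two activity bits and the clearing of activity state on relearn are my assumptions.

```python
# Userspace model of the RELAY learning table and /proc state bits described
# above. Constructed example, not the module's code; addresses are samples.
from dataclasses import dataclass, field

# State values as listed in the README; the two activity bits are named
# ACTIVE_FIRST/ACTIVE_SECOND here (the README lists both as ACTIVE1).
DISABLE, SET0, SET1, SET2 = 0, 1, 2, 3
ACTIVE_FIRST, ACTIVE_SECOND, ACTIVE, ALL = 4, 8, 12, 15

@dataclass
class RelayPort:
    state: int = DISABLE
    ends: list = field(default_factory=lambda: [None, None])  # two (addr, port) or None

class RelayTable:
    def __init__(self, relay_addr, lo, hi):
        self.relay_addr = relay_addr  # address relayed packets are sourced from
        self.ports = {p: RelayPort() for p in range(lo, hi + 1)}  # --dport lo:hi

    def write_state(self, port, value):
        """Models a /proc write: 0 disables, 1 (SET0) enables and clears, else or'd in."""
        entry = self.ports[port]
        if value in (DISABLE, SET0):
            entry.state, entry.ends = value, [None, None]
        else:
            entry.state |= value

    def query(self, port):
        """Models writing the port to /proc/net/ipt_RELAY/state, then reading it."""
        return self.ports[port].state

    def handle(self, src, dport):
        """Learn from one datagram; return (new_src, new_dst) or None if not relayed."""
        entry = self.ports.get(dport)
        if entry is None or entry.state == DISABLE:
            return None                             # out of range or disabled
        ends = entry.ends
        if src not in ends:
            if ends[0] is None:                     # first host seen: side A
                ends[0], entry.state = src, SET1 | (entry.state & ACTIVE)
            elif ends[1] is None:                   # second host seen: side B
                ends[1], entry.state = src, SET2 | (entry.state & ACTIVE)
            else:                                   # any other host relearns: it
                ends[0], ends[1] = src, None        # becomes side A, B is cleared
                entry.state = SET1                  # activity cleared (assumption)
        peer = ends[1] if src == ends[0] else ends[0]
        if peer is None:
            return None                             # other side not yet known
        entry.state |= ACTIVE_FIRST if peer == ends[0] else ACTIVE_SECOND
        return (self.relay_addr, dport), peer       # source becomes the relay
```

Walking two clients and then a third host through port 3000 shows why the state should be queried after enabling a port: a datagram from any unexpected source silently resets the pairing.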