ipfw Divert Sockets and PPTP
- Subject: ipfw Divert Sockets and PPTP
- From: Jeff Cruikshank <email@hidden>
- Date: Tue, 28 Sep 2004 16:06:40 -0700
Hi list,
I have a daemon which performs a sort of aliasing (not completely unlike
natd), to transparently proxy mail traffic between a mail client and a
mailserver. For the most part, things work great, but PPTP seems to
complicate matters in such a way that my packets don't get diverted to
the right interface. The nature of my app is to act as a man in the
middle (I know, sounds scary, but I promise it's not malicious), such
that IMAP connections from the mail client automatically get redirected
to my proxy app (which listens on 127.0.0.1:10143). The proxy app, in
turn, connects to the mail server and proxies the traffic between the
two connections, as if they were one. When things are running well,
packets sent/rcvd from the mail client get processed in the following
manner:
Normal (working) scenario:
Traffic from mail client:
Before: 192.168.1.50:50299 -> 213.213.213.213:143
Modified: 192.168.1.50:50299 -> 127.0.0.1:10143
Traffic to mail client:
Before: 127.0.0.1:10143 -> 192.168.1.50:50299
Modified: 213.213.213.213:143 -> 192.168.1.50:50299
The problem I'm having with PPTP would seem to be that the address
translation that I perform when sending traffic back to the mail
client, doesn't cause the packet to get routed correctly (this is a
best guess). In my testing, the connect() call times out because the
3-way handshake can't be completed.
PPTP (broken) scenario:
Traffic from mail client:
Before: 10.214.2.34:50299 -> 213.213.213.213:143
Modified: 10.214.2.34:50299 -> 127.0.0.1:10143
Traffic to mail client:
Before: 127.0.0.1:10143 -> 10.214.2.34:50299
After: 213.213.213.213:143 -> 10.214.2.34:50299 // Packet never
received by PPTP interface with address 10.214.2.34
After perusing the kernel source (ip_divert.c), I thought that perhaps
I could inspect (and modify) the sin_zero field of the struct
sockaddr_in to control which interface the packet gets sent to (ppp0).
Though I was able to get the interface name this way, changing it
seemed to have no effect.
I was interested to find that Apple's natd (as configured via the
Internet Sharing panel) doesn't seem to work when the same PPTP
connection is in place. To test this, I had another machine connect
through the natd gateway to make sure it could connect to the outside
world, then I had the gateway make its PPTP connection. The result was
that the machine behind nat could no longer communicate with the
outside world.
Is there a way that I can cause the divert socket machinery to redirect
a packet to a specific interface?
BTW, here are the ipfw rules that I'm using to divert mail traffic:
ipfw add 100 divert 15000 tcp from any to any 143 out
ipfw add 101 divert 15000 tcp from any 143 to any in
ipfw add 102 divert 15000 tcp from any to any 10143
ipfw add 103 divert 15000 tcp from any 10143 to any
Thanks for any help!
Jeff Cruikshank
--
Jeff Cruikshank <email@hidden>
Senior Software Engineer, PGP Corporation
Darwin-dev mailing list (email@hidden)
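Added example (not the poster's daemon, nor Apple's natd): the packet-rewriting half of the proxy described above, written so the address-translation step is testable on its own. rewrite_endpoint() changes one IPv4/TCP endpoint in place and patches both the IP and TCP checksums incrementally (RFC 1624), which is the part that is easy to get wrong when a divert daemon swaps 213.213.213.213:143 for 127.0.0.1:10143 and back. The divert-socket loop at the end is compiled only where IPPROTO_DIVERT exists (FreeBSD/Darwin) and assumes the same port layout as the ipfw rules in the post: anything to port 143 is client-to-proxy, anything from port 10143 is proxy-to-client, with the real server address passed in as server_ip rather than tracked per connection. The sample SYN packet is constructed for the test and is not a capture. Nothing here addresses the interface-selection question the post asks; the sockaddr handed back by recvfrom() is simply reused on sendto(), which is the documented way to re-inject a diverted packet.

```c
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Ones'-complement sum (RFC 1071). Bytes are read in network order, so folded values are host order. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    while (len > 1) { sum += ((uint32_t)p[0] << 8) | p[1]; p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* RFC 1624 incremental update: HC' = ~(~HC + ~m + m'). */
static uint16_t csum_update16(uint16_t check, uint16_t oldv, uint16_t newv) {
    return csum_fold((uint32_t)(uint16_t)~check + (uint16_t)~oldv + newv);
}
static uint16_t csum_update32(uint16_t check, uint32_t oldv, uint32_t newv) {
    check = csum_update16(check, (uint16_t)(oldv >> 16), (uint16_t)(newv >> 16));
    return csum_update16(check, (uint16_t)oldv, (uint16_t)newv);
}
static size_t ihl_bytes(const uint8_t *pkt) { return (size_t)(pkt[0] & 0x0f) * 4; }

/* Full verification: summing header (or pseudo-header + segment) including the stored checksum folds to 0. */
int ip_checksum_ok(const uint8_t *pkt) {
    return csum_fold(csum_add(0, pkt, ihl_bytes(pkt))) == 0;
}
int tcp_checksum_ok(const uint8_t *pkt, size_t len) {
    size_t ihl = ihl_bytes(pkt), tlen = len - ihl;
    uint8_t pseudo[12];
    memcpy(pseudo, pkt + 12, 8);                               /* src, dst */
    pseudo[8] = 0; pseudo[9] = pkt[9];                         /* zero, protocol */
    pseudo[10] = (uint8_t)(tlen >> 8); pseudo[11] = (uint8_t)tlen;
    return csum_fold(csum_add(csum_add(0, pseudo, 12), pkt + ihl, tlen)) == 0;
}

/* Rewrite one endpoint (dir 0 = source, 1 = destination) of an IPv4/TCP packet in place,
 * patching both checksums incrementally. ip/port are host order. Returns -1 on a bad packet. */
int rewrite_endpoint(uint8_t *pkt, size_t len, int dir, uint32_t ip, uint16_t port) {
    if (len < 40 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return -1;
    size_t ihl = ihl_bytes(pkt);
    if (ihl < 20 || len < ihl + 20) return -1;
    uint8_t *ipf = pkt + (dir ? 16 : 12);                      /* address field */
    uint8_t *pf  = pkt + ihl + (dir ? 2 : 0);                  /* port field */
    uint32_t oldip, nip; uint16_t oldport, ipck, tcpck, v;
    memcpy(&oldip, ipf, 4);            oldip = ntohl(oldip);
    memcpy(&oldport, pf, 2);           oldport = ntohs(oldport);
    memcpy(&ipck, pkt + 10, 2);        ipck = ntohs(ipck);
    memcpy(&tcpck, pkt + ihl + 16, 2); tcpck = ntohs(tcpck);
    ipck  = csum_update32(ipck, oldip, ip);
    tcpck = csum_update32(tcpck, oldip, ip);                   /* address is in the TCP pseudo-header too */
    tcpck = csum_update16(tcpck, oldport, port);
    nip = htonl(ip);  memcpy(ipf, &nip, 4);
    v = htons(port);  memcpy(pf, &v, 2);
    v = htons(ipck);  memcpy(pkt + 10, &v, 2);
    v = htons(tcpck); memcpy(pkt + ihl + 16, &v, 2);
    return 0;
}

/* Constructed sample: a SYN 192.168.1.50:50299 -> 213.213.213.213:143 (the post's normal scenario). */
size_t build_sample_syn(uint8_t *buf) {
    static const uint8_t t[40] = {
        0x45,0x00,0x00,0x28, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
        192,168,1,50, 213,213,213,213,                          /* IP src, dst */
        0xc4,0x7b, 0x00,0x8f, 0,0,0x10,0, 0,0,0,0,              /* 50299 -> 143, seq, ack */
        0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00 };           /* SYN, window, csum, urg */
    static const uint8_t pseudo[12] = {192,168,1,50, 213,213,213,213, 0,6, 0,20};
    memcpy(buf, t, 40);
    uint16_t c = htons(csum_fold(csum_add(0, buf, 20)));       /* checksum fields are 0 in t */
    memcpy(buf + 10, &c, 2);
    c = htons(csum_fold(csum_add(csum_add(0, pseudo, 12), buf + 20, 20)));
    memcpy(buf + 36, &c, 2);
    return 40;
}

#ifdef IPPROTO_DIVERT
/* Divert loop (FreeBSD/Darwin only). Packets hitting an ipfw "divert <port>" rule arrive via
 * recvfrom(); sendto() with the same sockaddr re-injects them after the diverting rule. */
int divert_loop(uint16_t divert_port, uint32_t server_ip) {
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(divert_port) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) return -1;
    uint8_t pkt[65535];
    for (;;) {
        struct sockaddr_in from; socklen_t fl = sizeof from;   /* from.sin_addr == 0 means outgoing */
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &fl);
        if (n < 40) { if (n < 0) break; continue; }
        size_t ihl = ihl_bytes(pkt);
        uint16_t sport = (pkt[ihl] << 8) | pkt[ihl + 1], dport = (pkt[ihl + 2] << 8) | pkt[ihl + 3];
        if (dport == 143) rewrite_endpoint(pkt, n, 1, 0x7f000001u, 10143);    /* client -> proxy */
        else if (sport == 10143) rewrite_endpoint(pkt, n, 0, server_ip, 143); /* proxy -> client */
        sendto(fd, pkt, n, 0, (struct sockaddr *)&from, fl);
    }
    close(fd);
    return -1;
}
#endif
```

The verification functions accept both the 0x0000 and 0xffff encodings of a zero checksum, which is why they sum the stored field rather than comparing against a recomputed value; RFC 1624 notes the incremental formula can produce either. When debugging a case like the PPTP one, checking ip_checksum_ok()/tcp_checksum_ok() on the rewritten packet before sendto() rules out a silently dropped packet as the cause before looking at routing.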