ntop/nDPI

Please help filter iptables DNAT traffic with netfilter-ndpi module

gentoosys opened this issue · 1 comment

Hi. I am using ndpi netfilter module.
I have multiple DNAT rules, forwarding ports to external socks proxy servers, like this
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 13069 -j DNAT --to-destination 5.5.5.5:31029

I want to filter smtp traffic. I added such rules

iptables -A INPUT -m ndpi --proto smtp -j REJECT
iptables -A FORWARD -m ndpi --proto smtp -j REJECT
iptables -A OUTPUT -m ndpi --proto smtp -j REJECT #works for outgoing smtp connections from that server
iptables -t mangle -I PREROUTING -m ndpi --proto smtp -j DROP
iptables -t mangle -I OUTPUT -m ndpi --proto smtp -j DROP
iptables -t nat -I PREROUTING -p tcp -m ndpi --proto smtp -j REDIRECT --to-ports 666 # nonexistent port, because DROP is not allowed in the nat table
iptables -t nat -I OUTPUT -p tcp -m ndpi --proto smtp -j REDIRECT --to-ports 666

but smtp connections are still going through socks proxy servers. Can you please advise me how to filter smtp traffic?
The scheme is: socks client -> my server -> dnat -> external server socks port

You cannot change NAT after a connection has been established.
DPI determines the protocol based on the contents of the packets. This means that the protocol will be determined after the connection is established.
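The ordering the reply describes, as an added toy model (constructed example, not nDPI or netfilter code): the nat table is consulted only for the first packet of a flow, and that packet is a bare SYN with no payload, so a DPI match in the nat table sees "unknown" and the DNAT to the proxy is cached in conntrack for the rest of the flow. A filter-table rule is evaluated on every packet and does see the later classification. The flow id, the SOCKS/SMTP payloads and the `classify` stand-in for DPI are all constructed for the example; the addresses and port 666 are the ones from the issue's rules.

```python
from dataclasses import dataclass, field

SOCKS_PROXY = ("5.5.5.5", 31029)   # DNAT target from the issue's PREROUTING rule
SINK_PORT = 666                    # the nonexistent REDIRECT port from the issue


@dataclass
class Packet:
    flow: str            # conntrack flow id (constructed; both directions share it)
    payload: bytes = b""


def classify(payload: bytes) -> str:
    """Stand-in for DPI: it needs payload, so a bare SYN yields 'unknown'."""
    if not payload:
        return "unknown"
    if payload.startswith(b"220 ") and b"SMTP" in payload.upper():
        return "smtp"            # SMTP server greeting banner
    if payload[:1] == b"\x05":
        return "socks"           # SOCKS5 version byte in the client greeting
    return "unknown"


def nat_rule(label: str):
    """Models the issue's nat-table rules: the '-m ndpi --proto smtp' REDIRECT
    is inserted before the DNAT, so it wins only if the label is already 'smtp'."""
    if label == "smtp":
        return ("127.0.0.1", SINK_PORT)
    return SOCKS_PROXY


@dataclass
class Conntrack:
    nat: dict = field(default_factory=dict)    # flow -> NAT target, fixed once decided
    label: dict = field(default_factory=dict)  # flow -> latest DPI label


def run_flow(packets):
    """Return, per packet: the NAT target in force, the DPI label, and the
    filter-table verdict of a '-m ndpi --proto smtp -j DROP' rule."""
    ct = Conntrack()
    out = []
    for p in packets:
        seen = classify(p.payload)
        if seen != "unknown":
            ct.label[p.flow] = seen            # DPI verdict available only now
        label = ct.label.get(p.flow, "unknown")
        if p.flow not in ct.nat:
            ct.nat[p.flow] = nat_rule(label)   # nat table: first packet only
        verdict = "DROP" if label == "smtp" else "ACCEPT"  # filter table: every packet
        out.append({"nat": ct.nat[p.flow], "label": label, "filter": verdict})
    return out


# Constructed flow: TCP SYN (no payload), SOCKS5 client greeting, then the
# SMTP banner relayed back through the proxy.
FLOW = [
    Packet("c1"),
    Packet("c1", b"\x05\x01\x00"),
    Packet("c1", b"220 mail.example ESMTP ready\r\n"),
]

if __name__ == "__main__":
    for i, r in enumerate(run_flow(FLOW)):
        print(i, r)
```

Every packet of the flow keeps the proxy as its NAT target because the nat decision was made on the SYN, while the filter verdict flips to DROP on the packet that carries the SMTP banner; a hypothetical flow whose very first packet already carried the banner would be the only case in which the nat-table match could fire.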