Simon Brooke wrote:

> I think I want to do it at user-space-handler-over-netfilter level.

Which is supported just fine for a proxy approach by the NAT framework..

> So some types of SOAP message sent to host 'A' are valid, but all
> others should be blocked; and any SOAP messages sent to 'C' and 'D' may
> be blocked.

No problem, just write the needed proxy and add some access control rules to it to filter what should be allowed where.

> Now I can perfectly easily see that we can require all 'our' hosts to
> use a proxy server, and refuse to route outward packets to port 80
> unless they come from the proxy server; and I can see how we can route
> all inbound packets destined to port 80 to a proxy server. But I don't
> see how the proxy server can then discriminate which of our hosts the
> message (if allowed) should be routed on to. This may, of course, be
> because I'm stupid. If I am, please say so.

By running the proxy on the iptables box (or a nearby box also running iptables, and route the port 80 traffic there). Then NAT the connections to the (local) address of the proxy. A proxy running on the host where you do netfilter NAT can easily query netfilter for the originally intended destination.

> So it seems to me that the best thing to do is to get netfilter to hand
> off port 80 (or other designated ports) to a user space handler, and
> for that user space handler to buffer the requests until it has enough
> information to make a block or pass decision.

Entirely possible using the QUEUE approach. But I would probably recommend writing a proxy.. If using QUEUE then you would need your own TCP stream reassembly routines to be able to analyze the TCP data stream.

Regards
Henrik
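The arrangement Henrik describes (NAT port 80 to a proxy on the netfilter box, let the proxy ask netfilter for the original destination, buffer the request until the HTTP headers are complete, then pass or block per destination host), written out as an added example; this is not code from the thread and not Henrik's or Simon's. It is Linux-specific Python. SOL_IP and SO_ORIGINAL_DST are the kernel's real values; the host addresses standing in for 'A', 'C' and 'D', the allowed SOAPAction values and the listen port 3128 are constructed assumptions.

```python
import select
import socket
import struct

# Linux constants from <linux/netfilter_ipv4.h>; Python's socket module
# does not export SO_ORIGINAL_DST, so they are spelled out here.
SOL_IP = 0
SO_ORIGINAL_DST = 80

# Constructed policy table standing in for Simon's hosts 'A', 'C' and 'D'.
# Key: original (ip, port); value: set of SOAPAction values allowed there.
# An empty set blocks every SOAP message; hosts not listed are blocked too.
POLICY = {
    ("10.0.0.11", 80): {"urn:Orders#Submit", "urn:Orders#Status"},  # host 'A'
    ("10.0.0.13", 80): set(),                                       # host 'C'
    ("10.0.0.14", 80): set(),                                       # host 'D'
}

# Constructed fixture: a struct sockaddr_in as the kernel would return it
# for a connection originally aimed at 10.0.0.11:80.
SAMPLE_SOCKADDR = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 80)
                   + socket.inet_aton("10.0.0.11") + bytes(8))


def parse_original_dst(raw):
    """Decode the sockaddr_in that getsockopt(SOL_IP, SO_ORIGINAL_DST) returns.

    Layout: sa_family (2 bytes, host order), sin_port (2 bytes, network
    order), sin_addr (4 bytes), then 8 bytes of zero padding.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address")
    port = struct.unpack_from("!H", raw, 2)[0]
    return socket.inet_ntoa(raw[4:8]), port


def original_dst(conn):
    """Ask netfilter where the client really wanted to connect (Linux only)."""
    return parse_original_dst(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))


def decide(dst, buffered):
    """Return 'need-more', 'pass' or 'block' for the request bytes seen so far.

    SOAPAction is an HTTP header, so the verdict is deferred until the header
    block is complete; buffering is capped so a client cannot hold memory
    open by never finishing its headers.
    """
    head_end = buffered.find(b"\r\n\r\n")
    if head_end < 0:
        return "need-more" if len(buffered) < 16384 else "block"
    allowed = POLICY.get(dst, set())
    if not allowed:
        return "block"
    for line in buffered[:head_end].split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"soapaction":
            action = value.strip().strip(b'"').decode("ascii", "replace")
            return "pass" if action in allowed else "block"
    return "block"  # no SOAPAction header: not a SOAP request we admit


def relay(client, upstream, initial):
    """Forward the buffered request, then copy bytes both ways until one side closes."""
    upstream.sendall(initial)
    while True:
        readable, _, _ = select.select([client, upstream], [], [])
        for s in readable:
            data = s.recv(4096)
            if not data:
                return
            (upstream if s is client else client).sendall(data)


def serve(listen_port=3128):
    """Accept connections REDIRECTed by netfilter, decide, then relay or refuse."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", listen_port))
    srv.listen(16)
    while True:
        conn, _peer = srv.accept()
        with conn:
            dst = original_dst(conn)
            buf, verdict = b"", "need-more"
            while verdict == "need-more":
                chunk = conn.recv(4096)
                if not chunk:
                    verdict = "block"
                    break
                buf += chunk
                verdict = decide(dst, buf)
            if verdict != "pass":
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
                continue
            with socket.create_connection(dst) as upstream:
                relay(conn, upstream, buf)


if __name__ == "__main__":
    serve()
```

The matching NAT rule is the usual `iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128` (interface name assumed). Because the rule sits in PREROUTING it only catches forwarded traffic; the proxy's own outbound connections to the real destination traverse OUTPUT and are not redirected back to it, so there is no loop. The verdict is kept in `decide()` as a pure function so the access-control table can be tested without root or a live netfilter.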