socket.getsockopt() and SO_ORIGINAL_DST
chris
On netfilter-based NAT systems there is theoretically a possibility to
retrieve the original address *after* NAT'ing a connection. In C, this
can be done as in squid, a transparent HTTP proxy:
http://paste.pocoo.org/show/216495/
I'd like to do the same in Python. So I started with a small script:
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', 2626))
s.listen(1)
conn, addr = s.accept()
dst = conn.getsockopt(socket.SOL_IP, socket.SO_ORIGINAL_DST)
Since SO_ORIGINAL_DST is not defined in socket.py, the program fails:
AttributeError: 'module' object has no attribute 'SO_ORIGINAL_DST'
So I thought I'd be smart and look up the constant myself. Indeed, I
found it to be defined in:
/usr/include/linux/netfilter_ipv4.h:75:#define SO_ORIGINAL_DST 80
I replaced the getsockopt() call with
dst = conn.getsockopt(socket.SOL_IP, 80)
and ran into a new problem:
Traceback (most recent call last):
File "listen.py", line 14, in <module>
dst = conn.getsockopt(socket.SOL_IP, 80)
File "<string>", line 1, in getsockopt
socket.error: [Errno 22] Invalid argument
In C, everything works fine. But I really need this problem to be solved
in Python. Do you have any ideas?
Thanks for any support in advance and regards,
Chris
PS: I know there are ugly work-arounds to parse /proc/net/ip_conntrack
to do this job, but I will defenitely avoid that.
chris
I found a solution myself in O'Reilly's Security Power Tools. It works
seamlessly as follows:
from socket import *
SO_ORIGINAL_DST = 80
s = socket(AF_INET, SOCK_STREAM)
s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
s.bind(('192.168.255.254', 80))
s.listen(1)
conn, addr = s.accept()
dst = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
srv_port, srv_ip = struct.unpack("!2xH4s8x", dst)
print "original %s:%d" % (inet_ntoa(srv_ip), srv_port)
Basically, my fault was not specifying the buffer length :(
Have fun with it, whoever needs it.
Regards,
Chris