Iptables – Redirecting traffic based on ports (iptables)

firewall, iptables, linux-networking, networking, redirect

I am currently working on an application that is able to conduct ARP poisoning so as to become the man in the middle and do some intelligent filtering. I will explain the problem in detail in steps so as to let you guys know what is going on.

I have 4 hosts namely:

  • A – 192.168.1.1
  • B – 192.168.1.2
  • C – 192.168.1.3
  • D – 192.168.1.4

Host A is the man in the middle so all traffic within the network will be redirected to him.

Say Host B wants to ping Host C, but since host A is the MITM, the ping will be redirected to host A. My application at host A must be able to forward the ping packet to host C (its original intended route).

However, the application can decide certain packets that it wants to forward.

For example, if Host B wants to FTP to Host C this time, I would like for host A to mangle the destination IP address of the packets so that host B's packets actually go to host D instead (just an example, the FTP connection might not work, it's ok).

The basic idea is that the application is able to redirect traffic depending on the protocol.

This is where the problem comes in: I am not sure how I can go about doing this. I've read up on iptables and it seems that (correct me if I am wrong) iptables is able to mangle the destination address of packets with PREROUTING functions.

I've also done some searching on a particular module called libnetfilter_queue (nfqueue) which seems to be able to mangle packets as well, though I am not exactly sure how.

Can anybody advise me on what the correct approach is that I should take? If possible, can you provide some examples which will be able to solve the problem in the scenario above?

Best Answer

If it is indeed true what you say and all the traffic is going through host A, then you can use iptables on host A to redirect the traffic to other hosts than intended.

e.g.: Reroute traffic from D --> C on port 80 to B

iptables -t nat -A PREROUTING -p tcp --dport 80 -s 192.168.1.4 -d 192.168.1.3 -j DNAT --to-destination 192.168.1.2:80

As for your example (the FTP from B to C):

iptables -t nat -A PREROUTING -p tcp --dport 21 -s 192.168.1.2 -d 192.168.1.3 -j DNAT --to-destination 192.168.1.4:21

Rerouting ALL traffic coming from B intended for C to D:

iptables -t nat -A PREROUTING -s 192.168.1.2 -d 192.168.1.3 -j DNAT --to-destination 192.168.1.4

If more examples are needed I can make up some more.
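The rules from the answer, as a small script for host A. This is an added example, not code from the question or the answer above. It assumes you run it as root on host A, the four addresses from the question, and a hypothetical DRY_RUN variable that only prints the commands; the helper names (dnat_spec, add_dnat, prepare_host_a, run) are this example's own. It also covers the three things the one-liners leave out: the table name is lowercase `nat`, forwarding has to be switched on in the kernel, and a rule without `-p` is what actually catches "all traffic" (ICMP ping included), whereas `-p tcp` only rewrites TCP.

```shell
#!/bin/sh
# Added example (not from the original post): DNAT rules for host A, the MITM.
# Assumptions: root on host A, addresses A..D from the question, DRY_RUN=1 to
# print commands instead of running them.
set -u

# run CMD...: execute CMD, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# dnat_spec SRC DST NEWDST [PROTO [DPORT]]
# Prints the rule specification that rewrites the destination of SRC->DST
# traffic to NEWDST. With no PROTO the rule matches every protocol (so ping is
# redirected too); --dport is only legal together with a protocol.
dnat_spec() {
    src=$1; dst=$2; newdst=$3; proto=${4:-}; dport=${5:-}
    if [ -n "$dport" ] && [ -z "$proto" ]; then
        echo "dnat_spec: --dport needs a protocol (-p)" >&2
        return 2
    fi
    spec="-s $src -d $dst"
    [ -n "$proto" ] && spec="$spec -p $proto"
    [ -n "$dport" ] && spec="$spec --dport $dport"
    spec="$spec -j DNAT --to-destination $newdst"
    [ -n "$dport" ] && spec="$spec:$dport"
    printf '%s\n' "$spec"
}

# add_dnat SRC DST NEWDST [PROTO [DPORT]]
# Appends the rule to the nat PREROUTING chain once: iptables -C checks for an
# identical rule first, so re-running the script does not stack duplicates.
# The table is "nat" in lowercase; "-t NAT" is rejected as a non-existent table.
add_dnat() {
    spec=$(dnat_spec "$@") || return $?
    # $spec is deliberately unquoted so it is split into separate arguments.
    if [ "${DRY_RUN:-0}" != 1 ] && iptables -t nat -C PREROUTING $spec 2>/dev/null; then
        echo "already present: $spec"
    else
        run iptables -t nat -A PREROUTING $spec
    fi
}

# prepare_host_a: without net.ipv4.ip_forward=1 the kernel drops every packet
# it is asked to forward, DNAT'd or not. The FTP conntrack/NAT helpers make the
# FTP data connection follow the rewritten control connection on port 21.
prepare_host_a() {
    run sysctl -w net.ipv4.ip_forward=1
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
}

if [ "${1:-}" = apply ]; then
    prepare_host_a
    # The answer's examples. Order matters: the first matching rule in
    # PREROUTING wins, so the specific port rules go before the catch-all.
    add_dnat 192.168.1.4 192.168.1.3 192.168.1.2 tcp 80   # D->C:80 goes to B
    add_dnat 192.168.1.2 192.168.1.3 192.168.1.4 tcp 21   # B->C FTP goes to D
    add_dnat 192.168.1.2 192.168.1.3 192.168.1.4          # everything else B->C goes to D
    run iptables -t nat -L PREROUTING -n -v --line-numbers
fi
```

Run `DRY_RUN=1 sh mitm-dnat.sh apply` to see the commands, then `sh mitm-dnat.sh apply` as root to install them; the final listing shows per-rule packet counters, which is the quickest way to confirm a rule is actually matching. One caveat that follows from how DNAT works: connection tracking only un-translates the replies if D's answers to B also pass through host A, so in the ARP-poisoning setup from the question host D has to be poisoned as well, otherwise D replies straight to B with its own address and B's TCP stack discards the packets.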