Hi,

I'm trying to work out a way to inspect/modify dns requests as an advertising filter. Iptables is a good place to do this, but I'm having some problems disassembling the packet.

Test:
On my dev box, when a DNS reply is returned from a request made on the dev box. I use this rule to route the reply packet through a queue:

iptables -A INPUT -p udp --sport 53 -j NFQUEUE --queue-num 1


Will the rule catch the inbound udp packet with the dns reply in it?

I get something in the queue, but it's unintelligible when attempting to disassemble the packet. I don't want to move onto looking at my program until I get some feedback on the rule.

Here's a primitive diagram of what I'm working towards:

host ->DNS request->iptables(no outbound rules)-> DNS Server
->DNS Answer ->iptables(queue udp 53 packets)
->inspect packet program-> Allow/Deny -> host processes allowed packets

I've done a similar thing with snort + squid... I hope this helps you a bit.