wood burning stoves 2.0*
The moose likes Sockets and Internet Protocols and the fly likes Java appropriate for router/firewall Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Sockets and Internet Protocols
Bookmark "Java appropriate for router/firewall" Watch "Java appropriate for router/firewall" New topic
Author

Java appropriate for router/firewall

Sander Smith
Greenhorn

Joined: May 20, 2006
Posts: 4
I have a project that requires some networking code that's a bit different from what I'm used to. Normally the code we write is either for a server or client, and how to do this is pretty well established. I now want to write some code that effectively has my computer acting like a firewall.

What I want is to be able to put two network cards in my computer (call this "A"). One will be connected to a conventional router, and the other will be connected to another computer (call this "B"). What I'd like is that the existance of "A" should be completely transparent to "B". In other words, if "B" tries to send something out to the network, "A" simply takes the data and forwards it through on the other network card. If "B" tries to open a port, "A" will allow this and open its port on the other network card, and then transfer the data from clients who connect to it.

Obviously, this isn't all I need to do since it would be kind of pointless. Ultimately, computer "A" will do some filtering of the data passing through it (image processing application). Once I get a basic framework, I can do the rest.

I'm having trouble figuring out where to even start with a project like this. I don't think sockets are the right place to start here. I had a look at java.net.NetworkInterface which seems like the right place but I don't think it is.

I'm starting to think that Java is not the appropriate language for an application like this since it is not sufficiently low level. Anyone have any ideas on where to begin?

Sander Smith
Ernest Friedman-Hill
author and iconoclast
Marshal

Joined: Jul 08, 2003
Posts: 24184
    
  34

Hi,

Welcome to JavaRanch!

I think the first thing you need to do is to work on the problem definition a little more. Does this proxy all traffic, or only TCP? Only a fixed set of ports? Or only HTTP (for example?) It surely can't be all traffic on all ports with all protocols, or there'd be no way to know when to apply your filtering.

If it's only a finite number of ports with a known protocol, then you might be able to do it in Java or other user-space code, if the client could be configured to use your program as a local proxy. Otherwise, you'll need OS-level help, and the required techniques would be very OS-depended. On Linux, you could use iptables and a userspace program like netcat to do most of the work, then write your filtering code as a Java application. On Windows, I imagine there's something similar, but I personally don't know what it is.


[Jess in Action][AskingGoodQuestions]
Sander Smith
Greenhorn

Joined: May 20, 2006
Posts: 4
Thanks for responding. The problem I'm trying to solve is very well defined. Unfortunately, there were a few assumptions I was making that were completely wrong, and so my questions may have seemed not so well-defined. Sorry about that.

What I want to do is build a computer "A" with 2 ethernet ports. One port will be connected to a router, while the other is connected to another computer "B". The existance of "A" should be completely transparent to "B", and "B" should believe that it is connected directly to the internet.

"A"'s purpose is to be a reverse proxy for any web server opened on "B". In other words, if "B" opens port 80, then "A" should open its port 80 and transfer requests/responses back and forth (we'll ignore http servers on other ports for now). "A" will then be in a position to filter this traffic, for instance, if "B" serves up a jpg, "A" can transform it in some way. "B" doesn't need to know of "A"'s existance, and clients that connect to "A" should believe that they're connected directly to "B".

That's the real essence of the problem. I now see that this can't be done exclusively in Java as it must rely on help from the operating system. Unfortunately, I do Windows, but this project will be delivered on Linux, which is one reason I was hoping to encapsulate it all in Java, but that won't work.

I took a look at your suggestions, and was hoping that you could explain it a little bit better or give me some pointers to places to look. What role do iptables and netcat in a solution to this problem? I guess I need to write a little Java app to do the actual filtering, but how does that process get kicked off and how does it integrate with the other parts of the solution?


Thanks for any help you can give. BTW, I just started looking at Jess as I was a bit involved with Rete/OPS5 back in the 80s. Pretty cool stuff.

Sander
Ernest Friedman-Hill
author and iconoclast
Marshal

Joined: Jul 08, 2003
Posts: 24184
    
  34

So there are two parts to this:

1) A serves as a network bridge for B. Each OS has its own way of doing this, but it's generally straightforward. I think windows just calls it "Connection sharing." You probably want to set this up so that B doesn't have an internet address of its own -- i.e., A does NAT (network address translation) so that from the Internet, you can't directly address B, but from B, you can directly address the Internet.

2) Then you have a Web server set up on A, and it serves as a proxy for B. For example, you can run Apache on A, and use the ProxyPass directive so that Web requests to A are forwarded to B. The machine A could do this for many B's simultaneously.

Then you use the various filtering mechanisms available in Apache -- i.e., configure Apache to do what you want, or write your own modules to do it if Apache doesn't have the right capabilities.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Java appropriate for router/firewall