Pre-NAT / Post-NAT Filtering

  • Question

  • Hello,
I have an issue regarding filtering with NAT which I think is a pretty logical scenario; however, I cannot find any way about it using the WFP. I need to filter based on source and destination address of packets that are NAT-ed on the same machine. Ideally, I need to inspect packets from the "internal" interface before NAT-ing and _after_ NAT-ing on the "outside" interface; i.e. when I have "internal" address and ports in the packets.

By just creating a new sublayer in the IPFORWARD layer, I get packets from the "internal" interface to the outbound interface before NAT, but do not get any packets from the outbound interface in. I understand why it is doing this; the "outside" host would send a packet with my firewall's IP, and hence those packets would come on the "outside" interface's INBOUND layer. How do I get these packets? Is it that the NAT service grabs packets on the "outside" interface, modifies them, and reinjects them in the "internal" interface?

    For those familiar with iptables on Linux, I'd like to filter on the "FORWARD" layer - in iptables, NAT-ing is done at the PREROUTING and POSTROUTING layer (and FORWARD is the "routing" layer if you will).

    Cheers,
    Arun Tejasvi Chaganty
    Wednesday, July 22, 2009 2:28 AM

Answers

  • Hello,
My apologies, I had a small bug in taking out the IP header from the NET_BUFFERs in the OUTBOUND layer (I was "rewinding" the NET_BUFFERs for the IPFORWARD layer, which I don't need to do in the OUTBOUND layer), and now I can filter my packets.

    Cheers,
    Arun Tejasvi Chaganty
    • Marked as answer by arunchaganty Wednesday, July 22, 2009 7:29 AM
    Wednesday, July 22, 2009 7:29 AM
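The offset mistake described in the answer above, as an added example that is not part of the original thread and not WFP driver code: a plain user-mode C model of where the NET_BUFFER data start sits relative to the IPv4 header at each layer, and what goes wrong when the retreat is applied at the wrong one. The layer enum, the `sample_packet` bytes and all function names are constructed for this example; the rule it encodes is that at an inbound IP-packet layer the stack has already consumed the IP header (its length is reported as the `ipHeaderSize` metadata value, so the callout must retreat by that much before reading it), while at the outbound IP-packet layer the data start is the IP header itself. The forward layer is modelled here as also starting at the IP header, which is an assumption of this model rather than something the thread states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the WFP layer identifiers; only the retreat rule
   below depends on them. */
typedef enum {
    LAYER_INBOUND_IPPACKET,   /* data start is past the IP header (already consumed) */
    LAYER_OUTBOUND_IPPACKET,  /* data start is the IP header */
    LAYER_IPFORWARD           /* modelled as starting at the IP header (assumption) */
} layer_t;

typedef struct {
    uint8_t  protocol;
    uint32_t src;   /* host byte order */
    uint32_t dst;   /* host byte order */
} ipv4_info_t;

/* Constructed sample: 20-byte IPv4 header (10.0.0.5 -> 192.0.2.10, UDP), an 8-byte
   UDP header (1234 -> 53) and 16 bytes of payload. Checksums are left zero. */
#define SAMPLE_LEN 44
#define SAMPLE_IHL 20
static const uint8_t sample_packet[SAMPLE_LEN] = {
    0x45, 0x00, 0x00, 0x2c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 5,
    192, 0, 2, 10,
    0x04, 0xd2, 0x00, 0x35, 0x00, 0x18, 0x00, 0x00,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

/* How far the data start must be retreated to reach the IP header at a given layer.
   'ip_header_size' plays the role of the ipHeaderSize metadata reported at inbound
   layers; at the other layers nothing needs to be rewound. */
static size_t ip_header_retreat(layer_t layer, size_t ip_header_size) {
    return layer == LAYER_INBOUND_IPPACKET ? ip_header_size : 0;
}

/* Parse the IPv4 header found 'retreat' bytes before 'data_start'. Returns 0 on
   success and -1 when the bytes there are not a plausible IPv4 header, which is
   exactly the symptom of rewinding at the wrong layer. */
static int parse_ipv4(const uint8_t *buf, size_t buf_len, size_t data_start,
                      size_t retreat, ipv4_info_t *out) {
    if (retreat > data_start || data_start > buf_len) return -1;
    size_t hdr = data_start - retreat;
    if (buf_len - hdr < 20) return -1;
    const uint8_t *h = buf + hdr;
    if ((h[0] >> 4) != 4) return -1;                 /* version nibble must be 4 */
    size_t ihl = (size_t)(h[0] & 0x0f) * 4;
    if (ihl < 20 || buf_len - hdr < ihl) return -1;  /* IHL must fit the buffer */
    out->protocol = h[9];
    out->src = read_be32(h + 12);
    out->dst = read_be32(h + 16);
    return 0;
}

/* What a classify routine would do per layer: pick the retreat, then parse. */
static int classify_addresses(layer_t layer, const uint8_t *buf, size_t buf_len,
                              size_t data_start, size_t ip_header_size,
                              ipv4_info_t *out) {
    return parse_ipv4(buf, buf_len, data_start,
                      ip_header_retreat(layer, ip_header_size), out);
}

int main(void) {
    ipv4_info_t info;
    /* Inbound: the data start already sits at byte 20, so retreat by the header size. */
    if (classify_addresses(LAYER_INBOUND_IPPACKET, sample_packet, SAMPLE_LEN,
                           SAMPLE_IHL, SAMPLE_IHL, &info) == 0)
        printf("inbound : %08x -> %08x proto %u\n", (unsigned)info.src, (unsigned)info.dst, info.protocol);
    /* Outbound: the data start is byte 0, no retreat. */
    if (classify_addresses(LAYER_OUTBOUND_IPPACKET, sample_packet, SAMPLE_LEN,
                           0, SAMPLE_IHL, &info) == 0)
        printf("outbound: %08x -> %08x proto %u\n", (unsigned)info.src, (unsigned)info.dst, info.protocol);
    /* The two mistakes: retreating at outbound walks off the front of the buffer,
       and not retreating at inbound reads the UDP header as if it were IP. */
    printf("retreat at outbound  : %d\n", parse_ipv4(sample_packet, SAMPLE_LEN, 0, SAMPLE_IHL, &info));
    printf("no retreat at inbound: %d\n", parse_ipv4(sample_packet, SAMPLE_LEN, SAMPLE_IHL, 0, &info));
    return 0;
}
```

In a real callout the retreat and the matching advance afterwards are done on the NET_BUFFER itself, and the same layer-dependent rule applies to both the source/destination match and to the later re-advance; the model keeps that decision in one function so the per-layer behaviour is visible in one place.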

All replies

  • Hello,
         So I've tried filtering packets on the OUTBOUND layer, reasoning that the "re-injected" packets should wind up there. Unfortunately, they aren't showing up. Could anyone enlighten me as to where I might be able to capture those packets?

    Cheers,
    Arun Tejasvi Chaganty
    Wednesday, July 22, 2009 7:23 AM