Reputation: 1380
I want to drop outgoing IP packets from my machine based on some criteria. I checked the capabilities provided by iptables but unfortunately it doesn't have what I am looking for.
So what I want is access to packets (at least those generated on my machine and going out), and based on some criteria the ability to drop them.
Should I be looking at modifying the iptables source code to add this functionality, or should I make a Linux kernel module to do this? Or is there something else I should look into?
I want some general guidance but any specifics like a particular file in iptables where such functionality can be added will be very useful too!
Upvotes: 1
Views: 435
Reputation: 1288
You can use the NFQUEUE target of the netfilter. It sends packets to a userland program which can parse the payload and return a decision like DROP or ACCEPT.
You can find documentation and examples on the netfilter website.
This functionality is mentioned at the beginning of man iptables.
...
Upvotes: 1
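The split the answer above describes, with the kernel handing each packet to userspace and the program returning ACCEPT or DROP, as an added example that is not part of the original answer. The verdict logic parses the raw IPv4 packet itself so it runs and can be tested offline; the NFQUEUE attachment uses the third-party NetfilterQueue Python package (bind, run, get_payload, accept, drop) and needs root plus an iptables rule such as `iptables -I OUTPUT -j NFQUEUE --queue-num 1 --queue-bypass`. The blocked destination, port and queue number are constructed placeholders, not values from the page.

```python
#!/usr/bin/env python3
"""Drop outgoing IPv4 packets selected by a user-defined predicate via NFQUEUE.

Kernel side (run as root; not part of this script):
    iptables -I OUTPUT -j NFQUEUE --queue-num 1 --queue-bypass
--queue-bypass makes the kernel ACCEPT packets when no userspace program is
listening on the queue, so a crashed filter fails open instead of cutting
off all outbound traffic.
"""
import ipaddress
import struct

# Constructed policy (hypothetical values): drop outgoing TCP to this host:port.
BLOCKED_DST = ipaddress.ip_address("203.0.113.7")  # TEST-NET-3, documentation range
BLOCKED_PORT = 80


def parse_ipv4(raw: bytes):
    """Return (proto, src, dst, sport, dport) from a raw IPv4 packet, or None if malformed."""
    if len(raw) < 20:
        return None
    ver_ihl = raw[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4           # header length in bytes (options included)
    if ihl < 20 or len(raw) < ihl:
        return None
    proto = raw[9]
    src = ipaddress.ip_address(raw[12:16])
    dst = ipaddress.ip_address(raw[16:20])
    sport = dport = None
    # TCP (6) and UDP (17) both put source/destination ports in the first 4 L4 bytes.
    if proto in (6, 17) and len(raw) >= ihl + 4:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return proto, src, dst, sport, dport


def should_drop(raw: bytes) -> bool:
    """Verdict: True means DROP, False means ACCEPT.

    Malformed packets are accepted so a parser bug never becomes a self-inflicted
    outage; invert this if the policy is default-deny.
    """
    parsed = parse_ipv4(raw)
    if parsed is None:
        return False
    proto, _src, dst, _sport, dport = parsed
    return proto == 6 and dst == BLOCKED_DST and dport == BLOCKED_PORT


def build_ipv4(proto: int, src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet with a port-carrying L4 header for offline testing.

    Checksums are left zero; this is test input, never sent on the wire.
    """
    l4 = struct.pack("!HH", sport, dport) + payload
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    return header + l4


def run_queue(queue_num: int = 1) -> None:
    """Attach should_drop() to NFQUEUE. Needs root and the NetfilterQueue package."""
    from netfilterqueue import NetfilterQueue  # pip install NetfilterQueue (needs libnetfilter_queue)

    def callback(pkt):
        if should_drop(pkt.get_payload()):
            pkt.drop()
        else:
            pkt.accept()

    nfq = NetfilterQueue()
    nfq.bind(queue_num, callback)
    try:
        nfq.run()
    finally:
        nfq.unbind()


if __name__ == "__main__":
    run_queue()
```

Keep the rule narrow in production (match the protocol or destination in iptables before jumping to NFQUEUE) so only traffic the predicate cares about pays the userspace round trip, and keep `--queue-bypass` in mind when deciding whether the filter should fail open or closed.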
Reputation: 12194
I'm pretty sure iptables could be used to drop packets based on the condition. If the condition is complicated you might need to write your own netfilter plugin (http://netfilter.org/) to augment what can be done with iptables.
Upvotes: 1
Reputation:
From what you're describing, it sounds like what you're trying to do could probably be implemented as a new iptables match. You'd have to tell us what conditions you're trying to drop packets based on before we could advise you in more detail, though.
Upvotes: 1