How to reinject the packet in the Iptables?

I agree with MrShunz's answer. Use libnetfilter_queue. To use it, you will need a Linux kernel version 2.6.14 or later built with nfnetlink_queue support. There are two parts to set up:

1. Your iptables/netfilter rules to send packets to user-land, and
2. your user-land program, which will process the packets as desired and then return them to netfilter.

The iptables rule might look something like this:

IN_INTERFACE=eth0
SOURCE_NETWORK=192.168.66.0/24
QUEUE_NUM=1
iptables -t raw -A PREROUTING -i $IN_INTERFACE -s $SOURCE_NETWORK -j NFQUEUE --queue-num $QUEUE_NUM

This will send all packets coming in through a specific interface from a specific network to your user-land process that is listening on queue number 1.

Your program, which will likely have to be written in C or C++, will use the libnetfilter_queue API. Sorry, I'm not going to write any code here (there is example code in the API docs I linked to), but the basic idea is that your program will:

• read each packet sent to the queue,
• make your desired modifications to the packet,
• and finally, specify a "verdict" to netfilter, saying whether to ACCEPT or DROP the packet. Presumably, you will be ACCEPTing most of the time.

I have not personally used this API, but my reading of the docs is that ACCEPTing a packet actually means to reinject it, as modified, back into netfilter, to continue traversing the iptables rulesets. I could be wrong on this point, so you may want to investigate further before committing to this course of development.

IIRC, to reinject (to the start of the chain, though!), use NF_REPEAT as a verdict.

Seems like libipq has been deprecated by libnetfilter_queue. The documentation states:

issuing verdicts and/or reinjecting altered packets to the kernel nfnetlink_queue subsystem

seems like what you're looking for...