Packet inspection Firewall

Hello, I have a HLK-7688A with 1 WAN and 4 LAN ports. I want to use it for my thesis project. When routing from LAN to WAN, I want to inspect all packets for a specific port and, depending on the request in the payload, decide whether to drop/stop the packet or let it go through.
It's not on HTTP, but I will use it as an example; it's easier for me to explain.
LAN user asks for http://www.mcs.com/download/file.zip
I would like to check the part "download/file.zip" and decide whether to block the request or not, before it is routed to the WAN interface. IP filtering doesn't help in this case.

I could use a kind of proxy with a task managing the request on the service port: the LAN user makes the request to the firewall so the task can inspect the full request and, if valid, creates a new request to the WAN user (it works because the request will be from WAN to LAN; I will make a kind of NAT where the WAN asks the firewall for data and, if the request is valid, it is forwarded to the LAN user).

I will work with simple requests, so I'm sure I can manage the captured traffic from network to application level. I just need an entry point.

I hope it's clear what I would like to do.
Any suggestion on how to create this "function"?
I read about Netfilter, but my understanding is that it works on IP addresses only. tcpdump is nice for capturing and later analysis, but not usable to block packets.

I'm more willing to write C code instead of using a package to configure; anyway, I'm open to any solution.

Thanks for your advice

Except that users won't ask for that file these days, but for https://www.mcs.com/download/file.zip - and with that, your router is out of the loop (end-to-end encryption does not include your router).

If you want to actually use it, aside from being an academic and lethargic proof of concept with abysmal performance, you will require something considerably faster than that - and 128 MB RAM is probably not enough for a proof of concept implementation either.

Thanks for the reply. Just to clarify

1- I will not work with the HTTP protocol but with an industrial PLC protocol; mine was just an example of something familiar to many people. There isn't any end-to-end encryption in my protocol (or at least in my application).

2- My project is just to demonstrate that the system works. Of course I can decide to buy a more powerful CPU; I just have to check what I can mount on the development board.

You can have a full Linux in a virtual machine, intercepting between 2 VLANs passed through some switch: nftables queue or some Python module for packet interception.

You might want to look at how snort IPS does this using libdaq (https://github.com/snort3/libdaq).

Also worth thinking about is the nftables queue expression, which can be used to shuttle packets into user space: https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace
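An added example (not from this thread or any poster) of the user-space verdict logic behind the nftables queue approach, using the original HTTP illustration: it parses the IPv4/TCP headers of a queued packet, reads the request path from the payload, and returns accept or drop. It assumes a constructed forward rule such as `nft add rule inet filter forward tcp dport 80 queue num 0` and, for the live path only, the python-netfilterqueue binding; the deny-list and the sample packet are constructed for the example.

```python
import struct

BLOCKED_PATHS = {"/download/file.zip"}  # constructed deny-list for the example

def parse_ipv4_tcp(packet: bytes):
    """Return (dst_port, tcp_payload) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or len(packet) < ihl + 20:  # protocol 6 = TCP
        return None
    tcp = packet[ihl:total_len]  # ignore any padding past the IP total length
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    return dst_port, tcp[data_off:]

def verdict(packet: bytes) -> str:
    """Decide 'accept' or 'drop' from the request path carried in the payload."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return "accept"  # not IPv4/TCP: the queue rule would not have sent it here
    _port, payload = parsed
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 3:
        return "accept"  # no request line (SYN, bare ACK, continuation segment)
    path = parts[1].decode("latin-1")
    return "drop" if path in BLOCKED_PATHS else "accept"

def build_ipv4_tcp(payload: bytes, dst_port: int = 80) -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return ip + tcp + payload

def run_queue(queue_num: int = 0) -> None:
    """Live path: handle packets the nft 'queue' rule hands to user space (needs root)."""
    from netfilterqueue import NetfilterQueue  # assumption: python-netfilterqueue installed

    def handle(pkt):
        pkt.drop() if verdict(pkt.get_payload()) == "drop" else pkt.accept()

    nfq = NetfilterQueue()
    nfq.bind(queue_num, handle)
    try:
        nfq.run()
    finally:
        nfq.unbind()
```

Each TCP segment passes through the queue separately, so a request split across segments is only caught if its request line lands in the first one; reassembly is the next step for a real deployment.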

You can model non-TCP/non-UDP protocols better with Scapy; it has some Modbus templates already.