How to recognize tinc TCP connection with iptables
Nikolaus Rath
Nikolaus at rath.org
Sat Aug 31 07:48:59 CEST 2013
Hello,
Is there a way to reliably identify a tinc TCP connection using
iptables?
Looking at the iptables documentation, the u32 test seems to be very
flexible (though the "language" of the tests is pretty unreadable):
    u32
        U32 tests whether quantities of up to 4 bytes extracted from a packet have specified
        values. The specification of what to extract is general enough to find data at given
        offsets from tcp headers or payloads.
        [...]
        Example:
        TCP payload bytes 8-12 is any of 1, 2, 5 or 8
            First we test that the packet is a tcp packet (similar to ICMP).
            --u32 "6 & 0xFF = 6 && ...
            Next, test that it is not a fragment (same as above).
            ... 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"
        0>>22&3C as above computes the number of bytes in the IP header. @ makes this the
        new offset into the packet, which is the start of the TCP header. The length of the
        TCP header (again in 32 bit words) is the left half of byte 12 of the TCP header.
        The 12>>26&3C computes this length in bytes (similar to the IP header before). "@"
        makes this the new offset, which is the start of the TCP payload. Finally, 8 reads
        bytes 8-12 of the payload and = checks whether the result is any of 1, 2, 5 or 8.
The question is just, what do I have to look for? Ideally there'd be an
easy way to recognize every tinc packet, but matching just one specific
packet that's sent early on would probably work as well when combined
with the netfilter connection marker.
Thanks for this great piece of software!
-Nikolaus
--
»Time flies like an arrow, fruit flies like a Banana.«
PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C
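The u32 walk quoted from the man page (read a word, shift and mask it into a byte count, `@` to move the base, read again) is easier to reason about when it can be executed offline. The following is an added example, not code from the post, from tinc or from iptables: a small Python evaluator for the `--u32` expression language that follows the xt_u32 kernel module's semantics (an out-of-range read means "no match"), run over constructed IPv4/TCP packets. The port 655 and the payload values are constructed sample data, not tinc traffic, and the example does not answer which bytes identify tinc; it only shows how a candidate expression would be evaluated against a packet.

```python
import re
import struct
def _read4(packet, off):
    """Big-endian 32-bit read; None if it runs off the packet (xt_u32: no match)."""
    return struct.unpack_from("!I", packet, off)[0] if 0 <= off <= len(packet) - 4 else None

def u32_match(packet, expr):
    """Evaluate an `-m u32 --u32 expr` string against a raw IPv4 packet, as xt_u32 does."""
    for test in expr.split("&&"):
        loc, _, values = test.partition("=")
        tok = re.findall(r"0x[0-9a-fA-F]+|\d+|<<|>>|[&@]", loc)
        at, val = 0, _read4(packet, int(tok[0], 0))      # first number: offset to read
        for op, num in zip(tok[1::2], tok[2::2]):
            if val is None:
                break
            n = int(num, 0)
            if op == "&":
                val &= n
            elif op == "<<":
                val = (val << n) & 0xFFFFFFFF
            elif op == ">>":
                val >>= n
            else:                     # "@": base += current value, then read 4 bytes at base + n
                at, val = at + val, _read4(packet, at + val + n)
        if val is None:
            return False
        ranges = [r.partition(":") for r in values.replace(" ", "").split(",")]
        if not any(int(lo, 0) <= val <= int(hi or lo, 0) for lo, _, hi in ranges):
            return False
    return True

def build_packet(payload, tcp_options=b"", proto=6):
    """Constructed IPv4/TCP packet (not a tinc capture): IHL=5, checksums left zero."""
    tcp_len = 20 + len(tcp_options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload), 0x1234,
                     0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 655, 1, 0, (tcp_len // 4) << 4, 0x18, 65535, 0, 0)
    return ip + tcp + tcp_options + payload

# The man page's own example, as quoted in the post (its fragment test is elided there too).
MAN_PAGE_EXAMPLE = "6 & 0xFF = 6 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"

def demo():
    plain = build_packet(bytes(11) + b"\x05")             # payload bytes 8-12 hold 5
    cases = {"tcp_payload_5": plain,
             "tcp_options_payload_8": build_packet(bytes(11) + b"\x08", tcp_options=bytes(12)),
             "tcp_payload_3": build_packet(bytes(11) + b"\x03"),
             "udp_payload_5": build_packet(bytes(11) + b"\x05", proto=17),
             "tcp_truncated": plain[:50]}                  # cut before payload byte 12
    return {name: u32_match(p, MAN_PAGE_EXAMPLE) for name, p in cases.items()}
```

The `tcp_options_payload_8` case shows why the second `@` is needed: with 12 bytes of TCP options the payload starts at offset 52, not 40, and a fixed offset would read the wrong word.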