How to recognize tinc TCP connection with iptables

Guus Sliepen guus at tinc-vpn.org
Sat Aug 31 11:31:22 CEST 2013


On Fri, Aug 30, 2013 at 10:48:59PM -0700, Nikolaus Rath wrote:

> Is there a way to reliably identify a tinc TCP connection using
> iptables?

The best way is to look at the first line of data that is sent, which is always
in the form:

0 <nodename> 17

Or with tinc 1.1:

0 <nodename> 17.X

(where X is another number).

You could check just for the two bytes "0 " at the very beginning, although
that might give a false match with other protocols.

> Looking at the iptables documentation, the u32 test seems to be very
> flexible (though the "language" of the tests is pretty unreadable):

Yes, that can be used to match the "0 ", and maybe even check that the highest
bit in the next two bytes is not set.

> The question is just, what do I have to look for? Ideally there'd be an
> easy way to recognize every tinc packet, but matching just one specific
> packet that's sent early on would probably work as well when combined
> with the netfilter connection marker.

Unfortunately after the initial authentication phase, everything is encrypted,
so there is nothing left that can identify those packets as being from tinc.

If you are running tinc on the same machine as where you are doing the
firewalling, you might also be able to match packets based on the user or group
id of the process that is responsible for generating those packets. There might
also be a way to change tinc so it sets a firewall mark on its sockets, which
can then in turn be used by iptables.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
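The u32 approach sketched above, worked through as an added example (this is not code from the post or from tinc): a small evaluator for the iptables u32 match language, run against constructed IPv4/TCP packets to show how one expression walks from the IP header to the TCP payload and tests for the "0 <nodename> 17" / "0 <nodename> 17.X" ID line, including the high-bit check on the next two bytes. The node name "alice", the destination port 655 and all packets are constructed; the node-name character set and the trailing newline on the ID line are assumptions.

```python
"""Added example, not code from the post or from tinc: a small evaluator for the
iptables "u32" match language, used to show how one u32 expression locates the
TCP payload and tests for tinc's initial ID line ("0 <nodename> 17", or
"0 <nodename> 17.X" with tinc 1.1). Every packet here is constructed."""
import re
import struct

# Constructed expression, read left to right (u32 has no operator precedence):
#   0>>22&0x3C@           IHL*4   -> origin moves to the TCP header
#   12>>26&0x3C@          doff*4  -> origin moves to the TCP payload
#   0&0xFFFF8080=0x30200000       -> payload starts with "0 " (0x30 0x20) and
#                                    the high bit of the next two bytes is clear
TINC_ID_U32 = "0>>22&0x3C@12>>26&0x3C@0&0xFFFF8080=0x30200000"

# Assumption: node names are letters, digits and underscore; the line ends in "\n".
TINC_ID_LINE = re.compile(rb"^0 [A-Za-z0-9_]+ 17(?:\.\d+)?\n")

_TOKEN = re.compile(r">>|<<|&|@|0x[0-9a-fA-F]+|\d+")


def _fetch(packet: bytes, offset: int):
    """Big-endian 32-bit word at packet[offset], or None if that runs off the end."""
    if offset < 0 or offset + 4 > len(packet):
        return None
    return struct.unpack_from("!I", packet, offset)[0]


def u32_match(packet: bytes, expr: str) -> bool:
    """Evaluate an iptables -m u32 expression against a raw IPv4 packet.

    Supported subset: tests joined by "&&"; operators ">>", "<<", "&", "@";
    "=" followed by comma-separated values or "lo:hi" ranges. A load that runs
    past the end of the packet makes the match fail, as it does in the kernel.
    """
    for test in expr.replace(" ", "").split("&&"):
        loc, _, values = test.partition("=")
        tokens = _TOKEN.findall(loc)
        origin = 0
        val = _fetch(packet, int(tokens[0], 0))
        for op, arg in zip(tokens[1::2], tokens[2::2]):
            if val is None:
                return False
            n = int(arg, 0)
            if op == ">>":
                val >>= n
            elif op == "<<":
                val = (val << n) & 0xFFFFFFFF
            elif op == "&":
                val &= n
            else:  # "@": current value becomes the new origin, arg is an offset from it
                origin += val
                val = _fetch(packet, origin + n)
        if val is None:
            return False
        ranges = [v.partition(":") for v in values.split(",")]
        if not any(int(lo, 0) <= val <= int(hi or lo, 0) for lo, _, hi in ranges):
            return False
    return True


def looks_like_tinc_id(payload: bytes) -> bool:
    """Stricter check on a (reassembled) stream: the whole ID line, not just "0 "."""
    return TINC_ID_LINE.match(payload) is not None


def tcp_packet(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Constructed IPv4/TCP segment to port 655 (checksums left at zero; u32 never reads them)."""
    ihl, doff = 20 + len(ip_options), 20 + len(tcp_options)
    assert ihl % 4 == 0 and doff % 4 == 0, "options must be padded to 4 bytes"
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + doff + len(payload),
                     0, 0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 655, 1, 1, (doff // 4) << 4, 0x18, 65535, 0, 0)
    return ip + ip_options + tcp + tcp_options + payload


if __name__ == "__main__":
    samples = [
        ("tinc 1.0 ID line", b"0 alice 17\n", b"", b""),
        ("tinc 1.1 ID line, IP and TCP options present", b"0 alice 17.0\n",
         b"\x01\x01\x01\x00", b"\x01\x01\x08\x0a" + bytes(8)),
        ("HTTP request", b"GET / HTTP/1.1\r\n", b"", b""),
        ("other protocol that also starts with '0 '", b"0 12 other\n", b"", b""),
        ("binary data after '0 '", b"0 \x80\x00", b"", b""),
        ("fewer than 4 payload bytes", b"0 ", b"", b""),
    ]
    for name, payload, ipo, tcpo in samples:
        pkt = tcp_packet(payload, ipo, tcpo)
        print("%-46s u32=%-5s full ID line=%s" % (
            name, u32_match(pkt, TINC_ID_U32), looks_like_tinc_id(payload)))
```

On a host where the rule can actually be installed, the same expression goes straight into iptables, for instance `iptables -A INPUT -p tcp --dport 655 -m u32 --u32 "0>>22&0x3C@12>>26&0x3C@0&0xFFFF8080=0x30200000" -j CONNMARK --set-mark 1` (port 655 assumed), paired with a CONNMARK restore rule so the mark carries to the encrypted segments that follow; the u32 test only fires on the one segment that carries the ID line. The "0 12 other" sample is the false match the post warns about: it passes the u32 test and is only rejected by the fuller line check, which needs the reassembled stream rather than a single packet.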