How to recognize tinc TCP connection with iptables

Nikolaus Rath Nikolaus at rath.org
Sat Aug 31 19:27:55 CEST 2013


Guus Sliepen <guus-NnCthlHDAqpg9hUCZPvPmw at public.gmane.org> writes:
> On Fri, Aug 30, 2013 at 10:48:59PM -0700, Nikolaus Rath wrote:
>
>> Is there a way to reliably identify a tinc TCP connection using
>> iptables?
>
> The best way is to look at the first line of data that is sent, which is always
> in the form:
>
> 0 <nodename> 17
>
> Or with tinc 1.1:
>
> 0 <nodename> 17.X
>
> (where X is another number).

Is <nodename> the name of the node receiving or sending the packet?

How does tinc know where the nodename ends when parsing the packet? Is
it just taking everything between "0" and the first occurrence of "17"
after that?

> You could check just for the two bytes "0 " at the very beginning, although
> that might give a false match with other protocols.
>
>> Looking at the iptables documentation, the u32 test seems to be very
>> flexible (though the "language" of the tests pretty unreadable):
>
> Yes, that can be used to match the "0 ", and maybe even check that the highest
> bit in the next two bytes is not set.

Thanks! I'll try that.

>> The question is just, what do I have to look for? Ideally there'd be an
>> easy way to recognize every tinc packet, but matching just one specific
>> packet that's sent early on would probably work as well when combined
>> with the netfilter connection marker.
>
> Unfortunately after the initial authentication phase, everything is encrypted,
> so there is nothing left that can identify those packets as being from tinc.
>
> If you are running tinc on the same machine as where you are doing the
> firewalling, you might also be able to match packets based on the user or group
> id of the process that is responsible for generating those packets. There might
> also be a way to change tinc so it sets a firewall mark on its sockets, which
> can then in turn be used by iptables.


What I want to do is be able to talk to a tinc server on port 443
(https) using just TCP, so that the client has the best possible chance
of making it through any overly restrictive firewalls imposed by some
WiFi hotspots.

However, I still want to be able to serve regular https on the same
server. Thus the idea of adding some iptables rule on the server that
identifies tinc packets and locally redirects those to the regular tinc
port (while everything else reaches the webserver as usual).

So I think as long as my rule is specific enough to distinguish tinc and
TLS, I should be good.


Best,

   -Nikolaus

-- 
 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C
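Added illustration of the matching idea discussed above (not code from this thread or from tinc): a userspace classifier for the first bytes a server sees on port 443, telling a tinc ID line apart from a TLS ClientHello. It assumes the ID line is three space-separated fields ending in a newline; the sample payloads are constructed, not captured.

```python
import re

# Constructed sample payloads: what a server on port 443 might see first from
# a tinc 1.0 client, a tinc 1.1 client, a TLS client and a plain HTTP client.
SAMPLES = {
    "tinc10": b"0 laptop 17\n",
    "tinc11": b"0 laptop 17.7\n",
    "tls":    b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",
    "http":   b"GET / HTTP/1.1\r\n",
}

# Assumption: the ID line is "0 <nodename> 17" or "0 <nodename> 17.X", fields
# separated by single spaces and terminated by a newline; node names are
# limited to letters, digits and underscore.
ID_LINE = re.compile(rb"^0 ([A-Za-z0-9_]+) (17(?:\.\d+)?)\n")

def classify(payload: bytes) -> str:
    """Classify the first TCP payload bytes as 'tls', 'tinc' or 'other'."""
    # A TLS record starts with a content type (0x16 = handshake) and major
    # version 0x03; "0 " is 0x30 0x20, so the two prefixes cannot collide.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    # Cheap prefilter matching what the thread suggests for u32: the payload
    # begins with "0 " and the high bit of neither of the next two bytes is set.
    # The same check as an iptables rule (first packet of the flow only, so it
    # must be combined with a connection mark) would be
    #   -m u32 --u32 "0>>22&0x3C@ 12>>26&0x3C@ 0>>16=0x3020"
    # where the two "@" steps skip the IP and TCP headers.
    if (payload[:2] == b"0 " and len(payload) >= 4
            and not (payload[2] | payload[3]) & 0x80
            and ID_LINE.match(payload)):
        return "tinc"
    return "other"

def parse_id(payload: bytes):
    """Return (nodename, protocol_version) from a tinc ID line, or None."""
    m = ID_LINE.match(payload)
    if not m:
        return None
    return m.group(1).decode(), m.group(2).decode()

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:7s} -> {classify(data)}")
```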