How to recognize tinc TCP connection with iptables

Nikolaus Rath Nikolaus at rath.org
Sun Sep 1 02:15:29 CEST 2013


Guus Sliepen <guus-NnCthlHDAqpg9hUCZPvPmw at public.gmane.org> writes:
> On Sat, Aug 31, 2013 at 01:05:43PM -0700, Nikolaus Rath wrote:
>
>> >> So I think as long as my rule is specific enough to distinguish tinc and
>> >> TLS, I should be good.
>> >
>> > In that case, you can just match the "0 " at the start of the connection, you
>> > don't have to look further.
>> 
>> Hmm. It seems it's a bit more complicated than that. Unless I'm
>> mistaken, a tinc client waits for the tinc server to send his greeting
>> before it sends his own.
>
> You are mistaken. Luckily, otherwise sslh wouldn't work either :)

I don't feel very comfortable contradicting tinc's very author, but I
think sslh only works because it uses a default protocol if it doesn't
get any packet by the client for a specified number of seconds. If I
don't set this default to tinc, it doesn't work.

Further evidence is that "nc -l -v -p 655" does not show any incoming
data when I try to connect to it with tinc, and all my wireshark traffic
dumps also show the server sending a message first.

I tested this with tinc 1.0.19 from Debian wheezy.


Confused,

   -Nikolaus

-- 
 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C

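The "nc -l" observation above, reproduced in code as an added example that is not part of this thread: the client connects without sending anything and reports whatever the peer sends first, then checks whether that data begins with the "0 " Guus suggested matching on. The local listener and its greeting line are constructed stand-ins for a tinc server, not tinc itself.

```python
import socket
import threading


def peer_speaks_first(host, port, timeout=2.0, nbytes=64):
    """Connect to host:port, send nothing, and wait up to `timeout`
    seconds for the server to talk.  Returns the bytes received, or
    b"" if the server stayed silent (i.e. it expects the client first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(nbytes)
        except socket.timeout:
            return b""


def looks_like_tinc_greeting(data):
    """The check proposed in the thread: a tinc ID message starts with '0 '."""
    return data.startswith(b"0 ")


def start_test_server(greeting):
    """Constructed stand-in for the experiment: a listener on 127.0.0.1 that
    sends `greeting` right after accept (or nothing if greeting is None),
    then waits briefly for the client.  Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if greeting is not None:
                conn.sendall(greeting)
            conn.settimeout(5)
            try:
                conn.recv(1)
            except socket.timeout:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed greeting in the shape of a tinc ID line, not captured traffic.
    port = start_test_server(b"0 nodename 17\n")
    first = peer_speaks_first("127.0.0.1", port)
    print("server spoke first:", first != b"", "tinc-like:", looks_like_tinc_greeting(first))
```

Pointing peer_speaks_first at a real tinc daemon's port shows directly which side greets first on that version.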