How to recognize tinc TCP connection with iptables

Nikolaus Rath Nikolaus at rath.org
Sun Sep 1 02:26:17 CEST 2013


Nikolaus Rath <Nikolaus at rath.org> writes:
> Guus Sliepen <guus-NnCthlHDAqpg9hUCZPvPmw at public.gmane.org> writes:
>> On Sat, Aug 31, 2013 at 01:05:43PM -0700, Nikolaus Rath wrote:
>>
>>> >> So I think as long as my rule is specific enough to distinguish tinc and
>>> >> TLS, I should be good.
>>> >
>>> > In that case, you can just match the "0 " at the start of the connection, you
>>> > don't have to look further.
>>> 
>>> Hmm. It seems it's a bit more complicated than that. Unless I'm
>>> mistaken, a tinc client waits for the tinc server to send its greeting
>>> before it sends its own.
>>
>> You are mistaken. Luckily, otherwise sslh wouldn't work either :)
>
> I don't feel very comfortable contradicting tinc's very author, but I
> think sslh only works because it uses a default protocol if it doesn't
> get any packet by the client for a specified number of seconds. If I
> don't set this default to tinc, it doesn't work.
>
> Further evidence is that "nc -l -v -p 655" does not show any incoming
> data when I try to connect to it with tinc, and all my wireshark traffic
> dumps also show the server sending a message first.
>
> I tested this with tinc 1.0.19 from Debian wheezy.

Here's the actual test:

On the client:

# tincd -n rath -D -d 4
tincd 1.0.19 (Apr 22 2013 21:45:36) starting, debug level 1
/dev/net/tun is a Linux tun/tap device (tun mode)
Listening on 0.0.0.0 port 656
Listening on :: port 656
Ready
Trying to connect to sunshine (23.92.25.96 port 443)
Timeout from sunshine (23.92.25.96 port 443) during authentication
Trying to connect to sunshine (2600:3c01::f03c:91ff:fe69:db07 port 443)
2600:3c01::f03c:91ff:fe69:db07 port 443: Network is unreachable
Could not set up a meta connection to sunshine
Trying to re-establish outgoing connection in 5 seconds
Got TERM signal
Statistics for Linux tun/tap device (tun mode) /dev/net/tun:
 total bytes in:           0
 total bytes out:          0
Closing connection with sunshine (23.92.25.96 port 443)
Closing connection with vostro (MYSELF)
Terminating

On the server:

# nc -l -v -p 443
listening on [any] 443 ...
connect to [23.92.25.96] from ip68-5-174-57.oc.oc.cox.net [68.5.174.57] 43506


But if I reply manually, I get:

(server)
# nc -l -v -p 443
listening on [any] 443 ...
0 sunshine 17
connect to [23.92.25.96] from ip68-5-174-57.oc.oc.cox.net [68.5.174.57] 43512
0 vostro 17

(client)
[...]
Trying to connect to sunshine (23.92.25.96 port 443)
Connected to sunshine (23.92.25.96 port 443)
Unauthorized request from sunshine (23.92.25.96 port 443)
Closing connection with sunshine (23.92.25.96 port 443)
[...]


Best,

   -Nikolaus

-- 
 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C
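The exchange shown in the test above (the listening side sends `0 sunshine 17` first; the connecting side answers `0 vostro 17` only after it has received that) is what an iptables or sslh rule has to be built around, so here is an added example, not code from the original post or from the tinc project, of a small probe that connects to a port, stays silent for a while to see whether the peer speaks first, and checks whether the greeting has the `0 <name> <version>` shape seen in the post. The fake server in the block is constructed to replay the greeting observed in the post so that the script runs offline; the node name `probe`, the function names `fake_tinc_server` and `probe_peer`, and the timeouts are assumptions, not anything tinc defines.

```python
"""Probe a TCP peer: does it speak first, and does its greeting look like
the "0 <name> <protocol_version>" line seen in the post?

Added example, not code from the original post or from tinc.  The fake
server below is constructed to replay the observed greeting "0 sunshine 17"
so the probe can run without a real tinc daemon.
"""
import re
import socket
import threading

# Shape of the first line each side sent in the post: request number 0,
# a node name, then the protocol version (17 in the captured exchange).
ID_LINE = re.compile(rb"^0 ([A-Za-z0-9_]+) (\d+)$")


def parse_id_line(line: bytes):
    """Return (name, version) for an ID-shaped line, else None."""
    m = ID_LINE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    return m.group(1).decode("ascii"), int(m.group(2))


def read_line(sock, timeout):
    """Read up to one newline-terminated line; b"" if the peer stays silent
    (or closes) within `timeout` seconds."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not buf.endswith(b"\n") and len(buf) < 256:
            chunk = sock.recv(1)
            if not chunk:          # peer closed the connection
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf


def probe_peer(host, port, our_name="probe", timeout=2.0):
    """Connect, say nothing, and record whether the peer greets us first.

    Afterwards send an ID line of our own (as the client in the post did
    once the server had greeted it) and capture whatever comes back.
    """
    result = {"server_spoke_first": False, "server_id": None, "reply": b""}
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = read_line(s, timeout)          # listen only
        if greeting:
            result["server_spoke_first"] = True
            result["server_id"] = parse_id_line(greeting)
        s.sendall(b"0 %s 17\n" % our_name.encode("ascii"))
        result["reply"] = read_line(s, timeout)
    return result


def fake_tinc_server(greeting=b"0 sunshine 17\n", speak_first=True):
    """Constructed stand-in for the listening side: optionally greets as
    soon as the connection is accepted, reads one line from the client,
    then closes.  Returns (port, list_that_receives_the_client_line)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            if speak_first:
                conn.sendall(greeting)
            received.append(read_line(conn, 5.0))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], received


if __name__ == "__main__":
    port, got = fake_tinc_server()
    print(probe_peer("127.0.0.1", port), got)
```

If `server_spoke_first` comes back true, a rule that inspects the client's first packet has nothing to match, which is exactly what the `nc -l` test in the post shows; sslh's fallback to a default protocol after a timeout, as the post notes, is what makes it work in that situation. Point the probe at a real listener (replace the fake server with the host and port of your tinc daemon) to check which side speaks first for the version you run.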

