Hello,

Is there a way to reliably identify a tinc TCP connection using iptables?

Looking at the iptables documentation, the u32 test seems to be very flexible (though the "language" of the tests is pretty unreadable):

   u32
       U32 tests whether quantities of up to 4 bytes extracted from a packet have specified values. The specification of what to extract is general enough to find data at given offsets from tcp headers or payloads.
       [...]
       Example: TCP payload bytes 8-12 is any of 1, 2, 5 or 8
       First we test that the packet is a tcp packet (similar to ICMP).
           --u32 "6 & 0xFF = 6 && ...
       Next, test that it is not a fragment (same as above).
           ... 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"
       0>>22&3C as above computes the number of bytes in the IP header. @ makes this the new offset into the packet, which is the start of the TCP header. The length of the TCP header (again in 32 bit words) is the left half of byte 12 of the TCP header. The 12>>26&3C computes this length in bytes (similar to the IP header before). "@" makes this the new offset, which is the start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and = checks whether the result is any of 1, 2, 5 or 8.

The question is just, what do I have to look for? Ideally there'd be an easy way to recognize every tinc packet, but matching just one specific packet that's sent early on would probably work as well when combined with the netfilter connection marker.

Thanks for this great piece of software!

-Nikolaus

-- 
"Time flies like an arrow, fruit flies like a Banana."

PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C
On Fri, Aug 30, 2013 at 10:48:59PM -0700, Nikolaus Rath wrote:

> Is there a way to reliably identify a tinc TCP connection using
> iptables?

The best way is to look at the first line of data that is sent, which is always in the form:

0 <nodename> 17

Or with tinc 1.1:

0 <nodename> 17.X

(where X is another number). You could check just for the two bytes "0 " at the very beginning, although that might give a false match with other protocols.

> Looking at the iptables documentation, the u32 test seems to be very
> flexible (though the "language" of the tests pretty unreadable):

Yes, that can be used to match the "0 ", and maybe even check that the highest bit in the next two bytes is not set.

> The question is just, what do I have to look for? Ideally there'd be an
> easy way to recognize every tinc packet, but matching just one specific
> packet that's sent early on would probably work as well when combined
> with the netfilter connection marker.

Unfortunately after the initial authentication phase, everything is encrypted, so there is nothing left that can identify those packets as being from tinc.

If you are running tinc on the same machine as where you are doing the firewalling, you might also be able to match packets based on the user or group id of the process that is responsible for generating those packets.

There might also be a way to change tinc so it sets a firewall mark on its sockets, which can then in turn be used by iptables.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
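One concrete form of the u32 match Guus describes, as an added example that is not from this thread or from tinc: the expression chains the man page's TCP and not-a-fragment tests with a check that the first four payload bytes are "0 " followed by two bytes with the high bit clear, and a small evaluator of the u32 mini-language runs it against constructed IPv4/TCP packets. The mangle table, PREROUTING chain and CONNMARK value in the rule are assumptions.

```python
import struct

# Added example, not from the thread. The expression encodes Guus's hint:
# TCP, not a fragment, and the first 4 payload bytes are "0 " followed by
# two bytes with the high bit clear (start of the "0 <nodename> 17" line).
TINC_ID_U32 = ("6 & 0xFF = 6 && 4 & 0x3FFF = 0 && "
               "0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 0 & 0xFFFF8080 = 0x30200000")

# Rule as it would be loaded (assumed table/chain/mark); CONNMARK tags the flow.
IPTABLES_RULE = ('iptables -t mangle -A PREROUTING -p tcp -m u32 --u32 '
                 f'"{TINC_ID_U32}" -j CONNMARK --set-mark 0x1')


def _load(pkt, off):
    """4-byte big-endian load; u32 fails the test when it runs past the end."""
    return struct.unpack_from("!I", pkt, off)[0] if off + 4 <= len(pkt) else None


def u32_match(expr, pkt):
    """Evaluate a u32 expression (&, <<, >>, @, =, &&) on a raw IPv4 packet."""
    for test in expr.split("&&"):
        loc, _, values = test.partition("=")
        tok = loc.split()
        at, val = 0, _load(pkt, int(tok[0], 0))  # offsets start at the IP header
        for op, num in zip(tok[1::2], tok[2::2]):
            if val is None:
                return False
            num = int(num, 0)
            if op == "&":
                val &= num
            elif op == ">>":
                val >>= num
            elif op == "<<":
                val = (val << num) & 0xFFFFFFFF
            elif op == "@":  # the value becomes the new base offset
                at += val
                val = _load(pkt, at + num)
        if val is None:
            return False
        ranges = [r.partition(":") for r in values.split(",")]
        if not any(int(lo, 0) <= val <= int(hi or lo, 0) for lo, _, hi in ranges):
            return False
    return True


def tcp_packet(payload, proto=6, frag=0):
    """Constructed IPv4 + TCP packet with 20-byte headers (sample input only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, frag, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 655, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload
```

Only the packet carrying the ID line matches, so the rest of the connection is picked up through the conntrack mark (for example with -m connmark --mark 0x1); a payload shorter than four bytes never matches, because u32 fails any load that runs past the end of the packet.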