How to recognize tinc TCP connection with iptables

Nikolaus Rath Nikolaus at rath.org
Sat Aug 31 07:48:59 CEST 2013


Hello,

Is there a way to reliably identify a tinc TCP connection using
iptables?

Looking at the iptables documentation, the u32 test seems to be very
flexible (though the "language" of the tests is pretty unreadable):

   u32
       U32  tests  whether quantities of up to 4 bytes extracted from a packet have specified val‐
       ues. The specification of what to extract is general enough to find data at  given  offsets
       from tcp headers or payloads.
[...]

       Example:

              TCP payload bytes 8-12 is any of 1, 2, 5 or 8

              First we test that the packet is a tcp packet (similar to ICMP).

              --u32 "6 & 0xFF = 6 && ...

              Next, test that it is not a fragment (same as above).

               ... 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"

              0>>22&3C  as  above  computes the number of bytes in the IP header. @ makes this the
              new offset into the packet, which is the start of the TCP header. The length of  the
              TCP  header  (again  in 32 bit words) is the left half of byte 12 of the TCP header.
              The 12>>26&3C computes this length in bytes (similar to the IP header  before).  "@"
              makes  this  the new offset, which is the start of the TCP payload. Finally, 8 reads
              bytes 8-12 of the payload and = checks whether the result is any of 1, 2, 5 or 8.

The question is just, what do I have to look for? Ideally there'd be an
easy way to recognize every tinc packet, but matching just one specific
packet that's sent early on would probably work as well when combined
with the netfilter connection marker.



Thanks for this great piece of software!


   -Nikolaus

-- 
 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C
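The u32 walk described in the quoted man page, as an added example that is not part of the original post or of tinc: a small Python evaluator for that expression grammar, run against a constructed IPv4/TCP packet. The packet builder, the payload values and `MANPAGE_EXPR` (the man page's example with its elided fragment test, `4 & 0x3FFF = 0`, spelled out) are all constructed for this example; nothing here depends on tinc's actual wire format, which the thread does not describe.

```python
import re
import struct

# Tokens of the u32 "language" from the iptables-extensions man page:
# numbers (decimal or 0x-hex), the accumulator operators & << >> @, the
# comparison =, the value-list separators , and :, and the test joiner &&.
_TOKEN_RE = re.compile(r"\s*(0x[0-9a-fA-F]+|\d+|<<|>>|&&|&|@|=|,|:)")


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _num(tok):
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


class _NoMatch(Exception):
    """A read past the end of the packet: the kernel reports 'no match'."""


def u32_match(packet, expr):
    """Evaluate a u32 expression against a raw IPv4 packet (bytes).

    Each test starts at offset 0 and reads the 4 bytes at its first number;
    '&', '<<', '>>' transform the 32-bit accumulator; '@' adds the accumulator
    to the running offset and reads 4 bytes at offset + number; '=' compares
    against a list of values or lo:hi ranges; '&&' requires every test to hold.
    """
    tokens = tokenize(expr)

    def read32(at):
        if at < 0 or at + 4 > len(packet):
            raise _NoMatch
        return struct.unpack("!I", packet[at:at + 4])[0]

    i = 0
    try:
        while True:
            at = 0
            val = read32(at + _num(tokens[i]))
            i += 1
            while i < len(tokens) and tokens[i] in ("&", "<<", ">>", "@"):
                op, n = tokens[i], _num(tokens[i + 1])
                i += 2
                if op == "&":
                    val &= n
                elif op == "<<":
                    val = (val << n) & 0xFFFFFFFF
                elif op == ">>":
                    val >>= n
                else:  # '@': the accumulator becomes the start of the next header
                    at += val
                    val = read32(at + n)
            if i >= len(tokens) or tokens[i] != "=":
                raise ValueError("expected '=' after location")
            i += 1
            ranges = []
            while True:  # value list: a or a:b, separated by commas
                lo = hi = _num(tokens[i])
                i += 1
                if i < len(tokens) and tokens[i] == ":":
                    hi = _num(tokens[i + 1])
                    i += 2
                ranges.append((lo, hi))
                if i < len(tokens) and tokens[i] == ",":
                    i += 1
                    continue
                break
            if not any(lo <= val <= hi for lo, hi in ranges):
                return False
            if i == len(tokens):
                return True
            if tokens[i] != "&&":
                raise ValueError("expected '&&' between tests")
            i += 1
    except _NoMatch:
        return False


def build_ipv4_tcp(payload, proto=6, tcp_hdr_len=20, frag=0):
    """Constructed sample packet: 20-byte IPv4 header, TCP header, payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_hdr_len + len(payload),
                     0x1234, frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 655, 1, 0, (tcp_hdr_len // 4) << 4, 0x18, 512, 0, 0)
    return ip + tcp + b"\x00" * (tcp_hdr_len - 20) + payload


# The man page's own expression, with the elided fragment test spelled out.
MANPAGE_EXPR = ("6 & 0xFF = 6 && 4 & 0x3FFF = 0 && "
                "0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8")
# Constructed payloads: bytes 8-11 hold the 32-bit value the last test inspects.
PAYLOAD_5 = b"\x00" * 8 + struct.pack("!I", 5) + b"rest"
PAYLOAD_7 = b"\x00" * 8 + struct.pack("!I", 7) + b"rest"

if __name__ == "__main__":
    for name, pkt in [("value 5", build_ipv4_tcp(PAYLOAD_5)),
                      ("value 7", build_ipv4_tcp(PAYLOAD_7)),
                      ("UDP", build_ipv4_tcp(PAYLOAD_5, proto=17)),
                      ("TCP options", build_ipv4_tcp(PAYLOAD_5, tcp_hdr_len=24))]:
        print(f"{name:12s} -> {u32_match(pkt, MANPAGE_EXPR)}")
```

Two things the evaluator makes visible that the man page only states: the two `@` steps follow the IP header length and the TCP data offset, so the payload test still lands on the right bytes when either header carries options; and a read that runs past the end of the packet is simply "no match", which is why a payload match on a short or fragmented packet silently fails and why the fragment test belongs in front of it.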

