
Read packet from tun

Open bastien-roucaries opened this issue 5 years ago • 2 comments

Hi,

Would it be possible to read packets from a tun device?

The idea is to drop root privilege by using something like:

```sh
# create a persistent tun device owned by the unprivileged fwknop user
ip tuntap add dev fwknop0 mode tun user fwknop group fwknop
ip addr replace 192.168.20.1 dev fwknop0
# bring the device up (needed before it passes traffic; not in the original sequence)
ip link set fwknop0 up
# clone every inbound TCP/80 packet toward the tun subnet.
# NOTE: TEE routes the clone to --gateway via the routing table, so the clone only
# leaves on fwknop0 if the gateway is a non-local address routed through fwknop0.
iptables -t mangle -A PREROUTING -i wan -p TCP --dport 80 -j TEE --gateway 192.168.20.1
```

Then, by reading the tun device fwknop0, we could get the packet as an unprivileged user.

Moreover, we could use `--match hashlimit` in order to limit the packets per second received by this interface, hardening fwknop.

I could implement it if needed.

bastien-roucaries, Apr 04 '20 16:04

It could be simpler using forwarding (no need to use TEE):

```sh
# persistent tun device owned by the unprivileged fwknop user
ip tuntap add dev fwknop0 mode tun user fwknop group fwknop
ip addr replace 192.168.2.1 dev fwknop0
ip link set fwknop0 up
# route the tun subnet over the device so DNATed packets are forwarded into it
ip route add 192.168.2.0/24 dev fwknop0
# rewrite inbound TCP/80 to an address inside the tun subnet
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
# accept the forwarded flow toward the DNAT target
iptables -A FORWARD -p tcp -d 192.168.2.2 --dport 80 -j ACCEPT
```

bastien-roucaries, Apr 04 '20 19:04
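Whichever redirection feeds the device (the TEE clone from the issue body or the DNAT forward from the comment above), the unprivileged side of the design is the same: attach to the persistent tun, read raw IP packets, pull out the TCP payload, and apply a per-source rate limit as a userspace counterpart to the `hashlimit` idea. The following is an added example, not fwknop's own code; it assumes a persistent tun named `fwknop0` created with `ip tuntap add ... user fwknop group fwknop` and that the process can open `/dev/net/tun`. The sample packet is constructed inline (checksums left at zero) so the parsing and rate-limiting parts run offline without a tun device.

```python
import fcntl
import os
import socket
import struct
import time

# Linux tun/tap constants from <linux/if_tun.h>.
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001      # layer-3 device: reads return raw IP packets
IFF_NO_PI = 0x1000    # not set below, so each read carries a 4-byte packet-info header
ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def open_tun(name="fwknop0"):
    """Attach to an existing, persistent tun device (assumed name fwknop0).
    Because `ip tuntap add ... user fwknop` made that user the owner, attaching
    needs no capability, only read/write access to /dev/net/tun."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    ifr = struct.pack("16sH22x", name.encode(), IFF_TUN)  # struct ifreq, 40 bytes
    fcntl.ioctl(fd, TUNSETIFF, ifr)
    return fd


def parse_tun_frame(frame):
    """One read() from a tun fd opened without IFF_NO_PI:
    2-byte flags, 2-byte EtherType (network order), then the IP packet.
    Returns a dict for IPv4/TCP, None for anything else."""
    if len(frame) < 4:
        raise ValueError("short tun frame")
    _flags, proto = struct.unpack("!HH", frame[:4])
    if proto != ETH_P_IP:
        return None
    return parse_ipv4_tcp(frame[4:])


def parse_ipv4_tcp(pkt):
    """Minimal IPv4 + TCP header walk; checksums are not verified here because
    the kernel already validated the IP header before routing the packet."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if proto != IPPROTO_TCP:
        return None
    tcp = pkt[ihl:min(total_len, len(pkt))]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(tcp) < data_off:
        raise ValueError("bad TCP data offset")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}


class SourceRateLimiter:
    """Per-source token bucket: a userspace analogue of `-m hashlimit` keyed
    on the source address, so one sender cannot flood the reader."""

    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock, self.buckets = rate_per_sec, burst, clock, {}

    def allow(self, key):
        now = self.clock()
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def build_sample_frame(src="203.0.113.5", dst="192.168.20.1", sport=40000,
                       dport=80, payload=b"constructed SPA payload"):
    """Constructed test input: a tun frame carrying IPv4/TCP with the given payload."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!HH", 0, ETH_P_IP) + ip + tcp


def read_loop(fd, limiter, handler):
    """Unprivileged reader: drop non-TCP/IPv4 and rate-limited sources, hand the rest on."""
    while True:
        info = parse_tun_frame(os.read(fd, 65535))
        if info is None or not limiter.allow(info["src"]):
            continue
        handler(info)


if __name__ == "__main__":
    # Real use: read_loop(open_tun("fwknop0"), SourceRateLimiter(5, 10), print)
    print(parse_tun_frame(build_sample_frame()))
```

The reader never needs CAP_NET_RAW or CAP_NET_ADMIN: the device ownership set at creation time is what grants access, and the rate limiter bounds how much work one source can force on the process.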

For BSD, a dup-to rule will work with tun.

bastien-roucaries, Apr 12 '20 16:04