ch8-mget: Add iptables rules to workaround default DROP rules
Hi!
The project of "ch8-mget" wasn't working for me. Basically, the process was hanging on the SYN_SENT TCP connection state. After some investigation, I've found 2 rules that the official documentation suggests adding for some distros: https://github.com/smoltcp-rs/smoltcp#hosted-usage-examples
I'm using Linux Mint 20.2 Cinnamon, 5.0.7, kernel 5.4.0-137-generic. After these rules were added, execution has worked as expected.
Many thanks!
Golden. Thanks a lot. I came looking to fix this exact problem and this works like a charm.
After the following script for tap-rust creation:
set +x
# to create TAP device
sudo \
  ip tuntap \
  add \
  mode tap \
  name tap-rust \
  user "$USER"
# to confirm that tap-rust device was added
# ip tuntap list
# allocate IP address for TAP and tell system to forward packets to it
# establish a network device called tap-rust and activates it
sudo ip link set tap-rust up
# assigns the IP address 192.168.42.100 to the device
sudo ip addr add 192.168.42.100/24 dev tap-rust
# enables internet packets to reach the source IP address mask (-s 192.168.42.0/24)
# by appending a rule (-A POSTROUTING) that dynamically maps IP addresses to a device
# (-j MASQUERADE)
sudo iptables \
  -t nat \
  -A POSTROUTING \
  -s 192.168.42.0/24 \
  -j MASQUERADE
# instructs the kernel to enable IPv4 packet forwarding
sudo sysctl net.ipv4.ip_forward=1
# Some distros have a default policy of DROP. This allows the traffic.
sudo iptables -A FORWARD -i tap-rust -s 192.168.42.100/24 -j ACCEPT
sudo iptables -A FORWARD -o tap-rust -d 192.168.42.100/24 -j ACCEPT
And with additional logging to the console, I was able to get an HTTP/1.0 301 Moved Permanently response.
Log:
cargo run -- "http://www.rustinaction.com" tap-rust
Finished dev [unoptimized + debuginfo] target(s) in 0.04s
warning: the following packages contain code that will be rejected by a future version of Rust: smoltcp v0.6.0
note: to see what the problems were, use the option `--future-incompat-report`, or run `cargo report future-incompatibilities --id 1`
Running `target/debug/ch8-mget 'http://www.rustinaction.com' tap-rust`
ip address response from 1.1.1.1 dns: 35.185.44.232
mac address 8e-79-0c-6d-09-2a
polling, current state: Connect
error: Malformed
socket: is_active: false, may_send: false, can_recv: false, may_recv: false
connecting
polling, current state: Request
error: Malformed
socket: is_active: true, may_send: false, can_recv: false, may_recv: false
polling, current state: Request
socket: is_active: true, may_send: false, can_recv: false, may_recv: false
polling, current state: Request
socket: is_active: true, may_send: false, can_recv: false, may_recv: false
polling, current state: Request
socket: is_active: true, may_send: false, can_recv: false, may_recv: false
polling, current state: Request
socket: is_active: true, may_send: false, can_recv: false, may_recv: false
polling, current state: Request
error: Malformed
socket: is_active: true, may_send: false, can_recv: false, may_recv: false
polling, current state: Request
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
sending request
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: true, may_recv: true
HTTP/1.0 301 Moved Permanently
content-type: text/html; charset=utf-8
location: https://www.rustinaction.com/
permissions-policy: interest-cohort=()
vary: Origin
date: Fri, 30 Jun 2023 15:21:35 GMT
content-length: 64
<a href="https://www.rustinaction.com/">Moved Permanently</a>.
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
Unrecognized
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
Unrecognized
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
Unrecognized
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
Unrecognized
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: true
polling, current state: Response
socket: is_active: true, may_send: true, can_recv: false, may_recv: false
received complete response
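The NAT and FORWARD rules from this thread, wrapped so that they can be applied without duplicates and removed again when the TAP device is no longer needed. This is an added example, not part of the pull request or of any comment above; the function names and the `DRY_RUN` switch are this example's own, while the device name and subnet are the ones used in the script.

```shell
#!/bin/sh
# Added example: idempotent apply/remove for the tap-rust iptables rules.
# Device and subnet come from the thread; everything else is hypothetical.
TAP_DEV="${TAP_DEV:-tap-rust}"
TAP_NET="${TAP_NET:-192.168.42.0/24}"  # network address written out explicitly
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = run them

# One rule per line: <table> <chain> <rule spec ...>
tap_rules() {
  printf '%s\n' \
    "nat POSTROUTING -s $TAP_NET -j MASQUERADE" \
    "filter FORWARD -i $TAP_DEV -s $TAP_NET -j ACCEPT" \
    "filter FORWARD -o $TAP_DEV -d $TAP_NET -j ACCEPT"
}

# Print the command in dry-run mode, otherwise execute it through sudo.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    sudo "$@" </dev/null
  fi
}

# Append each rule only when `iptables -C` reports that it is absent,
# so repeated runs do not stack duplicate ACCEPT/MASQUERADE entries.
tap_apply() {
  tap_rules | while read -r table chain spec; do
    # $spec is intentionally unquoted: it holds several iptables arguments.
    if [ "$DRY_RUN" = 1 ] ||
       ! sudo iptables -t "$table" -C "$chain" $spec </dev/null 2>/dev/null
    then
      run iptables -t "$table" -A "$chain" $spec
    fi
  done
}

# Delete the same rules so the host stops forwarding and NATing for the subnet.
tap_remove() {
  tap_rules | while read -r table chain spec; do
    run iptables -t "$table" -D "$chain" $spec
  done
}

case "${1:-}" in
  apply)  tap_apply ;;
  remove) tap_remove ;;
esac
```

With `DRY_RUN=1` (the default) the script only prints the `iptables` commands it would run; `net.ipv4.ip_forward` is left untouched because other software on the host may depend on it.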