mrash / fwknop

Single Packet Authorization > Port Knocking
http://www.cipherdyne.org/fwknop/
GNU General Public License v2.0

Read packet from tun #310

Status: Open. bastien-roucaries opened this issue 4 years ago.

bastien-roucaries commented 4 years ago

Hi,

Would it be possible to read packets from a tun device?

The idea is to drop root privileges by using something like:

```shell
ip tuntap add dev fwknop0 mode tun user fwknop group fwknop
ip addr replace 192.168.20.1 dev fwknop0
iptables -t mangle -A PREROUTING -i wan -p TCP --dport 80 -j TEE --gateway 192.168.20.1
```

Then, by reading the tun device fwknop0, we could get the packets as an unprivileged user.

Moreover, we could use --match hashlimit in order to limit the packets per second received by this interface, hardening fwknop.

I could implement it if needed

bastien-roucaries commented 4 years ago

It could be simpler using forwarding (no need to use TEE):

```shell
ip tuntap add dev fwknop0 mode tun user fwknop group fwknop
ip addr replace 192.168.2.1 dev fwknop0
ip link set fwknop0 up
ip route add 192.168.2.0/24 dev fwknop0
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
# destination must match the DNAT target above
iptables -A FORWARD -p tcp -d 192.168.2.2 --dport 80 -j ACCEPT
```

bastien-roucaries commented 4 years ago

For BSD, a dup-to rule will work with tun.