wangyu- / udp2raw

A Tunnel which Turns UDP Traffic into Encrypted UDP/FakeTCP/ICMP Traffic by using Raw Socket, helps you Bypass UDP FireWalls (or Unstable UDP Environment)
MIT License

[Feature request] Pass non-decrypted packets to TCP server #393

Open burbilog opened 3 years ago

burbilog commented 3 years ago

Right now it's trivial to detect faketcp -- just try to telnet to the "tcp" port and there is no response at all. Aggressive firewalls may try to use that to block such connections (I know that such filtering will break a lot of legitimate things, but some governments won't care about that). Here is an idea: add an option like --pass-through ip:port and send all unrecognized non-faketcp packets to that ip:port and send back responses.

It could work as a transparent frontend for a regular nginx or apache server, so anybody trying to investigate will see a normal web page.

Handsome1080P commented 2 years ago

In fact, Udp2raw needs to stop packets from going into the Linux kernel, so it needs to DROP the port in the filter table. So you can use DNAT to forward the Udp2raw port to another port which has a real TCP service running. Just try.

burbilog commented 2 years ago

> In fact, Udp2raw needs to stop packets from going into the Linux kernel, so it needs to DROP the port in the filter table. So you can use DNAT to forward the Udp2raw port to another port which has a real TCP service running. Just try.

Can you be more specific?

My udp2raw is listening on port 8443 and SSL nginx is on port 443; 172.16.172.115 is my VM's IP address. I tried this DNAT rule, but it breaks udp2raw:

-A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT --to-destination 172.16.172.115:443

With this rule I can point a browser to https://172.16.172.115:8443 and it shows my SSL nginx page just fine. But the udp2raw tunnel does not work with that rule. If I remove it from iptables then udp2raw works OK again and I can use my VPN.