From 35ea3c7f635fc727cdeda8acf84a96fa8b8fac6a Mon Sep 17 00:00:00 2001 From: Andrea Bittau Date: Sun, 21 Feb 2016 11:03:33 -0800 Subject: [PATCH] simplify instructions --- INSTALL-Linux.markdown | 101 +---------------------------------------- README.markdown | 17 ++----- 2 files changed, 4 insertions(+), 114 deletions(-) diff --git a/INSTALL-Linux.markdown b/INSTALL-Linux.markdown index ca3111c..86017de 100644 --- a/INSTALL-Linux.markdown +++ b/INSTALL-Linux.markdown @@ -86,103 +86,4 @@ iptables firewall setup ======================= The included `launch_tcpcryptd.sh` script adds iptable rules to divert all TCP -traffic -- *except* that which is already encrypted, like SSH -- to tcpcryptd. -Read on only for more complex firewall setups. - -The naive way to use tcpcryptd: - - iptables -A OUTPUT -p tcp -j NFQUEUE --queue-num 666 - iptables -A INPUT -p tcp -j NFQUEUE --queue-num 666 - -This will apply tcpcrypt to all locally destined (or generated) TCP packets. -This will work, but you'll run into problems #1 and #2, which may not be -problems if you don't have a firewall or nat setup. - -For testing on your local machine, you can restrict tcpcrypt to the loopback interface: - - iptables -A OUTPUT -p tcp -o lo -j NFQUEUE --queue-num 666 - iptables -A INPUT -p tcp -i lo -j NFQUEUE --queue-num 666 - -Or, to run tcpcrypt only on port 80, use this (taken from launch_tcpcryptd.sh): - - iptables -A OUTPUT -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 666 - iptables -A INPUT -p tcp -m tcp --sport 80 -j NFQUEUE --queue-num 666 - -To restore your iptables rules to their previous state, you can remove rules by -replacing `-A` (append) with `-D` (delete) in the above commands. - -The following instructions apply to using tcpcrypt on firewall/gateway boxes. - -Linux firewall setup is more challenging than on FreeBSD for two reasons. - - 1. In FreeBSD, after a packet is diverted, the divert daemon can drop the - packet, or accept it. In the latter case, firewall processing continues - from the next rule. So basically natd will get a chance to run, and other - firewall rules. It's a pipeline. On Linux, you can either accept or drop - the packet, which ignores the rest of the firewall. - - 2. In FreeBSD, you can easily order tcpcryptd, then natd, because they're - both in userland, and both use divert, and the whole firewall is a - pipeline. On Linux natd is IP connection tracking in the kernel, which is - used for stateful firewalls too. We gotta make tcpcryptd run BEFORE - conntrack. - -To make tcpcrypt work the "proper" way, making sure that nat and stateful -firewalls (e.g., -m state --state ESTABLISHED) work: - - iptables -t raw -A PREROUTING -p tcp -j NFQUEUE --queue-num 666 - iptables -t mangle -A POSTROUTING -p tcp -j NFQUEUE --queue-num 666 - -This will apply tcpcrypt to all TCP packets entering and exiting the box, -including forwarded packets. Note that this setup will respect firewall -rules in other tables but terminate those in the raw and mangle tables. In -short, your firewall rules in the filter table and nat table (those that you -probably care about most) will work. You'll get caught by problem #1 though. - -To make tcpcrypt work the elite way, making sure that all firewall rules are -obeyed and conntrack isn't confused: - - iptables -t raw -N tcpcrypt - iptables -t raw -A tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666 - iptables -t raw -I PREROUTING -j tcpcrypt - - iptables -t mangle -N tcpcrypt - iptables -t mangle -A tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666 - iptables -t mangle -I POSTROUTING -j tcpcrypt - -And launch `tcpcryptd` with `-x 0x10` - -This example is like before, but will create a chain with only the tcpcrypt -rule, which will run only if a packet is unmarked. When tcpcryptd needs to -accept a packet, rather than passing a verdict of ACCEPT, which terminates -all rule processing, it will pass a verdict of REPEAT, which restarts -processing at the current chain. To avoid loops, it will also mark the -packet so that the rule to divert will be matched only once. Effectively the -first time round real work will be done, and the second time round we -"return" to process the other rules. - -Note that you can make tcpcryptd work transparently on forwarded traffic, and -even in conjunction with NAT. You can pretend that the Internet is -tcpcrypted. Lets say eth0 is your LAN. You can do something like: - -[create the tcpcrypt chains as explained earlier.] - - iptables -t raw -A PREROUTING -i eth0 -j tcpcrypt - iptables -t mangle -A POSTROUTING -o eth0 -j tcpcrypt - -tcpcryptd will see all incoming traffic from eth0 and make it look like -standard TCP to the outside world, and will then tcpcrypt all the responses -coming back to eth0. There's one caveat though when using it in conjunction -with NAT (conntrack). tcpcryptd forges a packet (the INIT2) and this -confuses conntrack as it thinks it's a new connection and it changes the -source port. You therefore need to add: - - iptables -t raw -A OUTPUT -o eth0 -j NOTRACK - -i.e., all locally generated traffic (the forged packet from tcpcryptd) should -not be natted. In fact I don't even know why it is being natted (maybe a -bug). Of course you need to setup nat with something like: - - iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4 - -where eth1 is your Internet interface and 1.2.3.4 your Internet static IP. +traffic port 80 to tcpcryptd. See src/iptables.sh for details. diff --git a/README.markdown b/README.markdown index e9ddd17..e718021 100644 --- a/README.markdown +++ b/README.markdown @@ -23,9 +23,9 @@ Installing tcpcrypt sudo ./launch_tcpcryptd.sh The launch script starts tcpcryptd and adds firewall rules to divert all TCP -traffic -- *except* that which is already encrypted, like SSH -- to tcpcryptd. -When the script exits (on Ctrl-C or `kill`), it restores your firewall config -to its former state -- *no permanent changes are made*. +traffic on port 80 to tcpcryptd. When the script exits (on Ctrl-C or `kill`), +it restores your firewall config to its former state -- *no permanent changes +are made*. On Linux, you must first install libnfnetlink, libnetfilter_queue, and libcap. @@ -48,17 +48,6 @@ reloading the URL above. Compare this tcpdump output, which appears encrypted (or at least unreadable), with the cleartext packets you would see without tcpcryptd running. -A final netcat example: - - sudo ./launch_tcpcryptd.sh & - nc -l 7777 & - sudo tcpdump -i lo -n -s0 -vvvv -X tcp port 7777 & - echo hello, world! | nc localhost 7777 - - # clean up - sudo killall tcpcryptd tcpdump - - Troubleshooting ---------------