tcpcryptで動作するようにiptablesを構成する方法は？

Question

背景

OS：VirtualBoxで実行されているUbuntu 16.04 x64

私はUbuntu/Linuxの最低限の知識を持つ開発者であり、特定のエンドポイントと通信するときに tcpcrypt を利用することが目標であるプロジェクトに割り当てられています。

tcpcryptには、encrpt/decryptのためにパケットをtcpcryptにルーティングするためにiptablesに必要なエントリを設定するシェルスクリプトが付属しています。このスクリプトの実行後、iptablesは次のようになります。

フィルター

Chain INPUT (policy ACCEPT 4 packets, 552 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- lo any anywhere anywhere tcp dpt:65530 tos match0x22/0xff 0 0 NFQUEUE tcp -- any any !localhost anywhere tcp dpt:65530 flags:FIN,SYN,RST,PSH,ACK,URG/SYN NFQUEUE num 666 0 0 NFQUEUE tcp -- any any anywhere anywhere multiport sports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK NFQUEUE num 666 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 536 bytes) pkts bytes target prot opt in out source destination 0 0 NFQUEUE tcp -- any any anywhere anywhere multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s tos match0x04/0xff owner UID match tcpcryptd NFQUEUE num 666 0 0 NFQUEUE tcp -- any any anywhere anywhere tcp spt:65530 flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK NFQUEUE num 666

nat

Chain PREROUTING (policy ACCEPT) target prot opt source destination REDIRECT tcp -- multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s redir ports 65530 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s owner UID match tcpcryptd REDIRECT tcp -- anywhere anywhere multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s redir ports 65530

マングル

Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination TOS all -- anywhere anywhere tos match0x04/0xff TOS and 0x00

これらのエントリでは、everyパケットがtcpcryptがenc/decを選択するキューに置かれます。

UPDATE

これはiptablesのスクリプトです：

#!/bin/sh #DAEMON_USER DIVERT_PORT ONLY_PORTS OMIT_PORTS # determine which operation is requested (Append or Delete) if [ "$1" = "start" -o -z "$1" ]; then # during startup, bail early if any of these commands fails set -e OP="-A" Elif [ "$1" = "stop" -o "$1" = "-f" ] ; then OP="-D" else echo "Expected \"start\" or \"stop\" as first argument" >&2 exit 1 fi # determine which ports should be tcpcrypt-enabled if [ -z "$ONLY_PORTS" -a -z "$OMIT_PORTS" ] ; then echo "Expected either OMIT_PORTS or ONLY_PORTS environment variables to be set" >&2 exit 1 fi if [ -n "$ONLY_PORTS" -a -n "$OMIT_PORTS" ] ; then echo "Expected only one of OMIT_PORTS or ONLY_PORTS environment variables to be set" >&2 exit 1 fi if [ -n "$OMIT_PORTS" ] ; then PORT_TEST=! PORTS="$OMIT_PORTS" fi if [ -n "$ONLY_PORTS" ] ; then PORT_TEST= PORTS="$ONLY_PORTS" fi # more necessary configuration if [ -z "$DAEMON_USER" ] ; then echo "Expected DAEMON_USER environment variable to be set" >&2 exit 1 fi if [ -z "$DIVERT_PORT" ] ; then echo "Expected DIVERT_PORT environment variable to be set" >&2 exit 1 fi # some shorthand to make rules more concise from_enabled_port="-m multiport $PORT_TEST --source-ports $PORTS" to_enabled_port="-m multiport $PORT_TEST --destination-ports $PORTS" NFQUEUE="NFQUEUE --queue-num $DIVERT_PORT" CRYPT_PORT="65530" REDIRECT="REDIRECT --to-port $CRYPT_PORT" INJECT_TOS="0x22" HANDSHAKE_TOS="0x04" filter="$ECHO iptables -t filter $OP" # Injection from daemon: Accept $filter INPUT -i lo -p tcp --dport $CRYPT_PORT \ -m tos --tos $INJECT_TOS \ -j ACCEPT # SYN redirected to daemon: # Queue for daemon to initiate proxy connection with original destination $filter INPUT -p tcp --dport $CRYPT_PORT --tcp-flags ALL SYN \ -j $NFQUEUE # SYN+ACK on proxy connection: # Queue for daemon to complete original handshake $filter INPUT -p tcp $from_enabled_port --tcp-flags ALL SYN,ACK \ -j $NFQUEUE # Handshake packet of proxy connection from daemon: # Queue for daemon to set tcp options via DIVERT_MODIFY $filter OUTPUT -p tcp $to_enabled_port \ -m tos --tos $HANDSHAKE_TOS \ -m owner --uid-owner $DAEMON_USER \ -j $NFQUEUE # SYN+ACK on redirected connection: # Queue for daemon to delay handshake until proxy connection succeeds $filter OUTPUT -p tcp --sport $CRYPT_PORT --tcp-flags ALL SYN,ACK \ -j $NFQUEUE nat="$ECHO iptables -t nat $OP" # Inbound connection for enabled ports: # Redirect to daemon (at localhost:$CRYPT_PORT) for encryption # # (The nat module will now translate addresses in both directions, # for the lifetime of this connection.) $nat PREROUTING -p tcp $to_enabled_port \ -j $REDIRECT # Proxy connection from daemon to enabled port: Accept $nat OUTPUT -p tcp $to_enabled_port \ -m owner --uid-owner $DAEMON_USER \ -j ACCEPT # Outbound connections to enabled ports on remote hosts: # Redirect to daemon (at localhost port $CRYPT_PORT) for encryption # # (The nat module will now translate addresses in both directions, # for the lifetime of this connection.) $nat OUTPUT \! -o lo -p tcp $to_enabled_port \ -j $REDIRECT mangle="$ECHO iptables -t mangle $OP" # Packets leaving the machine with bookkeeping mark: Remove mark $mangle POSTROUTING -m tos --tos $HANDSHAKE_TOS \ -j TOS --set-tos 0x00

質問

iptablesをcurrent（上記を参照）エントリで変更して、次の制限を達成するにはどうすればよいですか。

特定の宛先を持つパケットのみをtcpcryptのキューに入れる必要があります。
他のすべてのパケットはtcpcryptのキューに入れられるべきではなく、自由に移動する必要があります。

私が試したこと

A）希望するIPアドレスをOUTPUTチェーンのTCP宛先に追加しようとしました。

Chain OUTPUT (policy ACCEPT 4 packets, 536 bytes) pkts bytes target prot opt in out source destination 0 0 NFQUEUE tcp -- any any anywhere XXX.XXX.XXX.XXX multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s tos match0x04/0xff owner UID match tcpcryptd NFQUEUE num 666 0 0 NFQUEUE tcp -- any any anywhere XXX.XXX.XXX.XXX tcp spt:65530 flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK NFQUEUE num 666

B）NATルールに送信元と送信先のパラメーターを追加しようとしました：

target prot opt source destination REDIRECT tcp -- XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s redir ports 65530

ただし、宛先アドレスに関係なく、すべてのパケットは引き続きtcpcryptに送信されます。

raidensan · Accepted Answer

メソッドB）に基づいた有効なソリューションを見つけました。

natテーブルのPREROUTINGチェーン上の着信パケットの場合、以下のようにフィルタリングしようとしました

$nat PREROUTING -p tcp -s XXX.XXX.XXX.XXX $to_enabled_port \ -j $REDIRECT

ここで、-sオプションとIP値は-p tcpの後です。それから私はそれを

$nat PREROUTING -s XXX.XXX.XXX.XXX -p tcp $to_enabled_port \ -j $REDIRECT

この変更と、それに応じてOUTPUTのnatチェーンを変更することで、望ましい結果が得られました。

興味深いことに、iptables -t nat --line-numbers -L -nvの出力は、上記のコマンドのいずれでもまったく同じに見えます。それでも、2番目のものだけが私の制限に従って結果をもたらします。

ここはiptables.shの修正バージョンで、1つ以上のIPを指定してtcpcryptを制限できます。

以下のFILTER_IPを参照してください。

#!/bin/sh #DAEMON_USER DIVERT_PORT ONLY_PORTS OMIT_PORTS # determine which operation is requested (Append or Delete) if [ "$1" = "start" -o -z "$1" ]; then # during startup, bail early if any of these commands fails set -e OP="-A" Elif [ "$1" = "stop" -o "$1" = "-f" ] ; then OP="-D" else echo "Expected \"start\" or \"stop\" as first argument" >&2 exit 1 fi # determine which ports should be tcpcrypt-enabled if [ -z "$ONLY_PORTS" -a -z "$OMIT_PORTS" ] ; then echo "Expected either OMIT_PORTS or ONLY_PORTS environment variables to be set" >&2 exit 1 fi if [ -n "$ONLY_PORTS" -a -n "$OMIT_PORTS" ] ; then echo "Expected only one of OMIT_PORTS or ONLY_PORTS environment variables to be set" >&2 exit 1 fi if [ -n "$OMIT_PORTS" ] ; then PORT_TEST=! PORTS="$OMIT_PORTS" fi if [ -n "$ONLY_PORTS" ] ; then PORT_TEST= PORTS="$ONLY_PORTS" fi # more necessary configuration if [ -z "$DAEMON_USER" ] ; then echo "Expected DAEMON_USER environment variable to be set" >&2 exit 1 fi if [ -z "$DIVERT_PORT" ] ; then echo "Expected DIVERT_PORT environment variable to be set" >&2 exit 1 fi # some shorthand to make rules more concise from_enabled_port="-m multiport $PORT_TEST --source-ports $PORTS" to_enabled_port="-m multiport $PORT_TEST --destination-ports $PORTS" NFQUEUE="NFQUEUE --queue-num $DIVERT_PORT" CRYPT_PORT="65530" REDIRECT="REDIRECT --to-port $CRYPT_PORT" INJECT_TOS="0x22" HANDSHAKE_TOS="0x04" # You can specify multiple IPs, or a IP range accrding to required format # For example, restricting tcpcrypt to 192.192.192.192 and 127.127.127.127 # FILTER_IP="192.192.192.192,127.127.127.127" # See iptables manpage for more info FILTER_IP="XXX.XXX.XXX.XXX" filter="$ECHO iptables -t filter $OP" # Injection from daemon: Accept $filter INPUT -i lo -p tcp --dport $CRYPT_PORT \ -m tos --tos $INJECT_TOS \ -j ACCEPT # SYN redirected to daemon: # Queue for daemon to initiate proxy connection with original destination $filter INPUT -p tcp --dport $CRYPT_PORT --tcp-flags ALL SYN \ -j $NFQUEUE # SYN+ACK on proxy connection: # Queue for daemon to complete original handshake $filter INPUT -p tcp $from_enabled_port --tcp-flags ALL SYN,ACK \ -j $NFQUEUE # Handshake packet of proxy connection from daemon: # Queue for daemon to set tcp options via DIVERT_MODIFY $filter OUTPUT -p tcp $to_enabled_port \ -m tos --tos $HANDSHAKE_TOS \ -m owner --uid-owner $DAEMON_USER \ -j $NFQUEUE # SYN+ACK on redirected connection: # Queue for daemon to delay handshake until proxy connection succeeds $filter OUTPUT -p tcp --sport $CRYPT_PORT --tcp-flags ALL SYN,ACK \ -j $NFQUEUE nat="$ECHO iptables -t nat $OP" # Inbound connection for enabled ports: # Redirect to daemon (at localhost:$CRYPT_PORT) for encryption # # (The nat module will now translate addresses in both directions, # for the lifetime of this connection.) $nat PREROUTING -s $FILTER_IP -p tcp $to_enabled_port \ -j $REDIRECT # Proxy connection from daemon to enabled port: Accept $nat OUTPUT -p tcp $to_enabled_port \ -m owner --uid-owner $DAEMON_USER \ -j ACCEPT # Outbound connections to enabled ports on remote hosts: # Redirect to daemon (at localhost port $CRYPT_PORT) for encryption # # (The nat module will now translate addresses in both directions, # for the lifetime of this connection.) $nat OUTPUT -d $FILTER_IP \! -o lo -p tcp $to_enabled_port \ -j $REDIRECT mangle="$ECHO iptables -t mangle $OP" # Packets leaving the machine with bookkeeping mark: Remove mark $mangle POSTROUTING -m tos --tos $HANDSHAKE_TOS \ -j TOS --set-tos 0x00