Read packet from tun
bastien-roucaries opened this issue
Hi,
Could it be possible to read packets from a tun device?
The idea is to drop root privileges by using something like:
ip tuntap add dev fwknop0 mode tun user fwknop group fwknop
ip addr replace 192.168.20.1 dev fwknop0
iptables -t mangle -A PREROUTING -i wan -p TCP --dport 80 -j TEE --gateway 192.168.20.1
then by reading the tun device fwknop0 we could get the packets as an unprivileged user.
Moreover, we could use --match hashlimit in order to limit the packets per second received by this interface, hardening fwknop.
I could implement it if needed.
It could be simple using forwarding (no need to use TEE):
ip tuntap add dev fwknop0 mode tun user fwknop group fwknop
ip addr replace 192.168.2.1 dev fwknop0
ip link set fwknop0 up
ip route add 192.168.2.0/24 dev fwknop0
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -p tcp -d 192.168.2.2 --dport 80 -j ACCEPT
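As an added illustration of what the unprivileged reader side of either setup above (TEE or DNAT) would look like, here is a sketch that is not fwknop code and not part of this issue: it attaches to the pre-created fwknop0 tun device, parses the raw IPv4/TCP packets that arrive there (a tun frame carries no link-layer header), and applies a user-space token bucket as a belt-and-braces counterpart to --match hashlimit. The device name, rate and burst values, and the sample packet are assumptions chosen for the example.

```python
import fcntl, os, struct, time
# Constants from linux/if_tun.h; assumed Linux host with /dev/net/tun.
TUNSETIFF, IFF_TUN, IFF_NO_PI = 0x400454CA, 0x0001, 0x1000

def open_tun(name="fwknop0"):
    """Attach to the pre-created tun device (owned by user fwknop, so no root needed)."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    # IFF_NO_PI: no 4-byte packet-info prefix, so each read() starts at the IP header.
    fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH", name.encode(), IFF_TUN | IFF_NO_PI))
    return fd

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP packet, else None."""
    # A tun frame has no link-layer header: byte 0 is already IP version/IHL.
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or ihl < 20 or total > len(pkt) or total < ihl + 20:
        return None  # not TCP, or header lengths inconsistent with the buffer
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    doff = (pkt[ihl + 12] >> 4) * 4
    if doff < 20 or ihl + doff > total:
        return None
    return src, dst, sport, dport, pkt[ihl + doff:total]

class TokenBucket:
    """User-space analogue of --match hashlimit: `rate` packets/s with burst `burst`."""
    def __init__(self, rate, burst, now=time.monotonic):
        self.rate, self.burst, self.now = rate, burst, now
        self.tokens, self.last = float(burst), now()
    def allow(self):
        t = self.now()
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last, ok = t, self.tokens >= 1
        self.tokens -= ok  # spend one token only when the packet is admitted
        return ok

def make_sample_packet(src, dst, sport, dport, payload):
    """Constructed IPv4/TCP SYN packet (checksums left zero; the parser ignores them)."""
    addrs = [bytes(int(o) for o in a.split(".")) for a in (src, dst)]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, *addrs) + tcp

if __name__ == "__main__":  # packets arrive via the DNAT/TEE rule, read as user fwknop
    fd, limiter = open_tun(), TokenBucket(rate=5, burst=10)
    while True:
        parsed = parse_ipv4_tcp(os.read(fd, 65535))
        if parsed and limiter.allow():
            print("%s:%d -> %s:%d, %d payload bytes" % (*parsed[:4], len(parsed[4])))
```

Running it as the fwknop user only needs the tun device to already exist with that owner, as the `ip tuntap add ... user fwknop` line above arranges; it never needs CAP_NET_RAW.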
For BSD, a dup-to rule will work with tun.