mrash / fwknop

Single Packet Authorization > Port Knocking

Home Page:http://www.cipherdyne.org/fwknop/

Read packet from tun

bastien-roucaries opened this issue · comments

Hi,

Could it be possible to read packets from a tun device?

The idea is to drop root privileges by using something like:
# create a tun device owned by the unprivileged fwknop user/group
ip tuntap add dev fwknop0 mode tun user fwknop group fwknop
ip addr replace 192.168.20.1 dev fwknop0
# clone incoming port-80 packets from the WAN interface onto the tun device
iptables -t mangle -A PREROUTING -i wan -p TCP --dport 80 -j TEE --gateway 192.168.20.1

then, reading the tun device fwknop0, we could get the packet as an unprivileged user.

Moreover, we could use --match hashlimit in order to limit the packets per second received by this interface, hardening fwknop.

I could implement it if needed.

Could be simpler using forward (no need to use TEE):
# create the tun device owned by the unprivileged fwknop user/group
ip tuntap add dev fwknop0 mode tun user fwknop group fwknop
ip addr replace 192.168.2.1 dev fwknop0
ip link set fwknop0 up
ip route add 192.168.2.0/24 dev fwknop0
# rewrite incoming port-80 packets so they are routed out through fwknop0
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
# allow the forwarded packets (destination matches the DNAT target above)
iptables -A FORWARD -p tcp -d 192.168.2.2 --dport 80 -j ACCEPT

For BSD, a dup-to rule will work with a tun device.