Piratpartiet's meeting platform

(#1) tephlon (offline)
Posts: 18
Registered: Jun 2006
Relakks and the Linux command line - 2006-11-08, 00:59

Hello,

First, I have to apologize for this extremely long post. I guess it's more of a wiki type text, but I believe this is the most appropriate place to post it.

For some time I've been struggling with getting Relakks to work on Linux. I started by following the Relakks FAQ and looked into pptpclient and pptpconfig, but I wasn't too eager to try and install pptpconfig with all its odd dependencies. I found out about kvpnc, but couldn't get that to work properly. So, I've been scouring the Internet to find some kind of command line guide, since I use Arch Linux which is a comparatively small distro, and therefore need a distribution-independent guide. Of course, I couldn't find any answers, only questions.

After realizing that pptpclient set up the wrong routes and having some odd issues with filling my logs with "Protocol-Reject for unsupported protocol" (eventually seeing that it was the Relakks server and not me) I have succeeded quite well. With the perpetual "We will publish a guide shortly" on the Relakks FAQ I thought I should make a post here on my ventures - in English, to reach as many as possible. I don't know if it's a guide as much as a this-is-how-I-got-it-working post, you be the judge of that. I know that some things I write aren't 100% accurate, please correct me in those cases. Anyway, this setup works for me, and I see no reason why it shouldn't for most people.

Let me just first mention that I sit behind a switch (actually my modem, which is a switch too). My LAN network range is 192.168.0.0/24, i.e. 192.168.0.0-255, and my default gateway, i.e. my switch, is 192.168.0.1. My computer's network interface is eth0. When setting up the PPTP connection, pptpclient uses the ppp0 interface. Of course, both eth0 and ppp0 may be named otherwise on other systems. Use ifconfig to find out what they are called (it is not lo) and adapt the stuff below to the correct interface names.

Now, first we need to install pptpclient and ppp. These should be available on most distros (I hope); I will not guide you through an install here. Anyway, once they are installed, we need to make a configuration for the Relakks account.

My configuration files for ppp and pptpclient reside in /etc/ppp. By default, Arch Linux's ppp package contains the following configuration files:
Quote:
/etc/ppp/chap-secrets
/etc/ppp/ip-down
/etc/ppp/ip-up
/etc/ppp/options
/etc/ppp/pap-secrets
/etc/ppp/peers/

The pptpclient package contains the following single configuration file:
Quote:
/etc/ppp/options.pptp

The files interesting for us are options.pptp and chap-secrets. In options.pptp I have the following options set:
Quote:
lock
noauth
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate

The chap-secrets file contains the following:
Quote:
USERNAME Relakks PASSWORD *

where USERNAME of course is not my real username and PASSWORD of course is not my real password. Anyway, here you use your Relakks account information. Don't let everyone read it; chmod 600 /etc/ppp/chap-secrets.

Next, we have to create a file, namely /etc/ppp/peers/Relakks. You can name it whatever you like, maybe /etc/ppp/peers/aardvark, but that wouldn't be very descriptive. This file has the following content:
Quote:
remotename Relakks
linkname Relakks
ipparam Relakks
pty "pptp pptp.relakks.com --nolaunchpppd"
name USERNAME
usepeerdns
require-mppe-128
refuse-eap
noauth
file /etc/ppp/options.pptp

Replace USERNAME with your Relakks username. I guess the refuse-eap line is pretty unnecessary here, since that option already is set in /etc/ppp/options.pptp. Very well, try without it if you like.

Now the configuration is done. Well, except for the firewall. As the vast majority of the Linux users, I use iptables. And, since this is the command line guide to Relakks, let's do it command line.

We need to allow for GRE packets, since these are the packets containing the encrypted traffic to the Relakks servers. GRE, General Routing Encapsulation, is protocol number 47. It is enough to allow ingress (incoming, that is) ESTABLISHED GRE packets, and egress (outgoing) NEW and ESTABLISHED packets. So, issue the following two commands:
Quote:
iptables -I INPUT -i eth0 -p 47 -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -o eth0 -p 47 -m state --state NEW,ESTABLISHED -j ACCEPT

We also need to connect to the Relakks servers and authenticate with our account information. This requires egress access to port 1723. A simple firewall already allows this, but if you have tightened up your system you may have to issue the following:
Quote:
iptables -I INPUT -i eth0 -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -o eth0 -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT

The above four rules are the ones needed to communicate with the Relakks server only. Rules in your standard iptables firewall ruleset specifically written for eth0 will almost certainly need to be adapted to use ppp0 instead of eth0. Myself, I have taken the easy way out and specified all these rules to match "! lo" instead of eth0. That way my firewall rules will match whatever interface I'll ever use.

If you use a router or switch you have to make sure it is forwarding the GRE packets and lets through packets for TCP port 1723. I'm pretty sure only the GRE packet forwarding is an issue, since you only want to connect to TCP port 1723 outwards; you connect to the Relakks servers, the Relakks servers do not connect to you.

So, now everything is set up for the launch. T minus 1 second.

Issue the following command:
Quote:
pon Relakks

If you named the file /etc/ppp/peers/aardvark instead of /etc/ppp/peers/Relakks, then issue pon aardvark.

Here it is a good idea to follow the output in /var/log/daemon (tail -f /var/log/daemon) or wherever pptpclient logs stuff on your system. /var/log/messages should contain these log messages, so this could also be used, although a lot of other stuff is logged there too. You will see messages such as this (I've removed the timestamps and hostname to save space):
Quote:
pppd 2.4.4 started by root, uid 0
pppd[11098]: Using interface ppp0
pppd[11098]: Connect: ppp0 <--> /dev/pts/4
pptp[11100]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
pptp[11103]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
pptp[11103]: anon log[ctrlp_disp:pptp_ctrl.c:738]: Received Start Control Connection Reply
pptp[11103]: anon log[ctrlp_disp:pptp_ctrl.c:772]: Client connection established.
pptp[11103]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
pptp[11103]: anon log[ctrlp_disp:pptp_ctrl.c:857]: Received Outgoing Call Reply.
pptp[11103]: anon log[ctrlp_disp:pptp_ctrl.c:896]: Outgoing call established (call ID 0, peer's call ID 34252).

If all goes well you'll see the following lines:
Quote:
pppd[11098]: CHAP authentication succeeded
pppd[11098]: MPPE 128-bit stateless compression enabled
pppd[11098]: local IP address LOCAL_PPTP_IP
pppd[11098]: remote IP address REMOTE_PPTP_IP
pppd[11098]: primary DNS address DNS_SERVER_1
pppd[11098]: secondary DNS address DNS_SERVER_2

At this point you have gotten a new network interface, which you can look at by issuing ifconfig. It is probably ppp0. LOCAL_PPTP_IP is the IP address assigned to ppp0, and REMOTE_PPTP_IP is the point-to-point endpoint. DNS_SERVER_1 and DNS_SERVER_2 are of course the DNS servers on the Relakks network.

Now, let"s go deeper, and talk about routes. If you"re too slow at this point, when the connection is established, it may die. As the ppp0 interface is created, a route for its IP address is also created. However, this route points to ppp0, which makes it pretty useless, since the packets don"t know where to go from there. <br>
<br>
When I"m not using Relakks, my routing table looks like this (route -n):<br>
Citat:
<pre>Kernel IP routing table<br/>Destination Gateway Genmask Flags Metric Ref Use Iface<br/>192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br/>0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0</pre>
<br>
When pptpclient is finished it looks like this:<br>
Citat:
<pre>Kernel IP routing table<br/>Destination Gateway Genmask Flags Metric Ref Use Iface<br/>REMOTE_PPTP_IP * 255.255.255.255 UH 0 0 0 ppp0<br/>192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br/>0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0</pre>
<br>
The first route there is the faulty one. So, we have to remove it and set up our own routes; issue the following, preferably in a script:<br>
Citat:
<pre>#!/bin/sh<br/><br/>IFACE=eth0<br/>TUNFACE=ppp0<br/>REMOTE=REMOTE_PPTP_IP<br/>GATEWAY=YOUR_DEFAULT_GATEWAY<br/><br/># Add routes to pptp.relakks.com and point-to-point endpoint:<br/>for RELAKKSHOST in $(host pptp.relakks.com | awk "{print $NF}") $REMOTE ; do<br/> route add -host $RELAKKSHOST/32 gw $GATEWAY dev $IFACE<br/>done<br/><br/># Add the default gateway:<br/>route add default $TUNFACE<br/><br/># Delete wrong routes:<br/>route del -host $REMOTE dev $TUNFACE<br/>route del default gw $GATEWAY dev $IFACE</pre>
<br>
This will make your routing table look like this:<br>
Citat:
<pre>Destination Gateway Genmask Flags Metric Ref Use Iface<br/>RELAKKS_SERVER_1 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0<br/>RELAKKS_SERVER_2 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0<br/>...<br/>RELAKKS_SERVER_N 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0<br/>REMOTE_PPTP_IP 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0<br/>192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br/>0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0</pre>
<br>
On your box, the gateway 192.168.0.1 should be replaced by your real default gateway. Also, if you are connected directly to the Internet, that is, you"re not on a LAN, you can skip the second last line.<br>
<br>
Like this, all traffic is routed to the ppp0 interface by default, except for the traffic which has to be outside the tunnel, i.e. the connection to the Relakks servers.<br>
<br>
Finally, pptpclient has written a resolv.conf file for you, which contains the new DNS servers for use on the Relakks network. It is probably located in the /etc/ppp directory; copy this over your old resolv.conf: cp /etc/ppp/resolv.conf /etc/resolv.conf. If you want to save the stuff in your non-Relakks resolv.conf file, please back it up.<br>
<br>
Okay then, you can now start Relakksing <br>
<br>
I have to mention one more thing. In the ppp package, there are most likely two scripts, ip-up and ip-down. These are executed after the PPTP connection is setup (pon Relakks) respectively when you disconnect from Relakks (poff Relakks). The purpose of these seems mostly to be to set up the routes correctly when the tunnel is set up and when it is taken down. I"ve never gotten these to work properly - they have never actually executed any of the commands they are supposed to; most likely some oversight on my part - so I"m only using them for reading the resulting point-to-point addresses and interface name, i.e. LOCAL_PPTP_IP, REMOTE_PPTP_IP and ppp0. However, you should be able to use these to do the routing table exercise I described above, and everything else necessary to setup the PPTP connection.<br>
<br>
Anyway, since I haven"t gotten these working, I"ve rewritten ip-up to simply write the PPTP connection parameters to the file /tmp/ip-up.conf for later use:<br>
Citat:
<code>#!/bin/sh<br>
<br>
cat > /tmp/ip-up.conf << EOF<br>
TUNFACE=$1<br>
DEVICE=$2<br>
SPEED=$3<br>
LOCAL=$4<br>
REMOTE=$5<br>
PARAM=$6<br>
EOF<br>
exit 0</code>
<br>
Then I have written a relakks script that sets everything up for me. I cannot post it in its entirety here, because of all the crap it contains (see the second part of this post, and you"ll understand ), but the gist is this:<br>
Citat:
<pre><br>
#!/bin/sh<br/><br/>IFACE=eth0<br/>GATEWAY=192.168.0.1<br/>TIMEOUT=30<br/><br/><br/>case "$1" in<br/> start)<br/> echo "Starting Relakks service..."<br/><br/> rm /tmp/ip-up.conf 2> /dev/null<br/><br/> #============================================================================<br/> # Adapt your firewall for Relakks. The following is most likely not enough;<br/> # you may also have to adapt your firewall to use the ppp0 interface, in case<br/> # you have rules specified for eth0.<br/> #----------------------------------------------------------------------------<br/> iptables -I INPUT -i $IFACE -p 47 -mstate --state ESTABLISHED -j ACCEPT<br/> iptables -I OUTPUT -o $IFACE -p 47 -m state --state NEW,ESTABLISHED -jACCEPT<br/><br/> iptables -I INPUT -i $IFACE -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT<br/> iptables -I OUTPUT -o $IFACE -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT<br/> #----------------------------------------------------------------------------<br/><br/> #============================================================================<br/> # Start the pppd daemon, and create the /tmp/ip-up.conf file from the ip-up<br/> # script executed by pon.<br/> #----------------------------------------------------------------------------<br/> if ! pon Relakks ; then<br/> echo "Could not execute start the pppd daemon."<br/> exit 2<br/> fi<br/> #----------------------------------------------------------------------------<br/><br/> #============================================================================<br/> # Wait for the connection to the Relakks server to be established... We know<br/> # that the connection is successful when ip-up has created the<br/> # /tmp/ip-up.conf file.<br/> #----------------------------------------------------------------------------<br/> CYCLES=0<br/><br/> while [ ! 
-e /tmp/ip-up.conf ] ; do<br/> if [ $CYCLES -ge $TIMEOUT ] ; then<br/> echo "Timeout error when connecting to Relakks."<br/> exit 3<br/> fi<br/> sleep 1s<br/> CYCLES=$((CYCLES +1))<br/> done<br/> #----------------------------------------------------------------------------<br/><br/> #============================================================================<br/> # Set TUNFACE, DEVICE, SPEED,LOCAL, REMOTE, and PARAM as given from "pon":<br/> #----------------------------------------------------------------------------<br/> . /tmp/ip-up.conf<br/> rm /tmp/ip-up.conf<br/> #----------------------------------------------------------------------------<br/><br/> #============================================================================<br/> # Do the rerouting magic...<br/> #----------------------------------------------------------------------------<br/> # Add routes to pptp.relakks.com and point-to-point endpoint:<br/> for RELAKKSHOST in $(host pptp.relakks.com | awk "{print $NF}") $REMOTE ; do<br/> route add -host $RELAKKSHOST/32 gw $GATEWAY dev $IFACE<br/> done<br/><br/> # Add the default gateway:<br/> route add default $TUNFACE<br/><br/> # Delete wrong routes:<br/> route del -host $REMOTE dev $TUNFACE<br/> route del default gw $GATEWAY dev $IFACE<br/> #----------------------------------------------------------------------------<br/><br/> #============================================================================<br/> # Use the pptpclient DNS servers:<br/> #----------------------------------------------------------------------------<br/> cp /etc/resolv.conf /etc/resolv.conf.bak<br/> cp /etc/ppp/resolv.conf /etc/resolv.conf<br/> #----------------------------------------------------------------------------<br/><br/> ;;<br/><br/> stop)<br/> echo "Stopping Relakks service"<br/><br/> poff Relakks<br/><br/> #============================================================================<br/> # Here you ought to put commands that restart your network and your firewall<br/> 
# to get rid of all strange routes and go back to the default firewall. In<br/> # principle you should be able to let the ip-down script do this.<br/> #<br/> # In any case, I can"t tell you how to do this, since this is very <br/> # distribution-dependent.<br/> #============================================================================<br/><br/> cp /etc/resolv.conf.bak /etc/resolv.conf<br/><br/> ;;<br/><br/> restart)<br/> $0 stop<br/> sleep 1<br/> $0start<br/> ;;<br/><br/> *)<br/> echo "usage: $0 {start|stop|restart}"<br/>esac<br/><br/>exit 0<br/></pre>
<br>
<br>
Final note: If the connection dies, the ip-down script may very well reset the routes, so that all traffic goes through the eth0 interface. This is not good, so if you can live with writing your own script, you should remove (commenting out, deleting...) the lines doing this route resetting from the ip-down script, or - maybe even better - move them to your script. Another way is to set up the iptables firewall to only allow GRE packets and TCP port 1723 packets on eth0 (just like the above rules for this traffic), while the ppp0 iptables rules are set up to act as the "common" firewall.<br>
<br>
So, that was fun, wasn't it? If you're happy with using Relakks for everything then you can stop reading now. However, if you're interested in some funnier stuff, please read on.

On some occasions one doesn't want all traffic to be Relakksed. For instance, consider accessing an SSH account behind a particularly picky firewall, that only lets your usual IP address in and not the Relakks IP. But also, we might have the converse problem: what if we only want to use Relakks for some specific traffic?

The solution to this problem is even more routing gymnastics. To even start solving this we have to make sure our firewall and kernel support some things. The most simple solution - I think - is to use the ROUTE target in iptables. However, apparently this was taken out of iptables at some point, so it is not widely available. Therefore I only say that I think this is the more simple solution; I haven't tried it. So, we have to look for another solution.

Yes, indeed there is another way. We can set up a second routing table with the aid of iproute2, and then use the mangle table in iptables to mark certain traffic that should be rerouted. To use this solution, we first have to install iproute2, of course. This should also be available on most distros. Second, we have to have three certain options enabled in the kernel, namely:
Quote:
CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_MULTIPLE_TABLES
CONFIG_IP_ROUTE_FWMARK

These should be compiled into the kernel or as modules. How you do this is beyond the scope of this text, but it shouldn't be too difficult.

Now, let's solve the first problem first: specifying certain traffic to go out the "normal" way (not through Relakks). Let's take SSH traffic (TCP port 22) and DNS (TCP and UDP port 53) as an example. (Maybe DNS is a daft example, if one tries to anonymize and/or hide one's activities...)

To do this, you do all the exercise I described above, but you skip the copying of the pptpclient resolv.conf over the old /etc/resolv.conf (depending on whether you want to use the Relakks DNS servers of course). Next, you issue the following commands:
Quote:
iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp --dport 53 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp --dport 53 -j MARK --set-mark 1

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to YOUR_eth0_IP_ADDRESS

ip route add default via 192.168.0.1 dev eth0 table 10
ip rule add fwmark 1 table 10
ip route flush cache

(I have to admit that I'm unsure about the PREROUTING rules; they may be unnecessary.)

As previously, 192.168.0.1 should be replaced by your own default gateway.

You can use any "mark" you like, I use "1". Also, you can specify (almost) any table number in the ip route and ip rule commands. Just make sure you are consistent. BTW, the ip command is why we want to install iproute2.

Now, what does all this mean? Well, packets going out from your machine that match any of the rules in the mangle table are marked and let on. When they are being routed, they match the routing rule ip rule add fwmark 1 table 10, since they have the "1" mark. And these packets are directed to routing table 10, which routes the packets out on eth0. However, as they do this, some (even most) of them may have the source IP address LOCAL_PPTP_IP. If we don't do something with these, they'll die on the way, probably in the next router. So we have to change their source IP, and this is what the POSTROUTING rule does in the nat table.

Also, since the packets are going the "wrong" way (and I'm being very vague here; I've not completely understood this), we have to disable Reverse Path Filtering in the kernel for the eth0 interface. This is done like so:
Quote:
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

I haven't thought about this before, and Reverse Path Filtering is off (i.e. 0) on all my interfaces by default, so this hasn't been an issue for me. Maybe I'm urging you to disable rp_filter on the wrong interface...

Okay then, the second problem: what if we only want to use Relakks for certain traffic, and let all other traffic go the normal way? Well, let's do the same thing as above, but the other way around. For the "normal" services (like HTTP, HTTPS, SSH, IMAP, POP and so on) it is possible to "mark" the packets according to the destination port. For some services this is simply not possible as they may use a wide range of destination ports; IM and P2P clients may try a whole bunch of destination ports to get through firewalls (Skype is notorious for this behaviour - it rattles a lot when it's trying to get out). However, it is often possible to force an application to bind to a certain source port and/or address - this can be used instead.

(In iptables it is possible to mark packets created by for instance a certain process ID, or a certain user ID, or even a certain command, through the OWNER module (not all matches work on SMP kernels, unfortunately). However, I noticed that part of the FIN and RST packets refused to be rerouted, so this didn't work for me. Maybe they are created by the kernel and not by the application?)

So, if we want to specify the source port, do the standard exercise described above, but skip the route commands route add default $TUNFACE and route del default gw $GATEWAY dev $IFACE. Also, skip the resolv.conf copying. Then, issue the following:
Quote:
iptables -t mangle -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t mangle -A OUTPUT -p tcp --sport 12345 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p udp --sport 12345 -j MARK --set-mark 1

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to LOCAL_PPTP_IP

ip route add default dev ppp0 table 10
ip rule add fwmark 1 table 10
ip route flush cache

Here I route all DNS requests the "standard" way, since this is where the DNS servers in /etc/resolv.conf can be accessed. Next I "mark" all traffic from the application-specific source port, 12345 in this case. If the application itself also acts as a server, you should add rules for the application's server port(s) as well; just add some more MARK lines and change 12345 to whatever port you use.

On the DNS servers: I could use the Relakks DNS servers if I mark these packets too, but then I use them for all traffic. Using the Relakks name servers for the Relakksed traffic and the standard name servers (i.e. your ISP's name servers) at the same time will be (very?) difficult.

Finally, it may be necessary to enable port forwarding in the kernel:
Quote:
echo 1 > /proc/sys/net/ipv4/ip_forward

I'm not sure about the Reverse Path Filtering, but to be consistent, rp_filter for ppp0 should be set to 0; I don't know, try it.

Okay then, on to specifying the source address instead of the port(s).

This is the neater way: let the services that you want to use Relakks for bind to a specific IP address locally on your machine, and MARK the packets according to this. In principle one could use the Relakks address that is assigned to ppp0 when connecting to Relakks. But, since this address changes (almost) every time we connect to Relakks, it is not really feasible. What we do instead is create an alias interface with a fixed address.

So, first choose an IP address to use, preferably an RFC1918 address, like for instance 172.16.0.10. The RFC1918 addresses cannot be routed on the Internet, so if you by mistake let any of these packets out, they will die in the next router. Configure your application to use this IP. Then, create an alias for the ppp0 interface using this address:
Quote:
ifconfig ppp0:1 172.16.0.10 pointopoint LOCAL_PPTP_IP up

The other steps are the same as in the bind-to-source-port case, with the following exceptions. Don't use the rules marking packets with source port 12345, i.e. do not issue
Quote:
iptables -t mangle -A OUTPUT -p tcp --sport 12345 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p udp --sport 12345 -j MARK --set-mark 1

Instead, set up a rule that marks packets with the new special source address:
Quote:
iptables -t mangle -A OUTPUT --source 172.16.0.10 -j MARK --set-mark 1

Also, add a destination NAT rule to accompany the source NAT rule:
Quote:
iptables -t nat -A PREROUTING -i ppp0 -j DNAT --to 172.16.0.10

To not make so much noise if the Relakks connection dies, you can add a DROP rule as well:
Quote:
iptables -t mangle -A POSTROUTING -o eth0 --source ! YOUR_eth0_IP -j DROP

Use the corresponding DROP rule(s) for the source port case.

I"ve been using tcpdump extensively to troubleshoot all issues I"ve had when figuring this out. There are a few things that are good to check. All the traffic you want to anomymize should go through the tunnel, whereas the GRE traffic, the port 1723 traffic and other (non-anonymized) traffic should go over the eth0 interface. Check this with tcpdump -n -i eth0 and tcpdump -n -i ppp0. More specifically, tcpdump -n -i eth0 not arp and not proto 47 and not port 1723 should not show anything at all if you"re using Relakks for all your traffic.<br>
<br>
If you"re bypassing some traffic outside of the Relakks tunnel, incoming requests on the "wrong" interface to an application running as a server should be blocked. Furthermore, you should check that the packets from each respective interface have the correct source address(es) set, otherwise the name-address translation (the stuff in the nat table in iptables) may be set up wrongly. More specifically you should only see LOCAL_PPTP_IP as source address on the traffic from your box on the ppp0 interface, and only your eth0 address as source address on the traffic from eth0. And, incoming traffic to the wrong IP on the wrong interface should be blocked; there shouldn"t be any of these, though.<br>
<br>
<br>
<br>
Well, I hope that some people find this helpful and not just a load of unnecessary text (and that I haven"t forgotten something...). As I said, this works great for me <br>
<br>
Cheers!<br>
<br>
<br>
_________________________________________________________________<br>
Update 2006-11-13:<br>
- Merged information on binding to a specific local IP.<br>
- Added notes on precautions in case the Relakks connection dies.<br>
<br>
Update 2007-01-16:<br>
- Rewritten some of the iptables and routing text, hopefully making it more clear.<br>
<br>
   
Svara med citat
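As an added example, not from the post above or from the pptpclient project: the route switching that the post does by polling /tmp/ip-up.conf, written instead as the /etc/ppp/ip-up and /etc/ppp/ip-down hooks that pppd runs with the arguments the post lists (interface, tty, speed, local IP, remote IP, ipparam). It uses iproute2's ip instead of route, keeps the kernel's point-to-point route on ppp0 (that address only exists inside the tunnel), and fails closed on ip-down instead of handing the default route back to eth0. IFACE, GATEWAY, PPTP_SERVER, PEER, DRY_RUN and RESTORE_DEFAULT are assumed names, and 198.51.100.7 is a constructed server address used only in dry-run mode.

```shell
#!/bin/sh
# Added example, not from the thread: /etc/ppp/ip-up and /etc/ppp/ip-down
# hooks that move the default route into the Relakks tunnel when pppd brings
# the link up, and fail closed when it goes down. pppd calls the hooks with
#   $1 interface  $2 tty  $3 speed  $4 local IP  $5 remote IP  $6 ipparam
# Site values below are assumptions; override them in the environment.
IFACE=${IFACE:-eth0}                         # physical interface
GATEWAY=${GATEWAY:-192.168.0.1}              # LAN default gateway
PPTP_SERVER=${PPTP_SERVER:-pptp.relakks.com} # server name from the pty line in the peers file
PEER=${PEER:-Relakks}                        # must equal "ipparam Relakks" in the peers file
DRY_RUN=${DRY_RUN:-0}                        # 1 = print commands instead of running them

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# IPv4 addresses of the PPTP server. Traffic to these (GRE and TCP/1723) must
# keep leaving through $IFACE after the default route moves, otherwise the
# tunnel would try to carry its own outer packets. In dry-run mode a constructed
# documentation address is returned so the logic can be exercised offline.
server_addrs() {
    if [ "$DRY_RUN" = 1 ]; then
        echo 198.51.100.7
    else
        getent ahostsv4 "$PPTP_SERVER" | awk '{ print $1 }' | sort -u
    fi
}

ip_up() {
    # Act only for our own peer; other ppp links keep their routes.
    [ "$6" = "$PEER" ] || return 0
    for addr in $(server_addrs); do
        run ip route replace "$addr/32" via "$GATEWAY" dev "$IFACE"
    done
    # Move the default route onto the tunnel. The kernel's own host route to
    # the peer ($5) stays on $1: that address only exists inside the tunnel.
    run ip route del default via "$GATEWAY" dev "$IFACE"
    run ip route add default dev "$1"
    # Use the name servers learnt through the tunnel (usepeerdns writes
    # /etc/ppp/resolv.conf); keep the old file for ip-down.
    run cp /etc/resolv.conf "/etc/resolv.conf.pre-$PEER"
    run cp /etc/ppp/resolv.conf /etc/resolv.conf
}

ip_down() {
    [ "$6" = "$PEER" ] || return 0
    for addr in $(server_addrs); do
        run ip route del "$addr/32" via "$GATEWAY" dev "$IFACE"
    done
    run cp "/etc/resolv.conf.pre-$PEER" /etc/resolv.conf
    # Fail closed: the default route goes back onto the physical interface
    # only when explicitly requested, so a dropped tunnel does not silently
    # send everything out in the clear (the "final note" in the first post).
    if [ "${RESTORE_DEFAULT:-0}" = 1 ]; then
        run ip route add default via "$GATEWAY" dev "$IFACE"
    fi
}

# Dispatch on the name pppd invoked us by (ip-down can be a symlink to ip-up).
case "$(basename "$0")" in
    ip-up)   ip_up "$@" ;;
    ip-down) ip_down "$@" ;;
esac
```

Install it as /etc/ppp/ip-up with /etc/ppp/ip-down symlinked to it; the GRE and TCP port 1723 firewall rules from the post still have to be in place before pon is run.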
(#2) tephlon (offline)
Posts: 18
Registered: Jun 2006
Link: #62189
RE: Relakks and the Linux command line - 2006-11-08, 01:02

Oh, how nicely the formatting was ruined after posting. It all looked so good in the preview...

EDIT: Never mind, solved it. Don't preview before you post.

Reply with quote
(#3) Anders Grandt (offline)
Posts: 164
Registered: Jun 2006
Link: #62234
RE: Relakks and the Linux command line - 2006-11-08, 20:54

Extremely good work!

This guide worked just perfect for me.

Very well explained, easy to follow.

Thanks a lot.

Reply with quote
  (#4) Gammal
greybox Inte uppkopplad
 
Inlägg: 6
Reg.datum: Jan 2007

Länk: #65607
Standard RE: Relakks and the Linux command line - 2007-01-13, 21:21

Hello, whatever i do i cant get my ppp connection running to relakks. This is debug from ppp connect.



13 23:20:41 findus pppd[4386]: rcvd [CCP ConfAck id=0x1 ]

Jan 13 23:20:41 findus pppd[4386]: MPPE 128-bit stateless compression enabled

Jan 13 23:20:41 findus pppd[4386]: sent [IPCP ConfReq id=0x1 ]

Jan 13 23:20:41 findus pppd[4386]: rcvd [IPCP ConfReq id=0x1 ]

Jan 13 23:20:41 findus pppd[4386]: sent [IPCP ConfAck id=0x1 ]

Jan 13 23:20:41 findus pppd[4386]: rcvd [IPCP ConfRej id=0x1 ]

Jan 13 23:20:41 findus pppd[4386]: sent [IPCP ConfReq id=0x2 ]
Jan 13 23:20:41 findus pppd[4386]: rcvd [IPCP ConfNak id=0x2 ]
Jan 13 23:20:41 findus pppd[4386]: sent [IPCP ConfReq id=0x3 ]
Jan 13 23:20:41 findus pppd[4386]: rcvd [IPCP ConfAck id=0x3 ]
Jan 13 23:20:41 findus pppd[4386]: Cannot determine ethernet address for proxy ARP
Jan 13 23:20:41 findus pppd[4386]: local IP address 83.233.XXX.XXX
Jan 13 23:20:41 findus pppd[4386]: remote IP address 83.233.168.4
Jan 13 23:20:41 findus pppd[4386]: primary DNS address 82.209.169.71
Jan 13 23:20:41 findus pppd[4386]: secondary DNS address 82.209.169.72
Jan 13 23:20:41 findus pppd[4386]: Script /etc/ppp/ip-up started (pid 4408)
Jan 13 23:20:41 findus pppd[4386]: Script /etc/ppp/ip-up finished (pid 4408), status = 0x0
Jan 13 23:21:38 findus pppd[4386]: rcvd [LCP TermReq id=0x2 "MPPE disabled"]
Jan 13 23:21:38 findus pppd[4386]: LCP terminated by peer (MPPE disabled)
Jan 13 23:21:38 findus pppd[4386]: Connect time 1.0 minutes.
Jan 13 23:21:38 findus pppd[4386]: Sent 588488221 bytes, received 7771 bytes.
Jan 13 23:21:38 findus pppd[4386]: Script /etc/ppp/ip-down started (pid 4426)
Jan 13 23:21:38 findus pppd[4386]: sent [LCP TermAck id=0x2]
Jan 13 23:21:38 findus pppd[4386]: rcvd [LCP TermReq id=0x3 "MPPE disabled"]
Jan 13 23:21:38 findus pppd[4386]: sent [LCP TermAck id=0x3]
Jan 13 23:21:38 findus pppd[4386]: Script /etc/ppp/ip-down finished (pid 4426), status = 0x0
Jan 13 23:21:38 findus pptp[4392]: anon log[pptp_read_some:pptp_ctrl.c:543]: read returned zero, peer has closed
Jan 13 23:21:38 findus pptp[4392]: anon log[callmgr_main:pptp_callmgr.c:255]: Closing connection (shutdown)
Jan 13 23:21:38 findus pptp[4392]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
Jan 13 23:21:38 findus pptp[4392]: anon log[pptp_read_some:pptp_ctrl.c:543]: read returned zero, peer has closed
Jan 13 23:21:38 findus pptp[4392]: anon log[call_callback:pptp_callmgr.c:78]: Closing connection (call state)
Jan 13 23:21:38 findus pppd[4386]: Modem hangup
Jan 13 23:21:38 findus pppd[4386]: Connection terminated.
Jan 13 23:21:38 findus pppd[4386]: Script pptp pptp.relakks.com --nolaunchpppd finished (pid 4387), status = 0x0
Jan 13 23:21:38 findus pppd[4386]: Exit.


(#5) tephlon (offline)
Posts: 18
Registered: Jun 2006
Link: #65632
RE: Relakks and the Linux command line - 2007-01-14, 10:52

Not sure, but judging from the short connect time and the large amount of traffic you've sent, I believe you've forgotten to set up the correct routing table. I write about that in the first post here. What does your routing table look like ("route -n") before and just after you've issued (your equivalent of) "pon Relakks"?



If my guess is right, your last line is something like

<code>
0.0.0.0 YOUR_STANDARD_GATEWAY 0.0.0.0 UG 0 0 0 eth0
</code>

That is wrong. If you want to use Relakks for all traffic, the last line should look something like

<code>
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
</code>


(#6) greybox (offline)
Posts: 6
Registered: Jan 2007
Link: #65656
RE: Relakks and the Linux command line - 2007-01-14, 17:20

If I use your script the log gives me:

<code>
Jan 14 19:22:38 findus dhclient: DHCPREQUEST on eth1 to 89.150.129.6 port 67
Jan 14 19:22:39 findus pppd[8944]: pppd 2.4.4 started by root, uid 0
Jan 14 19:22:39 findus pppd[8944]: Using interface ppp0
Jan 14 19:22:39 findus pppd[8944]: Connect: ppp0 /dev/pts/1
Jan 14 19:22:39 findus pptp[8946]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
Jan 14 19:22:39 findus pptp[8951]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
Jan 14 19:22:39 findus pptp[8951]: anon log[ctrlp_disp:pptp_ctrl.c:738]: Received Start Control Connection Reply
Jan 14 19:22:39 findus pptp[8951]: anon log[ctrlp_disp:pptp_ctrl.c:772]: Client connection established.
Jan 14 19:22:40 findus pptp[8951]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
Jan 14 19:22:40 findus pptp[8951]: anon log[ctrlp_disp:pptp_ctrl.c:857]: Received Outgoing Call Reply.
Jan 14 19:22:40 findus pptp[8951]: anon log[ctrlp_disp:pptp_ctrl.c:896]: Outgoing call established (call ID 0, peer's call ID 41344).
Jan 14 19:22:40 findus pppd[8944]: CHAP authentication succeeded
Jan 14 19:22:40 findus pppd[8944]: MPPE 128-bit stateless compression enabled
Jan 14 19:22:40 findus pppd[8944]: Cannot determine ethernet address for proxy ARP
Jan 14 19:22:40 findus pppd[8944]: local IP address 83.233.170.240
Jan 14 19:22:40 findus pppd[8944]: remote IP address 83.233.168.7
Jan 14 19:22:40 findus pppd[8944]: primary DNS address 82.209.169.71
Jan 14 19:22:40 findus pppd[8944]: secondary DNS address 82.209.169.72
Jan 14 19:22:59 findus dhclient: DHCPREQUEST on eth1 to 89.150.129.6 port 67
Jan 14 19:23:03 findus pppd[8915]: LCP: timeout sending Config-Requests
Jan 14 19:23:03 findus pppd[8915]: Connection terminated.
Jan 14 19:23:03 findus pppd[8915]: Modem hangup
</code>

Then I run /etc/init.d/relakks start (your script); it hangs for a few secs and then it writes "Timeout error when connecting to Relakks".







I've defined my WAN interface (eth1) and my WAN gateway at the top of your script.

This is my routing table before running "pon Relakks":

<code>
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
89.150.128.0 0.0.0.0 255.255.192.0 U 0 0 0 eth1
0.0.0.0 89.150.128.1 0.0.0.0 UG 0 0 0 eth1
</code>

After:

<code>
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
83.233.168.4 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
89.150.128.0 0.0.0.0 255.255.192.0 U 0 0 0 eth1
0.0.0.0 89.150.128.1 0.0.0.0 UG 0 0 0 eth1
</code>
(#7) tephlon (offline)
Posts: 18
Registered: Jun 2006
Link: #65667
RE: Relakks and the Linux command line - 2007-01-14, 20:25

Okay, I guess I asked the wrong - and ambiguous - questions. I have to admit I'm a bit confused - a couple of points:



1. When you write "then I run /etc/init.d/relakks", I hope you mean "when I run [...]". Otherwise I don't know what you're doing.

2. Also, your log output mentions ppp0 whereas your routing table uses ppp1. Is this the cause of your problems, or a typo, or something else?

3. The log output you posted last isn't the same as you did before. In this last log it looks like you don't receive anything from Relakks after you've authenticated. Do you allow GRE packets where you should (firewalls, switches, and so on)? Since your WAN interface is eth1, did you rewrite the iptables part of the script accordingly? (I just noticed that I forgot to change "eth0" to "$IFACE" in that part...)

4. The resulting routing table from pon relakks isn't that interesting if you use my script (my bad - I should've asked something else before). What's interesting is what routing table you got after running the script (which runs pon itself). Since you use my script, have you rewritten /etc/ppp/ip-up accordingly?



What needs to be in place in order to perform all the steps is the following:

1. Firewalls and switches need to allow GRE traffic and traffic to and from TCP port 1723. When this is OK, pon can be run.

2. When pon is run the ppp0 (or whatever) interface is created, and consequently also an erroneous route to the pptp endpoint (your first line in the routing table after pon is run).

3. Apparently the ip-up script is supposed to rewrite the routing table so that it works. I let my script do that itself, and rewrite ip-up to just give me the resulting tunnel parameters. No matter how you do it, the routing table needs to be corrected right after pon is finished, otherwise the connection dies.



Further, I've had problems before with timeouts and similar. On some occasions it was Relakks having problems, and on other occasions I've had to reboot my modem/switch (crappy stuff...).



Anyway, maybe it is best to start with verifying that you don't mix up the interfaces. If pon gives you ppp1 while your scripts set up things for ppp0 there's no wonder it doesn't work.



HTH (and not only confuses)
(#8) greybox (offline)
Posts: 6
Registered: Jan 2007
Link: #65669
RE: Relakks and the Linux command line - 2007-01-14, 20:44

I did your checkups and the syslog gives me this atm:

<code>
Jan 14 22:43:17 findus pppd[21727]: Using interface ppp0
Jan 14 22:43:17 findus pppd[21727]: Connect: ppp0 /dev/pts/2
Jan 14 22:43:17 findus pptp[21729]: anon log[main:pptp.c:276]: The synchronous pptp option is NOT activated
Jan 14 22:43:17 findus pptp[21734]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
Jan 14 22:43:17 findus pptp[21734]: anon log[ctrlp_disp:pptp_ctrl.c:738]: Received Start Control Connection Reply
Jan 14 22:43:17 findus pptp[21734]: anon log[ctrlp_disp:pptp_ctrl.c:772]: Client connection established.
Jan 14 22:43:18 findus pptp[21734]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
Jan 14 22:43:18 findus pptp[21734]: anon log[ctrlp_disp:pptp_ctrl.c:857]: Received Outgoing Call Reply.
Jan 14 22:43:18 findus pptp[21734]: anon log[ctrlp_disp:pptp_ctrl.c:896]: Outgoing call established (call ID 0, peer's call ID 19456).
Jan 14 22:43:18 findus pppd[21727]: CHAP authentication succeeded
Jan 14 22:43:18 findus pppd[21727]: MPPE 128-bit stateless compression enabled
Jan 14 22:43:18 findus pppd[21727]: Cannot determine ethernet address for proxy ARP
Jan 14 22:43:18 findus pppd[21727]: local IP address 83.233.169.155
Jan 14 22:43:18 findus pppd[21727]: remote IP address 83.233.168.5
Jan 14 22:43:18 findus pppd[21727]: primary DNS address 82.209.169.71
Jan 14 22:43:18 findus pppd[21727]: secondary DNS address 82.209.169.72
Jan 14 22:43:18 findus pppd[21727]: Can't execute /etc/ppp/ip-up: Invalid argument
</code>





These are my configuration files:

/etc/ppp/options.ppp:

<code>
lock
noauth
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate
</code>

/etc/ppp/peers/Relakks:

<code>
remotename Relakks
linkname Relakks
ipparam Relakks
pty "pptp pptp.relakks.com --nolaunchpppd"
name USERNAME
usepeerdns
require-mppe-128
refuse-eap
noauth
file /etc/ppp/options.pptp
</code>





This is my firewall:

<code>
#!/bin/sh
# First let linux know this is a shell script and how to execute it
# Next, just in case there are any rules sitting in memory we flush everything
/sbin/iptables -F
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

# Lets know specifically where we intersect with the Internet
# specifically allow data from our own static IP
/sbin/iptables -A INPUT -s 89.150.170.71 -j ACCEPT #for everything

# DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ! lo -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Output
iptables -A OUTPUT -p tcp -m state --state NEW -m multiport --dports 21,22,25,80 -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW -m multiport --dports 53 -j ACCEPT

# Input
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 21,22,25,80 -j ACCEPT

# FORWARD
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Relakks GRE and Relakks authenticate
iptables -I INPUT -i eth1 -p 47 -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -o eth1 -p 47 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -I INPUT -i eth1 -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -o eth1 -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
</code>



---



My setup: eth0 is the LAN side, eth1 is the WAN side.

I've modified your final script to use eth1 instead of eth0.
(#9) tephlon (offline)
Posts: 18
Registered: Jun 2006
Link: #65677
RE: Relakks and the Linux command line - 2007-01-14, 22:50

Okay, can't spot anything odd immediately, except for the log row

<code>
Jan 14 22:43:18 findus pppd[21727]: Can't execute /etc/ppp/ip-up: Invalid argument
</code>

Apparently there is an error in ip-up. What happens if you fix that?



If the problem persists, see if you can add some logging (the LOG target) to that firewall ruleset of yours and see if/what traffic is blocked.



From your firewall ruleset I reckon you're using your firewall/NAT box to set up the Relakks connection, so that your whole LAN can use it. (Nice!) I'm a little bit in the deep end of the pool now, but I believe the firewall rules on the WAN side of the NAT box need to be adapted for Relakks. For instance the forwarding rules seem to suffer from this. Instead of forwarding packets between eth0 and eth1 I think you want to forward the packets between eth0 and ppp0. When the packets are entering the tunnel (ppp0), they will be routed to eth1 and to the Relakks server - the only rules you need for eth1 are to allow traffic to and from the Relakks server (GRE and TCP port 1723).
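Pulling together the routing points from post #7 and the firewall advice in post #9, here is an added POSIX sh example (not tephlon's script and not greybox's firewall) that checks whether the default route actually went into the tunnel after "pon Relakks" and prints the route and iptables changes described above, parameterised on the WAN interface. The interface names and gateway are assumptions copied from greybox's setup, and the SERVER argument is assumed to be the resolved address of pptp.relakks.com.

```shell
#!/bin/sh
# Added example, not the thread's own code. Everything is printed rather than
# executed so it can be reviewed first; pipe the output into sh to apply it.
WAN_IFACE=eth1          # assumed: WAN side (eth0 is the LAN side in greybox's setup)
WAN_GW=89.150.128.1     # assumed: WAN default gateway from greybox's routing table
LAN_IFACE=eth0
PPP_IFACE=ppp0          # the interface pppd reports in "Using interface ..."

# default_iface: read "route -n" output on stdin and print the interface of the
# default route (destination 0.0.0.0, genmask 0.0.0.0); prints nothing if absent.
default_iface() {
  awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# check_routes FILE: succeed only when the default route already goes through
# the tunnel, which is the state that must hold right after pon finishes.
check_routes() {
  [ "$(default_iface < "$1")" = "$PPP_IFACE" ]
}

# route_fixes SERVER: keep the PPTP control connection and GRE going out via the
# real gateway, then move the default route into the tunnel, so the last line of
# "route -n" becomes "0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0".
route_fixes() {
  echo "route add -host $1 gw $WAN_GW dev $WAN_IFACE"
  echo "route del default gw $WAN_GW dev $WAN_IFACE"
  echo "route add default dev $PPP_IFACE"
}

# firewall_rules SERVER: on the WAN side accept only GRE (protocol 47) and TCP
# 1723 to and from the Relakks server (inserted at the top so they match before
# any drop), forward the LAN into the tunnel instead of straight out the WAN
# interface, and append LOG rules so anything still dropped shows up in syslog.
firewall_rules() {
  echo "iptables -I INPUT  -i $WAN_IFACE -s $1 -p 47 -j ACCEPT"
  echo "iptables -I OUTPUT -o $WAN_IFACE -d $1 -p 47 -j ACCEPT"
  echo "iptables -I INPUT  -i $WAN_IFACE -s $1 -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT"
  echo "iptables -I OUTPUT -o $WAN_IFACE -d $1 -p tcp --dport 1723 -j ACCEPT"
  echo "iptables -I FORWARD -i $LAN_IFACE -o $PPP_IFACE -j ACCEPT"
  echo "iptables -I FORWARD -i $PPP_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $PPP_IFACE -j MASQUERADE"
  echo "iptables -A INPUT -j LOG --log-prefix 'relakks-drop: '"
  echo "iptables -A FORWARD -j LOG --log-prefix 'relakks-drop: '"
}
```

Run `route -n > /tmp/after` right after pon and then `check_routes /tmp/after || route_fixes SERVER` to see which corrections are still missing; the LOG lines make blocked GRE or 1723 traffic visible in the same syslog the thread quotes.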


(#10) greybox (offline)
Posts: 6
Registered: Jan 2007
Link: #65756
RE: Relakks and the Linux command line - 2007-01-15, 21:41

I can now connect to Relakks and it works almost fine: the connection stays alive, but only when using your script. However, I can't ping the outside world when I use your script. What's wrong?