Added -c flag to disable IP/port checking in each request
parent
06f60e2a3b
commit
0d3494ae78
@ -12,6 +12,8 @@ CHANGES:
|
||||||
- Applied a security patch from Andrew Griffiths, use setgroups() to
|
- Applied a security patch from Andrew Griffiths, use setgroups() to
|
||||||
limit the groups of the user
|
limit the groups of the user
|
||||||
- Applied a patch to make iodine work on (Open)Solaris, from Albert Lee
|
- Applied a patch to make iodine work on (Open)Solaris, from Albert Lee
|
||||||
|
- Added option in server (-c) to disable IP/port checking on each packet,
|
||||||
|
will hopefully help when server is behind NAT
|
||||||
|
|
||||||
2007-11-30: 0.4.1 "Tea Online"
|
2007-11-30: 0.4.1 "Tea Online"
|
||||||
- Introduced encoding API
|
- Introduced encoding API
|
||||||
|
|
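--- a/man/iodine.8
+++ b/man/iodine.8
@@ -1,5 +1,5 @@
 .\" groff -man -Tascii iodine.8
-.TH IODINE 8 "JUN 2007" "User Manuals"
+.TH IODINE 8 "JUL 2008" "User Manuals"
 .SH NAME
 iodine, iodined \- tunnel IPv4 over DNS
 .SH SYNOPSIS
@@ -25,7 +25,7 @@ iodine, iodined \- tunnel IPv4 over DNS
 
 .B iodined [-h]
 
-.B iodined [-f] [-s] [-u
+.B iodined [-c] [-s] [-f] [-u
 .I user
 .B ] [-P
 .I password
@@ -62,10 +62,6 @@ Print usage info and exit.
 .B -f
 Keep running in foreground.
 .TP
-.B -s
-Don't try to configure IP address or MTU. This should only be used if
-you have already configured the device that will be used.
-.TP
 .B -u user
 Drop privileges and run as user 'user' after setting up tunnel.
 .TP
@@ -82,6 +78,14 @@ Use the TUN device 'device' instead of the normal one, which is dnsX on Linux
 and otherwise tunX.
 .SS Server Options:
 .TP
+.B -c
+Disable checks on client IP and port on all incoming requests.
+This might help if server is behind a NAT firewall.
+.TP
+.B -s
+Don't try to configure IP address or MTU. This should only be used if
+you have already configured the device that will be used.
+.TP
 .B -m mtu
 Set 'mtu' as mtu size for the tunnel device. This will be sent to the client
 on connect, and the client will use the same mtu.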
|
|
|
@ -49,6 +49,7 @@ static char *topdomain;
|
||||||
static char password[33];
|
static char password[33];
|
||||||
static struct encoder *b32;
|
static struct encoder *b32;
|
||||||
|
|
||||||
|
static int check_ip;
|
||||||
static int my_mtu;
|
static int my_mtu;
|
||||||
static in_addr_t my_ip;
|
static in_addr_t my_ip;
|
||||||
|
|
||||||
|
@ -191,8 +192,8 @@ tunnel_dns(int tun_fd, int dns_fd)
|
||||||
users[userid].last_pkt = time(NULL);
|
users[userid].last_pkt = time(NULL);
|
||||||
login_calculate(logindata, 16, password, users[userid].seed);
|
login_calculate(logindata, 16, password, users[userid].seed);
|
||||||
|
|
||||||
if (dummy.q.fromlen != users[userid].addrlen ||
|
if (check_ip && (dummy.q.fromlen != users[userid].addrlen ||
|
||||||
memcmp(&(users[userid].host), &(dummy.q.from), dummy.q.fromlen) != 0) {
|
memcmp(&(users[userid].host), &(dummy.q.from), dummy.q.fromlen) != 0)) {
|
||||||
write_dns(dns_fd, &(dummy.q), "BADIP", 5);
|
write_dns(dns_fd, &(dummy.q), "BADIP", 5);
|
||||||
} else {
|
} else {
|
||||||
if (read >= 18 && (memcmp(logindata, unpacked+1, 16) == 0)) {
|
if (read >= 18 && (memcmp(logindata, unpacked+1, 16) == 0)) {
|
||||||
|
@ -248,8 +249,8 @@ tunnel_dns(int tun_fd, int dns_fd)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check sending ip number */
|
/* Check sending ip number */
|
||||||
if (dummy.q.fromlen != users[userid].addrlen ||
|
if (check_ip && (dummy.q.fromlen != users[userid].addrlen ||
|
||||||
memcmp(&(users[userid].host), &(dummy.q.from), dummy.q.fromlen) != 0) {
|
memcmp(&(users[userid].host), &(dummy.q.from), dummy.q.fromlen) != 0)) {
|
||||||
write_dns(dns_fd, &(dummy.q), "BADIP", 5);
|
write_dns(dns_fd, &(dummy.q), "BADIP", 5);
|
||||||
} else {
|
} else {
|
||||||
/* decode with this users encoding */
|
/* decode with this users encoding */
|
||||||
|
@ -402,7 +403,7 @@ static void
|
||||||
usage() {
|
usage() {
|
||||||
extern char *__progname;
|
extern char *__progname;
|
||||||
|
|
||||||
printf("Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] [-d device] [-m mtu] "
|
printf("Usage: %s [-v] [-h] [-c] [-s] [-f] [-u user] [-t chrootdir] [-d device] [-m mtu] "
|
||||||
"[-l ip address to listen on] [-p port] [-P password]"
|
"[-l ip address to listen on] [-p port] [-P password]"
|
||||||
" tunnel_ip topdomain\n", __progname);
|
" tunnel_ip topdomain\n", __progname);
|
||||||
exit(2);
|
exit(2);
|
||||||
|
@ -413,11 +414,13 @@ help() {
|
||||||
extern char *__progname;
|
extern char *__progname;
|
||||||
|
|
||||||
printf("iodine IP over DNS tunneling server\n");
|
printf("iodine IP over DNS tunneling server\n");
|
||||||
printf("Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] [-d device] [-m mtu] "
|
printf("Usage: %s [-v] [-h] [-c] [-s] [-f] [-u user] [-t chrootdir] [-d device] [-m mtu] "
|
||||||
"[-l ip address to listen on] [-p port] [-P password]"
|
"[-l ip address to listen on] [-p port] [-P password]"
|
||||||
" tunnel_ip topdomain\n", __progname);
|
" tunnel_ip topdomain\n", __progname);
|
||||||
printf(" -v to print version info and exit\n");
|
printf(" -v to print version info and exit\n");
|
||||||
printf(" -h to print this help and exit\n");
|
printf(" -h to print this help and exit\n");
|
||||||
|
printf(" -c to disable check of client IP/port on each request\n");
|
||||||
|
printf(" -s to skip creating and configuring the tun device which then has to be created manually\n");
|
||||||
printf(" -f to keep running in foreground\n");
|
printf(" -f to keep running in foreground\n");
|
||||||
printf(" -u name to drop privileges and run as user 'name'\n");
|
printf(" -u name to drop privileges and run as user 'name'\n");
|
||||||
printf(" -t dir to chroot to directory dir\n");
|
printf(" -t dir to chroot to directory dir\n");
|
||||||
|
@ -463,6 +466,7 @@ main(int argc, char **argv)
|
||||||
mtu = 1024;
|
mtu = 1024;
|
||||||
listen_ip = INADDR_ANY;
|
listen_ip = INADDR_ANY;
|
||||||
port = 53;
|
port = 53;
|
||||||
|
check_ip = 1;
|
||||||
skipipconfig = 0;
|
skipipconfig = 0;
|
||||||
|
|
||||||
b32 = get_base32_encoder();
|
b32 = get_base32_encoder();
|
||||||
|
@ -478,11 +482,14 @@ main(int argc, char **argv)
|
||||||
memset(password, 0, sizeof(password));
|
memset(password, 0, sizeof(password));
|
||||||
srand(time(NULL));
|
srand(time(NULL));
|
||||||
|
|
||||||
while ((choice = getopt(argc, argv, "vsfhu:t:d:m:l:p:P:")) != -1) {
|
while ((choice = getopt(argc, argv, "vcsfhu:t:d:m:l:p:P:")) != -1) {
|
||||||
switch(choice) {
|
switch(choice) {
|
||||||
case 'v':
|
case 'v':
|
||||||
version();
|
version();
|
||||||
break;
|
break;
|
||||||
|
case 'c':
|
||||||
|
check_ip = 0;
|
||||||
|
break;
|
||||||
case 's':
|
case 's':
|
||||||
skipipconfig = 1;
|
skipipconfig = 1;
|
||||||
break;
|
break;
|
||||||
|
|
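Review bot: Once `check_ip` is cleared by `-c`, the two guarded comparisons in tunnel_dns (the login branch and the data branch after `/* Check sending ip number */`) no longer tie a packet to the source address and port that established the session, so the only thing still associating a request with a session is the userid carried in the query; neither the new help line nor the man page entry states that trade-off, both describe `-c` purely as a NAT workaround. I would make the weakening explicit in the help text, e.g. `printf(" -c to disable check of client IP/port on each request (weakens session binding)\n");`, and add one matching sentence to the `.B -c` entry in man/iodine.8 recommending it only when the NAT actually rewrites source ports. The comment above the second check should also reflect that it is now conditional, e.g. `/* Check sending ip number (skipped when -c is given) */`. Both tunnel_dns hunks are excerpts; the function starts and ends outside them, as does main.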