File: INSTALL-Linux.markdown

package info (click to toggle)
tcpcrypt 0.3~rc1-3
  • links: PTS, VCS
  • area: main
  • in suites: jessie, jessie-kfreebsd
  • size: 1,292 kB
  • ctags: 1,285
  • sloc: ansic: 11,305; asm: 482; sh: 192; objc: 149; makefile: 98
file content (171 lines) | stat: -rw-r--r-- 6,736 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
 
Installing tcpcrypt on Linux
============================

Tcpcrypt has 2 separate Linux implementations: kernel and userland. These
instructions cover only the userland tcpcrypt, which is easier to set up.


Dependencies
============

 * OpenSSL >= 0.9.8
 * libnfnetlink >= 0.0.40
 * libnetfilter_queue >= 0.0.16
 * libcap
 * Kernel divert socket support (NFQUEUE)


Ubuntu and Debian packages
--------------------------
    apt-get install iptables libcap-dev libssl-dev \
                    libnfnetlink-dev libnetfilter-queue-dev


Kernel divert sockets (NFQUEUE)
-------------------------------

Installing your distribution's libnfnetfilter_queue package most likely handles
this for you. If not, then you need to enable the following in `make
menuconfig`:

* Networking -> Networking options -> Network packet filtering framework (Netfilter) and the following suboptions
* Core Netfilter Configuration -> Netfilter NFQUEUE over NFNETLINK interface
* Core Netfilter Configuration -> Netfilter Xtables support -> "NFQUEUE" target Support

The `.config` options for these are:

    CONFIG_NETFILTER_NETLINK
    CONFIG_NETFILTER_NETLINK_QUEUE
    CONFIG_NETFILTER_XT_TARGET_NFQUEUE


Compiling
---------

Run:

    cd tcpcrypt/user
    ./bootstrap.sh
    ./configure
    make

Optional: running `make install` will install `libtcpcrypt` and tcpcrypt
headers, for building apps that use tcpcrypt's session ID.


Try it out
----------

See the included `README.markdown` file for ways to try out tcpcrypt.


Reported issues
---------------

Tcpcrypt is incompatible with ECN (explicit congestion notification, RFC 3168). To disable ECN (if you know what you're doing), run `sudo sysctl net.ipv4.tcp_ecn=0`. Reported by jech at https://github.com/sorbo/tcpcrypt/issues/7.


iptables firewall setup
=======================

The included `launch_tcpcryptd.sh` script adds iptable rules to divert all TCP
traffic -- *except* that which is already encrypted, like SSH -- to tcpcryptd.
Read on only for more complex firewall setups.

The naive way to use tcpcryptd:

    iptables -A OUTPUT -p tcp -j NFQUEUE --queue-num 666
    iptables -A INPUT -p tcp -j NFQUEUE --queue-num 666

This will apply tcpcrypt to all locally destined (or generated) TCP packets.
This will work, but you'll run into problems #1 and #2, which may not be
problems if you don't have a firewall or nat setup.

For testing on your local machine, you can restrict tcpcrypt to the loopback interface:

    iptables -A OUTPUT -p tcp -o lo -j NFQUEUE --queue-num 666
    iptables -A INPUT -p tcp -i lo -j NFQUEUE --queue-num 666

Or, to run tcpcrypt only on port 80, use this (taken from launch_tcpcryptd.sh):
    
    iptables -A OUTPUT -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 666
    iptables -A INPUT -p tcp -m tcp --sport 80 -j NFQUEUE --queue-num 666    

To restore your iptables rules to their previous state, you can remove rules by
replacing `-A` (append) with `-D` (delete) in the above commands.

The following instructions apply to using tcpcrypt on firewall/gateway boxes.

Linux firewall setup is more challenging than on FreeBSD for two reasons.

   1. In FreeBSD, after a packet is diverted, the divert daemon can drop the
      packet, or accept it. In the latter case, firewall processing continues
      from the next rule. So basically natd will get a chance to run, and other
      firewall rules. It's a pipeline. On Linux, you can either accept or drop
      the packet, which ignores the rest of the firewall.

   2. In FreeBSD, you can easily order tcpcryptd, then natd, because they're
      both in userland, and both use divert, and the whole firewall is a
      pipeline. On Linux natd is IP connection tracking in the kernel, which is
      used for stateful firewalls too. We gotta make tcpcryptd run BEFORE
      conntrack.

To make tcpcrypt work the "proper" way, making sure that nat and stateful
firewalls (e.g., -m state --state ESTABLISHED) work:

    iptables -t raw -A PREROUTING -p tcp -j NFQUEUE --queue-num 666
    iptables -t mangle -A POSTROUTING -p tcp -j NFQUEUE --queue-num 666

This will apply tcpcrypt to all TCP packets entering and exiting the box,
including forwarded packets.  Note that this setup will respect firewall
rules in other tables but terminate those in the raw and mangle tables.  In
short, your firewall rules in the filter table and nat table (those that you
probably care about most) will work.  You'll get caught by problem #1 though.

To make tcpcrypt work the elite way, making sure that all firewall rules are
obeyed and conntrack isn't confused:

    iptables -t raw -N tcpcrypt
    iptables -t raw -A tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
    iptables -t raw -I PREROUTING -j tcpcrypt

    iptables -t mangle -N tcpcrypt
    iptables -t mangle -A tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
    iptables -t mangle -I POSTROUTING -j tcpcrypt
 
And launch `tcpcryptd` with `-x 0x10`

This example is like before, but will create a chain with only the tcpcrypt
rule, which will run only if a packet is unmarked.  When tcpcryptd needs to
accept a packet, rather than passing a verdict of ACCEPT, which terminates
all rule processing, it will pass a verdict of REPEAT, which restarts
processing at the current chain.  To avoid loops, it will also mark the
packet so that the rule to divert will be matched only once.  Effectively the
first time round real work will be done, and the second time round we
"return" to process the other rules.

Note that you can make tcpcryptd work transparently on forwarded traffic, and
even in conjunction with NAT.  You can pretend that the Internet is
tcpcrypted.  Lets say eth0 is your LAN.  You can do something like:

[create the tcpcrypt chains as explained earlier.]

    iptables -t raw -A PREROUTING -i eth0 -j tcpcrypt
    iptables -t mangle -A POSTROUTING -o eth0 -j tcpcrypt

tcpcryptd will see all incoming traffic from eth0 and make it look like
standard TCP to the outside world, and will then tcpcrypt all the responses
coming back to eth0.  There's one caveat though when using it in conjunction
with NAT (conntrack).  tcpcryptd forges a packet (the INIT2) and this
confuses conntrack as it thinks it's a new connection and it changes the
source port.  You therefore need to add:

    iptables -t raw -A OUTPUT -o eth0 -j NOTRACK

i.e., all locally generated traffic (the forged packet from tcpcryptd) should
not be natted.  In fact I don't even know why it is being natted (maybe a
bug).  Of course you need to setup nat with something like:

    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4

where eth1 is your Internet interface and 1.2.3.4 your Internet static IP.