Added -c flag to disable IP/port checking in each request

This commit is contained in:
Erik Ekman 2008-07-12 22:39:29 +00:00
parent e4e23275c9
commit 4d79bf6368
3 changed files with 26 additions and 13 deletions


@ -12,6 +12,8 @@ CHANGES:
- Applied a security patch from Andrew Griffiths, use setgroups() to - Applied a security patch from Andrew Griffiths, use setgroups() to
limit the groups of the user limit the groups of the user
- Applied a patch to make iodine work on (Open)Solaris, from Albert Lee - Applied a patch to make iodine work on (Open)Solaris, from Albert Lee
- Added option in server (-c) to disable IP/port checking on each packet,
will hopefully help when server is behind NAT
2007-11-30: 0.4.1 "Tea Online" 2007-11-30: 0.4.1 "Tea Online"
- Introduced encoding API - Introduced encoding API


@ -1,5 +1,5 @@
.\" groff -man -Tascii iodine.8 .\" groff -man -Tascii iodine.8
.TH IODINE 8 "JUN 2007" "User Manuals" .TH IODINE 8 "JUL 2008" "User Manuals"
.SH NAME .SH NAME
iodine, iodined \- tunnel IPv4 over DNS iodine, iodined \- tunnel IPv4 over DNS
.SH SYNOPSIS .SH SYNOPSIS
@ -25,7 +25,7 @@ iodine, iodined \- tunnel IPv4 over DNS
.B iodined [-h] .B iodined [-h]
.B iodined [-f] [-s] [-u .B iodined [-c] [-s] [-f] [-u
.I user .I user
.B ] [-P .B ] [-P
.I password .I password
@ -62,10 +62,6 @@ Print usage info and exit.
.B -f .B -f
Keep running in foreground. Keep running in foreground.
.TP .TP
.B -s
Don't try to configure IP address or MTU. This should only be used if
you have already configured the device that will be used.
.TP
.B -u user .B -u user
Drop privileges and run as user 'user' after setting up tunnel. Drop privileges and run as user 'user' after setting up tunnel.
.TP .TP
@ -82,6 +78,14 @@ Use the TUN device 'device' instead of the normal one, which is dnsX on Linux
and otherwise tunX. and otherwise tunX.
.SS Server Options: .SS Server Options:
.TP .TP
.B -c
Disable checks on client IP and port on all incoming requests.
This might help if server is behind a NAT firewall.
.TP
.B -s
Don't try to configure IP address or MTU. This should only be used if
you have already configured the device that will be used.
.TP
.B -m mtu .B -m mtu
Set 'mtu' as mtu size for the tunnel device. This will be sent to the client Set 'mtu' as mtu size for the tunnel device. This will be sent to the client
on connect, and the client will use the same mtu. on connect, and the client will use the same mtu.


@ -49,6 +49,7 @@ static char *topdomain;
static char password[33]; static char password[33];
static struct encoder *b32; static struct encoder *b32;
static int check_ip;
static int my_mtu; static int my_mtu;
static in_addr_t my_ip; static in_addr_t my_ip;
@ -191,8 +192,8 @@ tunnel_dns(int tun_fd, int dns_fd)
users[userid].last_pkt = time(NULL); users[userid].last_pkt = time(NULL);
login_calculate(logindata, 16, password, users[userid].seed); login_calculate(logindata, 16, password, users[userid].seed);
if (dummy.q.fromlen != users[userid].addrlen || if (check_ip && (dummy.q.fromlen != users[userid].addrlen ||
memcmp(&(users[userid].host), &(dummy.q.from), dummy.q.fromlen) != 0) { memcmp(&(users[userid].host), &(dummy.q.from), dummy.q.fromlen) != 0)) {
write_dns(dns_fd, &(dummy.q), "BADIP", 5); write_dns(dns_fd, &(dummy.q), "BADIP", 5);
} else { } else {
if (read >= 18 && (memcmp(logindata, unpacked+1, 16) == 0)) { if (read >= 18 && (memcmp(logindata, unpacked+1, 16) == 0)) {
@ -248,8 +249,8 @@ tunnel_dns(int tun_fd, int dns_fd)
} }
/* Check sending ip number */ /* Check sending ip number */
if (dummy.q.fromlen != users[userid].addrlen || if (check_ip && (dummy.q.fromlen != users[userid].addrlen ||
memcmp(&(users[userid].host), &(dummy.q.from), dummy.q.fromlen) != 0) { memcmp(&(users[userid].host), &(dummy.q.from), dummy.q.fromlen) != 0)) {
write_dns(dns_fd, &(dummy.q), "BADIP", 5); write_dns(dns_fd, &(dummy.q), "BADIP", 5);
} else { } else {
/* decode with this users encoding */ /* decode with this users encoding */
@ -402,7 +403,7 @@ static void
usage() { usage() {
extern char *__progname; extern char *__progname;
printf("Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] [-d device] [-m mtu] " printf("Usage: %s [-v] [-h] [-c] [-s] [-f] [-u user] [-t chrootdir] [-d device] [-m mtu] "
"[-l ip address to listen on] [-p port] [-P password]" "[-l ip address to listen on] [-p port] [-P password]"
" tunnel_ip topdomain\n", __progname); " tunnel_ip topdomain\n", __progname);
exit(2); exit(2);
@ -413,11 +414,13 @@ help() {
extern char *__progname; extern char *__progname;
printf("iodine IP over DNS tunneling server\n"); printf("iodine IP over DNS tunneling server\n");
printf("Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] [-d device] [-m mtu] " printf("Usage: %s [-v] [-h] [-c] [-s] [-f] [-u user] [-t chrootdir] [-d device] [-m mtu] "
"[-l ip address to listen on] [-p port] [-P password]" "[-l ip address to listen on] [-p port] [-P password]"
" tunnel_ip topdomain\n", __progname); " tunnel_ip topdomain\n", __progname);
printf(" -v to print version info and exit\n"); printf(" -v to print version info and exit\n");
printf(" -h to print this help and exit\n"); printf(" -h to print this help and exit\n");
printf(" -c to disable check of client IP/port on each request\n");
printf(" -s to skip creating and configuring the tun device which then has to be created manually\n");
printf(" -f to keep running in foreground\n"); printf(" -f to keep running in foreground\n");
printf(" -u name to drop privileges and run as user 'name'\n"); printf(" -u name to drop privileges and run as user 'name'\n");
printf(" -t dir to chroot to directory dir\n"); printf(" -t dir to chroot to directory dir\n");
@ -463,6 +466,7 @@ main(int argc, char **argv)
mtu = 1024; mtu = 1024;
listen_ip = INADDR_ANY; listen_ip = INADDR_ANY;
port = 53; port = 53;
check_ip = 1;
skipipconfig = 0; skipipconfig = 0;
b32 = get_base32_encoder(); b32 = get_base32_encoder();
@ -478,11 +482,14 @@ main(int argc, char **argv)
memset(password, 0, sizeof(password)); memset(password, 0, sizeof(password));
srand(time(NULL)); srand(time(NULL));
while ((choice = getopt(argc, argv, "vsfhu:t:d:m:l:p:P:")) != -1) { while ((choice = getopt(argc, argv, "vcsfhu:t:d:m:l:p:P:")) != -1) {
switch(choice) { switch(choice) {
case 'v': case 'v':
version(); version();
break; break;
case 'c':
check_ip = 0;
break;
case 's': case 's':
skipipconfig = 1; skipipconfig = 1;
break; break;
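Review bot: With -c set, the `check_ip &&` gate added at the `/* Check sending ip number */` site in the second tunnel_dns hunk removes the only per-packet check that a data request comes from the host that authenticated that userid; the login hash is compared only in the login path of the first hunk, so once a user is logged in any sender that learns the (small, DNS-visible) userid can inject packets into that user's tunnel, and if the server later records the new sender as the user's address — not visible here — it could also receive the tunnelled replies. The help text and man page present -c purely as a NAT workaround, so neither a maintainer nor an operator gets any signal of this trade-off. I would record it at the declaration, `static int check_ip; /* 0 with -c: data packets are no longer bound to the login source addr/port; any host that learns a userid can inject into that tunnel */`, and print a warning in the `case 'c':` branch, e.g. `fprintf(stderr, "Warning: -c disables per-packet client IP/port verification\n");` before `check_ip = 0;`. tunnel_dns starts and ends outside both hunks, so I cannot see whether users[userid].host is ever updated after login.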