From 0d3494ae7887f2e171f0d4958ffddad1c308e569 Mon Sep 17 00:00:00 2001 From: Erik Ekman Date: Sat, 12 Jul 2008 22:39:29 +0000 Subject: [PATCH] Added -c flag to disable IP/port checking in each request --- CHANGELOG | 2 ++ man/iodine.8 | 16 ++++++++++------ src/iodined.c | 21 ++++++++++++++------- 3 files changed, 26 insertions(+), 13 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index cce25f7..cc14788 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -12,6 +12,8 @@ CHANGES: - Applied a security patch from Andrew Griffiths, use setgroups() to limit the groups of the user - Applied a patch to make iodine work on (Open)Solaris, from Albert Lee + - Added option in server (-c) to disable IP/port checking on each packet, + will hopefully help when server is behind NAT 2007-11-30: 0.4.1 "Tea Online" - Introduced encoding API diff --git a/man/iodine.8 b/man/iodine.8 index ac7a9eb..2559b35 100644 --- a/man/iodine.8 +++ b/man/iodine.8 @@ -1,5 +1,5 @@ .\" groff -man -Tascii iodine.8 -.TH IODINE 8 "JUN 2007" "User Manuals" +.TH IODINE 8 "JUL 2008" "User Manuals" .SH NAME iodine, iodined \- tunnel IPv4 over DNS .SH SYNOPSIS @@ -25,7 +25,7 @@ iodine, iodined \- tunnel IPv4 over DNS .B iodined [-h] -.B iodined [-f] [-s] [-u +.B iodined [-c] [-s] [-f] [-u .I user .B ] [-P .I password @@ -62,10 +62,6 @@ Print usage info and exit. .B -f Keep running in foreground. .TP -.B -s -Don't try to configure IP address or MTU. This should only be used if -you have already configured the device that will be used. -.TP .B -u user Drop privileges and run as user 'user' after setting up tunnel. .TP @@ -82,6 +78,14 @@ Use the TUN device 'device' instead of the normal one, which is dnsX on Linux and otherwise tunX. .SS Server Options: .TP +.B -c +Disable checks on client IP and port on all incoming requests. +This might help if server is behind a NAT firewall. +.TP +.B -s +Don't try to configure IP address or MTU. This should only be used if +you have already configured the device that will be used. +.TP .B -m mtu Set 'mtu' as mtu size for the tunnel device. This will be sent to the client on connect, and the client will use the same mtu. diff --git a/src/iodined.c b/src/iodined.c index 1a9f466..f1e8538 100644 --- a/src/iodined.c +++ b/src/iodined.c @@ -49,6 +49,7 @@ static char *topdomain; static char password[33]; static struct encoder *b32; +static int check_ip; static int my_mtu; static in_addr_t my_ip; @@ -191,8 +192,8 @@ tunnel_dns(int tun_fd, int dns_fd) users[userid].last_pkt = time(NULL); login_calculate(logindata, 16, password, users[userid].seed); - if (dummy.q.fromlen != users[userid].addrlen || - memcmp(&(users[userid].host), &(dummy.q.from), dummy.q.fromlen) != 0) { + if (check_ip && (dummy.q.fromlen != users[userid].addrlen || + memcmp(&(users[userid].host), &(dummy.q.from), dummy.q.fromlen) != 0)) { write_dns(dns_fd, &(dummy.q), "BADIP", 5); } else { if (read >= 18 && (memcmp(logindata, unpacked+1, 16) == 0)) { @@ -248,8 +249,8 @@ tunnel_dns(int tun_fd, int dns_fd) } /* Check sending ip number */ - if (dummy.q.fromlen != users[userid].addrlen || - memcmp(&(users[userid].host), &(dummy.q.from), dummy.q.fromlen) != 0) { + if (check_ip && (dummy.q.fromlen != users[userid].addrlen || + memcmp(&(users[userid].host), &(dummy.q.from), dummy.q.fromlen) != 0)) { write_dns(dns_fd, &(dummy.q), "BADIP", 5); } else { /* decode with this users encoding */ @@ -402,7 +403,7 @@ static void usage() { extern char *__progname; - printf("Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] [-d device] [-m mtu] " + printf("Usage: %s [-v] [-h] [-c] [-s] [-f] [-u user] [-t chrootdir] [-d device] [-m mtu] " "[-l ip address to listen on] [-p port] [-P password]" " tunnel_ip topdomain\n", __progname); exit(2); @@ -413,11 +414,13 @@ help() { extern char *__progname; printf("iodine IP over DNS tunneling server\n"); - printf("Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] [-d device] [-m mtu] " + printf("Usage: %s [-v] [-h] [-c] [-s] [-f] [-u user] [-t chrootdir] [-d device] [-m mtu] " "[-l ip address to listen on] [-p port] [-P password]" " tunnel_ip topdomain\n", __progname); printf(" -v to print version info and exit\n"); printf(" -h to print this help and exit\n"); + printf(" -c to disable check of client IP/port on each request\n"); + printf(" -s to skip creating and configuring the tun device which then has to be created manually\n"); printf(" -f to keep running in foreground\n"); printf(" -u name to drop privileges and run as user 'name'\n"); printf(" -t dir to chroot to directory dir\n"); @@ -463,6 +466,7 @@ main(int argc, char **argv) mtu = 1024; listen_ip = INADDR_ANY; port = 53; + check_ip = 1; skipipconfig = 0; b32 = get_base32_encoder(); @@ -478,11 +482,14 @@ main(int argc, char **argv) memset(password, 0, sizeof(password)); srand(time(NULL)); - while ((choice = getopt(argc, argv, "vsfhu:t:d:m:l:p:P:")) != -1) { + while ((choice = getopt(argc, argv, "vcsfhu:t:d:m:l:p:P:")) != -1) { switch(choice) { case 'v': version(); break; + case 'c': + check_ip = 0; + break; case 's': skipipconfig = 1; break;