
Version 13 (modified by guest, 5 years ago)

Added iptables rules to make raw login work (vjt@…)

Tips and tricks

Separating iodine traffic to a different port

iptables can be configured to inspect packets and filter on specific byte strings found inside the payload. This can be used to separate iodine traffic from other DNS traffic and redirect it to a different port internally.

iptables -t nat -A PREROUTING -p udp --dport 53 -m string --algo bm --from 20 --hex-string "|024a4a0364615000|" -j REDIRECT --to-ports 5353

Here the hex data is found by inspecting your own iodine traffic. See more at http://www.wormnet.eu/dns/vpn

To make raw login work, you must match two different parts of the DNS packet; this can be done by marking packets with the MARK target and redirecting on the combined mark:

iptables -t mangle -A PREROUTING -p udp --dport 53 -m string --algo bm --from 0 --hex-string "|45000030|" -j MARK --or-mark 2
iptables -t mangle -A PREROUTING -p udp --dport 53 -m string --algo bm --from 12 --hex-string "|50437506|" -j MARK --or-mark 1
iptables -t nat -A PREROUTING -p udp --dport 53 -m mark --mark 0x3 -j REDIRECT --to-ports 5353

Running together with BIND9

iodined must be started with "-p 5353", since 53/udp is used by BIND, and BIND must be configured to forward requests for the tunnel domain to it:

zone "i.xxx.yyy" {
 type forward;
 forwarders{
  127.0.0.1 port 5353;
 };
};

Note that this requires recursion to be enabled for the client. This can be enabled by inserting

allow-recursion { any; };

into your named.conf (/etc/bind/named.conf.options by default on Debian), but be aware that this turns your DNS server into an open resolver.

Running on another port

If port 53 on a specific interface is taken by an application that does not actually use it, use -p on iodined to specify an alternate port (for instance -p 5353) and use iptables (on Linux) to forward the traffic:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to :5353

(Sent in by Tom Schouten)

Routing script for OS X, Linux and FreeBSD

http://www.doeshosting.com/code/NStun.sh
(by krzee)

iodine-jigger script from the debian package

http://svn.toastfreeware.priv.at/wsvn/ToastfreewareDebian/iodine/trunk/debian/iodine-jigger

Routing script for WIN32

It is a shell script. You need Unix Tools installed and on your PATH environment variable. (Note: the script seems to be written for the French version of Windows; you may need to adjust the strings it greps for.)
To launch it, use the command "sh iodine.sh". If you have a problem, launch it with "sh -xv iodine.sh" and we will be able to help you on IRC!
The server must be running with the "-c" option.
After closing the tunnel, you can restore the routes with "ipconfig /release" followed by "ipconfig /renew".

iodine.sh:

#!/bin/sh
# iodine.sh: Windows routing script, run as "sh iodine.sh" with Unix Tools

DOMAIN=mytunnel.mydomain.com
PASSWORD=XXXXX

# Labels as printed by "ipconfig /all" in this Windows locale (French);
# change them to match yours, e.g. "Default Gateway" and "DNS Servers".
GATEWAY_LABEL="Passerelle"
DNS_LABEL="Serveurs DNS"

PATH="$PATH;./"
IODINE=`which iodine.exe`
GREP=`which grep`
CUT=`which cut`
RT=`which route`
IPCONFIG=`which ipconfig`

# Use the first matching adapter line only, take the value after the
# colon, and strip spaces and the carriage return in Windows output
# (head and tr come from the same Unix Tools package).
GATEWAY=`$IPCONFIG /all | $GREP "$GATEWAY_LABEL" | head -n 1 | $CUT -d ":" -f2 | tr -d " \r"`
DNS=`$IPCONFIG /all | $GREP "$DNS_LABEL" | head -n 1 | $CUT -d ":" -f2 | tr -d " \r"`

# Drop the default route and add a host route to the DNS server via the
# real gateway, so the DNS queries carrying the tunnel still reach it.
$RT delete 0.0.0.0
#$RT add $DNS MASK 255.255.255.255 $GATEWAY
$RT add $DNS $GATEWAY

# Start the tunnel in the foreground (-f) with the given password (-P).
$IODINE -f -P "$PASSWORD" $DNS $DOMAIN
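The script above greps "ipconfig /all" for French labels and cuts on the first colon, which breaks on other locales, on multiple DNS servers and on IPv6 addresses. The following function, added here as an example and not part of the wiki's iodine.sh, extracts a field for any locale label, keeps only the first adapter's value and tolerates the CRLF line endings Windows emits. The names ipconfig_field, sample_ipconfig, gateway_from_sample and dns_from_sample, and the sample ipconfig output with its addresses, are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not the wiki's iodine.sh): pull the gateway and first DNS
# server out of "ipconfig /all" output for any Windows locale.

# $1 is the label as your locale prints it ("Passerelle", "Default Gateway",
# "Serveurs DNS", "DNS Servers", ...); ipconfig output is read from stdin.
# Only the first matching adapter line is used; the value is everything
# after the first colon (so IPv6 addresses survive), with spaces, tabs and
# carriage returns removed.
ipconfig_field() {
    tr -d '\r' | grep -- "$1" | head -n 1 | sed 's/^[^:]*: *//' | tr -d ' \t'
}

# Constructed sample of French "ipconfig /all" output with CRLF line
# endings and two DNS servers. On Windows you would pipe the real command:
#   ipconfig /all | ipconfig_field "Passerelle"
sample_ipconfig() {
    printf '   Passerelle par defaut. . . . . . . . . : 192.168.1.1\r\n'
    printf '   Serveurs DNS. . . . . . . . . . . . . : 192.168.1.53\r\n'
    printf '                                          192.168.1.54\r\n'
}

gateway_from_sample() { sample_ipconfig | ipconfig_field "Passerelle"; }
dns_from_sample()     { sample_ipconfig | ipconfig_field "Serveurs DNS"; }

echo "gateway: $(gateway_from_sample)"
echo "dns:     $(dns_from_sample)"
```

In the routing script the two grep/cut pipelines would become `$IPCONFIG /all | ipconfig_field "$GATEWAY_LABEL"` and `$IPCONFIG /all | ipconfig_field "$DNS_LABEL"`, with the labels set once at the top for the local Windows language.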