
Version 14 (modified by guest, 6 years ago)

Improve presentation of the iodine side-by-side to another DNS server solution (vjt@…)

Tips and tricks

Running iodine side-by-side with another DNS server

iodined must run on a port other than 53, and iptables can inspect packets and match on specific byte strings inside them. This can be used to separate iodine traffic from other DNS traffic and redirect it to the iodine port:

iptables -t nat -A PREROUTING -p udp --dport 53 -m string --algo bm --from 20 --hex-string "|024a4a0364615000|" -j REDIRECT --to-ports 5353

The hex string is your subdomain in network byte order; you can find it by inspecting your iodine traffic with tcpdump(8). See http://www.wormnet.eu/dns/vpn for more details.
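The hex string above is the query name as it appears on the wire: each label is prefixed by its length byte and the name ends with a zero byte (the example string decodes to the labels JJ and daP). The following added shell example, which is not part of the iodine wiki or the iodine project, computes that encoding for a given domain and prints the corresponding REDIRECT rule. The domain and port are placeholders, and the rule is only printed, never applied.

```shell
#!/bin/sh
# Added example (not from the iodine wiki): build the --hex-string argument
# for the iptables string match from a domain name and print the nat rule.
# Assumptions: "JJ.daP" and port 5353 are placeholders; nothing is applied.

# Encode a domain name the way it appears in a DNS question: each label is
# prefixed by its length byte, and the name is terminated by a zero byte.
dns_wire_hex() {
    name=$1
    out=""
    oldifs=$IFS
    IFS='.'
    for label in $name; do
        len=${#label}
        # the label's bytes as lowercase hex, with od's spacing removed
        hexlabel=$(printf '%s' "$label" | od -An -tx1 | tr -d ' \n')
        out="$out$(printf '%02x' "$len")$hexlabel"
    done
    IFS=$oldifs
    printf '%s00' "$out"
}

# Print the nat rule that redirects matching queries to iodined's port.
# --from 20 is kept as on the page: the search starts after the IPv4 header.
redirect_rule() {
    domain=$1
    port=$2
    printf 'iptables -t nat -A PREROUTING -p udp --dport 53 -m string --algo bm --from 20 --hex-string "|%s|" -j REDIRECT --to-ports %s\n' \
        "$(dns_wire_hex "$domain")" "$port"
}

# Placeholder domain: reproduces the hex string used on this page.
redirect_rule "JJ.daP" 5353
```

Running dns_wire_hex on your own tunnel domain should reproduce the bytes you see in tcpdump -X output. Two caveats: the bm string match is case-sensitive, so a query whose label case has been altered by an intermediate resolver will not match unless you add --icase, and any query containing that byte sequence anywhere in the packet is redirected to iodined, not only queries for your tunnel domain.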

The rule above does not allow raw logins, because raw-mode packets do not contain the DNS subdomain; they do, however, still contain static bytes that can be matched. Because the two static strings enclose variable data, you must match two different parts of the packet. This can be done with packet marking:

iptables -t mangle -A PREROUTING -p udp --dport 53 -m string --algo bm --from 0 --hex-string "|45000030|" -j MARK --or-mark 2
iptables -t mangle -A PREROUTING -p udp --dport 53 -m string --algo bm --from 12 --hex-string "|50437506|" -j MARK --or-mark 1
iptables -t nat -A PREROUTING -p udp --dport 53 -m mark --mark 0x3 -j REDIRECT --to-ports 5353

Running iodine behind BIND9

iodined must be started with "-p 5353", since 53/udp is used by BIND, and BIND must be configured to forward requests for the tunnel domain to it:

zone "i.xxx.yyy" {
  type forward;
  forwarders {
    127.0.0.1 port 5353;
  };
};

Note that this requires recursion to be enabled for the client. This can be enabled by inserting

allow-recursion { any; };

into your named.conf (/etc/bind/named.conf.options by default on Debian). Be aware that this turns your DNS server into an open resolver (the DNS equivalent of an open relay), which is why it is discouraged.

Running on another port

If port 53 on a specific interface is already bound by an application that does not actually use it there, use -p on iodined to specify an alternate port (for example -p 5353) and use iptables (on Linux), for instance, to forward the traffic:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to :5353

(Sent in by Tom Schouten)

Routing script for OS X, Linux and FreeBSD

 http://www.doeshosting.com/code/NStun.sh
(by krzee)

iodine-jigger script from the debian package

 http://svn.toastfreeware.priv.at/wsvn/ToastfreewareDebian/iodine/trunk/debian/iodine-jigger

Routing script for WIN32

It is a shell script. You need Unix Tools and must set the PATH environment variable. (Note: the script seems to have been written for the French version of Windows, so you may need to adjust the strings it searches for.)
To launch it, run "sh iodine.sh". If you run into a problem, launch it with "sh -xv iodine.sh" and we will be able to help you on IRC.
The server must be started with the "-c" option.
After closing the tunnel, you can restore the routes with "ipconfig /release" followed by "ipconfig /renew".

iodine.sh :

#!/bin/sh
# Tunnel domain and password, as configured on the iodined server
DOMAIN=mytunnel.mydomain.com
PASSWORD=XXXXX

# Also look for iodine.exe and the Unix tools in the current directory
PATH="$PATH;./"
IODINE=`which iodine.exe`
GREP=`which grep`
CUT=`which cut`
RT=`which route`
IPCONFIG=`which ipconfig`
# Default gateway and DNS server taken from "ipconfig /all". The patterns
# ("Passerelle" = gateway, "Serveurs DNS" = DNS servers) match the French
# version of Windows and must be adjusted for other languages.
GATEWAY=`$IPCONFIG /all | $GREP "Passerelle" | $CUT -d ":" -f2`
DNS=`$IPCONFIG /all | $GREP "Serveurs DNS" | $CUT -d ":" -f2`

# Drop the default route and keep the DNS server reachable through the
# original gateway, so the tunnel's own queries still reach it once the
# default route is moved onto the tunnel
$RT delete 0.0.0.0
#$RT add $DNS MASK 255.255.255.255 $GATEWAY
$RT add $DNS $GATEWAY

# Start the client in the foreground (-f) with the tunnel password (-P)
$IODINE -fP "$PASSWORD" $DNS $DOMAIN
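The same routing steps, written for Linux with ip(8), as an added example that is not part of the iodine wiki or the iodine project: read the current default route, pin the DNS server to the original gateway, then move the default route onto the tunnel, with a matching teardown. The DNS server and tunnel peer addresses, the "dns0" interface name and the sample route line are all constructed placeholders; with DRY_RUN=1 (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example (not from the iodine wiki): Linux equivalent of the Windows
# routing script above, using ip(8). Assumptions: 198.51.100.53 (DNS server),
# 10.0.0.1 (tunnel peer) and dns0 are placeholders; DRY_RUN=1 prints commands.

DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Gateway address from a line like "default via 192.0.2.1 dev eth0 ...".
# The line is passed in as text so the parsing can be exercised offline.
gateway_from_route() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# Outgoing interface from the same line.
dev_from_route() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Host route for the DNS server through the original gateway, so the tunnel's
# own DNS queries never loop into the tunnel, then the default via the peer.
tunnel_up() {
    route_line=$1; dns=$2; peer=$3
    gw=$(gateway_from_route "$route_line")
    dev=$(dev_from_route "$route_line")
    [ -n "$gw" ] && [ -n "$dev" ] || { echo "no default route found" >&2; return 1; }
    run ip route add "$dns/32" via "$gw" dev "$dev"
    run ip route replace default via "$peer" dev dns0
}

# Undo: drop the host route and restore the original default route.
tunnel_down() {
    route_line=$1; dns=$2
    gw=$(gateway_from_route "$route_line")
    dev=$(dev_from_route "$route_line")
    [ -n "$gw" ] && [ -n "$dev" ] || { echo "no default route found" >&2; return 1; }
    run ip route del "$dns/32"
    run ip route replace default via "$gw" dev "$dev"
}

# Constructed sample of "ip route show default" output, used for the dry run.
SAMPLE_ROUTE="default via 192.0.2.1 dev eth0 proto dhcp metric 100"

tunnel_up "$SAMPLE_ROUTE" 198.51.100.53 10.0.0.1
```

On a real host, capture the route line once before bringing the tunnel up, for example ROUTE_LINE=$(ip route show default | head -n 1), and pass the same line to tunnel_down afterwards; running with DRY_RUN=0 executes the commands, which need root.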