Jan Taczanowski's tech blog

Preparing Raspberry Pi for building additional kernel modules.

01/11/2018 Jan Taczanowski 1 Comment

Today I was trying to build ipt-netflow kernel module on my Raspberry Pi with Raspbian linux. For hours I was stuck with proper system setup to make it ready for compiling additional kernel modules. The problem was with make prepare modules_prepare command which gives me such error:

root@raspberrypi:/usr/src/linux-headers-4.9.59+# make prepare modules_prepare
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
make[1]: *** No rule to make target 'arch/arm/tools/gen-mach-types', needed by 'include/generated/mach-types.h'.  Stop.
arch/arm/Makefile:315: recipe for target 'archprepare' failed
make: *** [archprepare] Error 2

root@raspberrypi:/usr/src/linux-headers-4.9.59+# make prepare modules_prepare

CHK include/config/kernel.release

CHK include/generated/uapi/linux/version.h

CHK include/generated/utsrelease.h

make[1]: *** No rule to make target 'arch/arm/tools/gen-mach-types', needed by 'include/generated/mach-types.h'. Stop.

arch/arm/Makefile:315: recipe for target 'archprepare' failed

make: *** [archprepare] Error 2

Google was not very helpful with this problem. Finally, basing on various trops, I got it worked. Uff.. Here is the proper way to setup Raspberry Pi for compiling additional kernel modules:

Install kernel headers and other tools:

apt-get update
apt-get install raspberrypi-kernel-headers module-assistant pkg-config libncurses5-dev

1 2	apt-get update apt-get install raspberrypi-kernel-headers module-assistant pkg-config libncurses5-dev

Install rpi-source tool. This downloading full kernel sources, not only kernel headers.

wget https://raw.githubusercontent.com/notro/rpi-source/master/rpi-source -O /usr/bin/rpi-source
chmod +x /usr/bin/rpi-source
/usr/bin/rpi-source -q --tag-update

wget https://raw.githubusercontent.com/notro/rpi-source/master/rpi-source -O /usr/bin/rpi-source

chmod +x /usr/bin/rpi-source

/usr/bin/rpi-source -q --tag-update

Install kernel sources (Lack of this was the cause of problems).

rpi-source --skip-gcc

1	rpi-source --skip-gcc

You will see something like that:

root@raspberrypi:/home/pi# rpi-source --skip-gcc

 *** Using: /usr/share/doc/raspberrypi-bootloader/changelog.Debian.gz

 *** Latest firmware revision: 12e0bf86e08d6067372bc0a45d7e8a10d3113210

 *** Linux source commit: 36612d5d7a88672a3e7dd6cb458dbbbca0d75efe

 *** Kernel source already installed: /root/linux-36612d5d7a88672a3e7dd6cb458dbbbca0d75efe

root@raspberrypi:/home/pi# rpi-source --skip-gcc

*** Using: /usr/share/doc/raspberrypi-bootloader/changelog.Debian.gz

*** Latest firmware revision: 12e0bf86e08d6067372bc0a45d7e8a10d3113210

*** Linux source commit: 36612d5d7a88672a3e7dd6cb458dbbbca0d75efe

*** Kernel source already installed: /root/linux-36612d5d7a88672a3e7dd6cb458dbbbca0d75efe

I suggest you create a symlink to /usr/src/linux:

ln -s /root/linux-36612d5d7a88672a3e7dd6cb458dbbbca0d75efe /usr/src/linux

1	ln -s /root/linux-36612d5d7a88672a3e7dd6cb458dbbbca0d75efe /usr/src/linux

Copy current kernel config to downloaded kernel sources and make oldconfig:

modprobe configs
cd /usr/src/linux
zcat /proc/config.gz > .config
make oldconfig

modprobe configs

cd /usr/src/linux

zcat /proc/config.gz > .config

make oldconfig

Run module assistant:

m-a prepare

1	m-a prepare

Prepare kernel for modules compilation:

make prepare modules_prepare

1	make prepare modules_prepare

After this steps I was able to compile third party kernel modules. 🙂
At the end I would like to highly recommend ipt-netflow kernel module – it is very robust solution for sending netflows from linux machines.

Transparent http proxy with Golang and tproxy

27/09/2018 Jan Taczanowski 3 Comments

Recently I started interesting in Go language. First impressions of programming in Go are very good. In short brief, I like simplicity of this language, that you can not complicate the code too much. Goroutines and channels looks promising as solution for concurrency, and it seems simple to use. Static compiled binaries are easy to deploy. Performance is good.

I would like to share description and simple implementation in Go of fully transparent reverse or forward http proxy.

Go standard libraries – net/http and net/http/httputil provides everything needed to implement it.
Below the simplest implementation of http proxy:

package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

func main() {
	log.Printf("Starting...")
	http.HandleFunc("/", ProxyFunc)
	log.Fatal(http.ListenAndServe(":8888", nil))
}

func ProxyFunc(w http.ResponseWriter, r *http.Request) {
	u, _ := url.Parse(r.URL.Scheme + "://" + r.URL.Host)
	proxy := httputil.NewSingleHostReverseProxy(u)
	proxy.ServeHTTP(w, r)

}

package main

import (

"log"

"net/http"

"net/http/httputil"

"net/url"

)

func main() {

log.Printf("Starting...")

http.HandleFunc("/", ProxyFunc)

log.Fatal(http.ListenAndServe(":8888", nil))

}

func ProxyFunc(w http.ResponseWriter, r *http.Request) {

u, _ := url.Parse(r.URL.Scheme + "://" + r.URL.Host)

proxy := httputil.NewSingleHostReverseProxy(u)

proxy.ServeHTTP(w, r)

}

Now, we can just set http proxy in browser and it will be working.

Transparent http proxy

But what if we want to to setup fully transparent proxy? For example: when we don’t want to configure manually browser on clients, but all outgoing http traffic should be pass by proxy for some reasons – logging, caching, make security scan for viruses etc. In this scenario transparent proxy is located between the client and the internet. Another use case of transparent http proxy is to set up it inline in communication between services in data center and performing some operations like traffic filtering, checking authorization etc.

System Configuration (routing table, tproxy)

I will describing scenario where http transparent proxy is acting on router which is the default gateway for my local network.
My network looks as follows:

+------------------------------------------+   +--------------------------------------------+
|                                          |   |                                            |
|                        +-----------------+---+----------------+                           |
|   Local network        |       Router, gateway on Linux       |     Wan Network           |
|   192.168.1.1/24 -->>  |           http proxy in Go           |     37.247.61.7 -->>      |
|   eth1                 |                                      |     eth0                  |
|                        +-----------------+---+----------------+                           |
|                                          |   |                                            |
+------------------------------------------+   +--------------------------------------------+

+------------------------------------------+ +--------------------------------------------+

| | | |

| +-----------------+---+----------------+ |

| Local network | Router, gateway on Linux | Wan Network |

| 192.168.1.1/24 -->> | http proxy in Go | 37.247.61.7 -->> |

| eth1 | | eth0 |

| +-----------------+---+----------------+ |

| | | |

+------------------------------------------+ +--------------------------------------------+

Tproxy will be use to redirect traffic.
Tproxy allows as to redirect traffic designated to remote location to the local process.

From Linux 4.18 tproxy is included in nf_tables.

How tproxy works in details is described here:
https://www.kernel.org/doc/Documentation/networking/tproxy.txt
https://powerdns.org/tproxydoc/tproxy.md.html
https://people.netfilter.org/hidden/nfws/nfws-2008-tproxy_slides.pdf

Configuration of routing table and tproxy:

# create new routing table and tell that 0.0.0.0/0 addresses range is a local addresses...
ip route add local 0.0.0.0/0 dev lo table 100

# redirect marked packets to table created above
ip rule add fwmark 1 lookup 100

# mark packets with dst port = 80 (and use route table 100) nad redirect to Go http proxy listening on 127.0.0.1:8888
iptables -t mangle -A PREROUTING -s 192.166.1.0/24 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8888 --on-ip 127.0.0.1

# create new routing table and tell that 0.0.0.0/0 addresses range is a local addresses...

ip route add local 0.0.0.0/0 dev lo table 100

# redirect marked packets to table created above

ip rule add fwmark 1 lookup 100

# mark packets with dst port = 80 (and use route table 100) nad redirect to Go http proxy listening on 127.0.0.1:8888

iptables -t mangle -A PREROUTING -s 192.166.1.0/24 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8888 --on-ip 127.0.0.1

Http proxy in Go

I had to wait for Go 1.11 to be able to create custom socket with IP_TRANSPARENT param. From Go 1.11 there is possible to pass socket option before start listening or dialing. ListenConfig provide this.
https://go-review.googlesource.com/c/go/+/72810
https://golang.org/pkg/net/#ListenConfig

The key in implementation is to create custom listener for http.Serve and use LocalAddrContextKey to get destinetion address to which client want to connect. In fact address:port values from http.LocalAddrContextKey, are the values from local socket dynamicly created by tproxy.

package main

import (
	"context"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"syscall"
)

//SetSocketOptions functions sets IP_TRANSPARENT flag on given socket (c syscall.RawConn)
func SetSocketOptions(network string, address string, c syscall.RawConn) error {

	var fn = func(s uintptr) {
		var setErr error
		var getErr error
		setErr = syscall.SetsockoptInt(int(s), syscall.SOL_IP, syscall.IP_TRANSPARENT, 1)
		if setErr != nil {
			log.Fatal(setErr)
		}

		val, getErr := syscall.GetsockoptInt(int(s), syscall.SOL_IP, syscall.IP_TRANSPARENT)
		if getErr != nil {
			log.Fatal(getErr)
		}
		log.Printf("value of IP_TRANSPARENT option is: %d", int(val))
	}
	if err := c.Control(fn); err != nil {
		return err
	}

	return nil

}

func main() {

	http.HandleFunc("/", TransparentHttpProxy)

	// here we are creating custom listener with transparent socket, possible with Go 1.11+
	lc := net.ListenConfig{Control: SetSocketOptions}
	listener, _ := lc.Listen(context.Background(), "tcp", ":8888")

	log.Printf("Starting http proxy")
	log.Fatal(http.Serve(listener, nil))

}

func TransparentHttpProxy(w http.ResponseWriter, r *http.Request) {

	director := func(target *http.Request) {
		target.URL.Scheme = "http"
		target.URL.Path = r.URL.Path
		target.Header.Set("Pass-Via-Go-Proxy", "1")
		/*
			Line below of this comment this is the quite tricky part of the configuration,
			necessary to make transparent proxy working.

			From http.LocalAddrContextKey we can get address:port destination of client requst.
			In fact address:port values from http.LocalAddrContextKey,
			are the values from socket dynamicly created by tproxy.
			This will be used to create a connection between the proxy and the destination,
			to which the client request will be pass.
		*/
		target.URL.Host = fmt.Sprint(r.Context().Value(http.LocalAddrContextKey))
	}
	proxy := &httputil.ReverseProxy{Director: director}
	proxy.ServeHTTP(w, r)

}

package main

import (

"context"

"fmt"

"log"

"net"

"net/http"

"net/http/httputil"

"syscall"

)

//SetSocketOptions functions sets IP_TRANSPARENT flag on given socket (c syscall.RawConn)

func SetSocketOptions(network string, address string, c syscall.RawConn) error {

var fn = func(s uintptr) {

var setErr error

var getErr error

setErr = syscall.SetsockoptInt(int(s), syscall.SOL_IP, syscall.IP_TRANSPARENT, 1)

if setErr != nil {

log.Fatal(setErr)

}

val, getErr := syscall.GetsockoptInt(int(s), syscall.SOL_IP, syscall.IP_TRANSPARENT)

if getErr != nil {

log.Fatal(getErr)

}

log.Printf("value of IP_TRANSPARENT option is: %d", int(val))

}

if err := c.Control(fn); err != nil {

return err

}

return nil

}

func main() {

http.HandleFunc("/", TransparentHttpProxy)

// here we are creating custom listener with transparent socket, possible with Go 1.11+

lc := net.ListenConfig{Control: SetSocketOptions}

listener, _ := lc.Listen(context.Background(), "tcp", ":8888")

log.Printf("Starting http proxy")

log.Fatal(http.Serve(listener, nil))

}

func TransparentHttpProxy(w http.ResponseWriter, r *http.Request) {

director := func(target *http.Request) {

target.URL.Scheme = "http"

target.URL.Path = r.URL.Path

target.Header.Set("Pass-Via-Go-Proxy", "1")

Line below of this comment this is the quite tricky part of the configuration,

necessary to make transparent proxy working.

From http.LocalAddrContextKey we can get address:port destination of client requst.

In fact address:port values from http.LocalAddrContextKey,

are the values from socket dynamicly created by tproxy.

This will be used to create a connection between the proxy and the destination,

to which the client request will be pass.

target.URL.Host = fmt.Sprint(r.Context().Value(http.LocalAddrContextKey))

}

proxy := &httputil.ReverseProxy{Director: director}

proxy.ServeHTTP(w, r)

}

Starting proxy:

router:/golang_proxy # go run proxy.go
2018/09/24 21:23:15 value of IP_TRANSPARENT option is: 1
2018/09/24 21:23:15 Starting http proxy

router:/golang_proxy # go run proxy.go

2018/09/24 21:23:15 value of IP_TRANSPARENT option is: 1

2018/09/24 21:23:15 Starting http proxy

Client from local network (192.168.1.6) is connecting to remote site on port 217.73.181.197:80. This connection is handled through the proxy.
Nestat is showing one very interesting thing:

router:~ # netstat -tpna | grep proxy | grep ESTABLISHED
tcp        0      0 37.247.61.7:57554       217.73.181.197:80       ESTABLISHED 12777/proxy
tcp        0      0 217.73.181.197:80       192.168.1.6:59752       ESTABLISHED 12777/proxy

router:~ # netstat -tpna | grep proxy | grep ESTABLISHED

tcp 0 0 37.247.61.7:57554 217.73.181.197:80 ESTABLISHED 12777/proxy

tcp 0 0 217.73.181.197:80 192.168.1.6:59752 ESTABLISHED 12777/proxy

Tproxy created tcp socket with remote site address (217.73.181.197:80) on my local machine. My router has only 192.168.1.1 and 37.247.61.7 addresses, routing table 100 does the job.
Go http proxy after receive request from client (192.168.1.6), made a connection to exactly the same address:port as it received. MAGIC! 🙂

Securing Asterisk SIP PBX by simple iptables rule checking if the domain is correct

01/05/2018 Jan Taczanowski 14 Comments

Hi,

For some time I’ve been looking for a simple way to protect my Asterisk SIP pbx against attacks from bots, scanners which scans and trying dialing to premium numbers. Opening SIP port to the internet causes that there was no one minute without suspect requests hitting my Asterisk. The log was full of that attempts.

While analyzing this problem I noticed that bots, scanners, attackers using everywhere IP address of my server to trying break it. While my proper clients using domain of my Asterisk server. If user is using domain name in his SIP client/phone,this domain is used in further communication on SIP protocol.

Below I will show example of INVITE (INVITE is using to establish VoIP call) SIP request from user using domain name (sip.example.com), and from user using IP address (10.10.10.10) of Asterisk server.

With domain:

INVITE sip:202@sip.example.com:5060 SIP/2.0
Accept: application/conference-info+xml, application/sdp, message/sipfrag, multipart/mixed
Via: SIP/2.0/UDP 192.168.50.118:5071;branch=z9hG4bKe0aa06e32b6841d20.8df0298f12545d84a;rport
Route: <sip:sip.example.com:5060;lr>
Max-Forwards: 70
From: "107" <sip:107@sip.example.com:5060>;tag=d04f22eca5
To: <sip:202@sip.example.com:5060>;tag=as5bf765cf
Call-ID: 01f0d32f2156bb22
CSeq: 1027520776 INVITE

INVITE sip:202@sip.example.com:5060 SIP/2.0

Accept: application/conference-info+xml, application/sdp, message/sipfrag, multipart/mixed

Via: SIP/2.0/UDP 192.168.50.118:5071;branch=z9hG4bKe0aa06e32b6841d20.8df0298f12545d84a;rport

Route: <sip:sip.example.com:5060;lr>

Max-Forwards: 70

From: "107" <sip:107@sip.example.com:5060>;tag=d04f22eca5

To: <sip:202@sip.example.com:5060>;tag=as5bf765cf

Call-ID: 01f0d32f2156bb22

CSeq: 1027520776 INVITE

With IP address:

INVITE sip:202@10.10.10.10:5060 SIP/2.0
Accept: application/conference-info+xml, application/sdp, message/sipfrag, multipart/mixed
Via: SIP/2.0/UDP 192.168.50.118:5071;branch=z9hG4bKe0aa06e32b6841d20.8df0298f12545d84a;rport
Route: <sip:10.10.10.10:5060;lr>
Max-Forwards: 70
From: "107" <sip:107@10.10.10.10:5060>;tag=d04f22eca5
To: <sip:202@10.10.10.10:5060>;tag=as5bf765cf
Call-ID: 01f0d32f2156bb22
CSeq: 1027520776 INVITE

INVITE sip:202@10.10.10.10:5060 SIP/2.0

Accept: application/conference-info+xml, application/sdp, message/sipfrag, multipart/mixed

Via: SIP/2.0/UDP 192.168.50.118:5071;branch=z9hG4bKe0aa06e32b6841d20.8df0298f12545d84a;rport

Route: <sip:10.10.10.10:5060;lr>

Max-Forwards: 70

From: "107" <sip:107@10.10.10.10:5060>;tag=d04f22eca5

To: <sip:202@10.10.10.10:5060>;tag=as5bf765cf

Call-ID: 01f0d32f2156bb22

CSeq: 1027520776 INVITE

Knowing that, I want to block requests to Asterisk server which are NOT contains my domain name. In this point I want to clarify that I have special subdomain for telephones. Bots, scanners, attackers are not knowing about this domain.
Blocking unwanted requests can be done by iptables rules with string matching.

# UDP port 5060 rule
# Allow for currently established SIP connection
iptables -A INPUT -i eth0 -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow for packets witch contain my domain name
iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "sip.example.com" --algo bm -j ACCEPT
# Drop other packets (without my domain)
iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "INVITE sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p udp --dport 5060 -j DROP

# UDP port 5060 rule

# Allow for currently established SIP connection

iptables -A INPUT -i eth0 -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow for packets witch contain my domain name

iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "sip.example.com" --algo bm -j ACCEPT

# Drop other packets (without my domain)

iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP

iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "INVITE sip:" --algo bm -j DROP

iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP

iptables -A INPUT -i eth0 -p udp --dport 5060 -j DROP

# TCP port 5060 rule
# Allow for packet which contain my domain name
iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "sip.example.com" --algo bm -j ACCEPT
# Block other SIP request like REGISTER INVITE OPTION if they not contain my domain name
iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "INVITE sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP
# Allow to establish TCP connection and other packets then REGISTER INVITE OPTIONS (without domain)
iptables -A INPUT -i eth0 -p tcp --dport 5060 -j ACCEPT

# TCP port 5060 rule

# Allow for packet which contain my domain name

iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "sip.example.com" --algo bm -j ACCEPT

# Block other SIP request like REGISTER INVITE OPTION if they not contain my domain name

iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "INVITE sip:" --algo bm -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP

# Allow to establish TCP connection and other packets then REGISTER INVITE OPTIONS (without domain)

iptables -A INPUT -i eth0 -p tcp --dport 5060 -j ACCEPT

Differences between rules result from different approach between TCP and UDP protocols when establishing a connection. TCP need to do three way handshake to establish connection, UDP not doing this.

After applying these rules, I did not see even one attack 🙂
At the and we can check increasing iptables counters:

asterisk:~ # iptables -nvL
Chain INPUT (policy ACCEPT 74700 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   50 42859 ACCEPT     tcp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060 STRING match  "sip.example.com"
   14 10038 DROP       tcp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060 STRING match  "REGISTER sip:"
    0     0 DROP       tcp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060 STRING match  "INVITE sip:"
    0     0 DROP       tcp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060 STRING match  "OPTIONS sip:"
  685  215K ACCEPT     tcp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060
   51 32475 ACCEPT     udp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 state RELATED,ESTABLISHED
    2  1487 ACCEPT     udp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "sip.example.com"
   10  6930 DROP       udp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "REGISTER sip:"
    0     0 DROP       udp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "INVITE sip:"
    4  1725 DROP       udp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "OPTIONS sip:"
    2    64 DROP       udp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060

asterisk:~ # iptables -nvL

Chain INPUT (policy ACCEPT 74700 packets, 24M bytes)

pkts bytes target prot opt in out source destination

50 42859 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 STRING match "sip.example.com"

14 10038 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 STRING match "REGISTER sip:"

0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 STRING match "INVITE sip:"

0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 STRING match "OPTIONS sip:"

685 215K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060

51 32475 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 state RELATED,ESTABLISHED

2 1487 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sip.example.com"

10 6930 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "REGISTER sip:"

0 0 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "INVITE sip:"

4 1725 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "OPTIONS sip:"

2 64 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060

Strongswan IPsec on LEDE/OpenWRT with fast-classifier and shortcut-fe modules

10/02/2018 Jan Taczanowski 5 Comments

I have using TP-Link TL-WDR4300 router with LEDE software. Recently, thanks to fast-classifier and shortcut-fe modules the router got a second life 🙂 To my surprise after loading fast-classifier modules it can be able to pass 500Mb/s over NAT, which is absolutely great result 🙂

But after that I noticed that my site-to-site IPsec tunnel, based on Strongswan stopped working properly… Ping was working, tcp connections over tunnel could be established, but after passing some tcp packets the connection freezes. I suspected a problem with MTU, but that was not it.
After unload kmod-fast-classifier and kmod-shortcut-fe tunnel was working properly. I’m started to reading source code of fast-classifier and shortcut-fe modules. I found that:

/*
* Don't process packets that aren't being tracked by conntrack.
*/
ct = nf_ct_get(skb, &ctinfo);
if (unlikely(!ct)) {
    fast_classifier_incr_exceptions(FAST_CL_EXCEPTION_NO_CT);
    DEBUG_TRACE("no conntrack connection, ignoring\n");
    return NF_ACCEPT;
}
/*
* Don't process untracked connections.
*/
if (unlikely(nf_ct_is_untracked(ct))) {
    fast_classifier_incr_exceptions(FAST_CL_EXCEPTION_CT_NO_TRACK);
    DEBUG_TRACE("untracked connection\n");
    return NF_ACCEPT;
}

* Don't process packets that aren't being tracked by conntrack.

ct = nf_ct_get(skb, &ctinfo);

if (unlikely(!ct)) {

fast_classifier_incr_exceptions(FAST_CL_EXCEPTION_NO_CT);

DEBUG_TRACE("no conntrack connection, ignoring\n");

return NF_ACCEPT;

}

* Don't process untracked connections.

if (unlikely(nf_ct_is_untracked(ct))) {

fast_classifier_incr_exceptions(FAST_CL_EXCEPTION_CT_NO_TRACK);

DEBUG_TRACE("untracked connection\n");

return NF_ACCEPT;

}

I realized that the offloading which is doing by fast-classifier and shortcut-fe is basing on conntrack table. The next thought was that conntrack is needed to realize NAT. Only connection between my LAN and internet (WAN) should be tracked and should be in conntrack table. I don’t need to track connection beetween my local nets connected through site-to-site vpn! Connections between my local nets can be realized only based on routing table. I decided to disable conntrack for my local nets and see if it solved my problem.
My network looks as follows:

(router with LEDE) [192.168.0.0/24 | WAN IP] <<--IPsec tunnel over internet-->> [WAN IP | 192.168.1.0/24] (remote network)

1	(router with LEDE) [192.168.0.0/24 \| WAN IP] <<--IPsec tunnel over internet-->> [WAN IP \| 192.168.1.0/24] (remote network)

Strongswan configuration: /etc/ipsec.conf (192.168.0.0/24)

conn site_to_site_ipsec_tunnel
  dpdaction=clear
  dpddelay=20s
  authby=secret
  auto=add
  keyexchange=ikev2
  fragmentation=yes
  left=%any
  leftid=%any
  leftsubnet=192.168.0.0/24
  right=%any
  rightsubnet=192.168.1.0/24
  rightid=%any

conn site_to_site_ipsec_tunnel

dpdaction=clear

dpddelay=20s

authby=secret

auto=add

keyexchange=ikev2

fragmentation=yes

left=%any

leftid=%any

leftsubnet=192.168.0.0/24

right=%any

rightsubnet=192.168.1.0/24

rightid=%any

Strongswan configuration: /etc/ipsec.conf (192.168.1.0/24)

conn site_to_site_ipsec_tunnel
  authby=secret
  auto=start
  closeaction=restart
  dpddelay=20
  dpdaction=restart
  keyexchange=ikev2
  keyingtries=%forever
  fragmentation=yes
  left=%defaultroute
  leftsubnet=192.168.1.0/24
  right=<IP address of my IPsec gateway>
  rightid=%any
  rightsubnet=192.168.0.0/24

conn site_to_site_ipsec_tunnel

authby=secret

auto=start

closeaction=restart

dpddelay=20

dpdaction=restart

keyexchange=ikev2

keyingtries=%forever

fragmentation=yes

left=%defaultroute

leftsubnet=192.168.1.0/24

right=<IP address of my IPsec gateway>

rightid=%any

rightsubnet=192.168.0.0/24

File with secrets is the same on booth sides. /etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file
%any %any : PSK "mypassword"

1 2	# /etc/ipsec.secrets - strongSwan IPsec secrets file %any %any : PSK "mypassword"

Excluding particular connections from conntrack can be done by iptables with raw and conntrack module – I had to install them earlier.

opkg update
opkg install iptables-mod-conntrack-extra kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-raw

1 2	opkg update opkg install iptables-mod-conntrack-extra kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-raw

I excluded whole local network class – 192.168.0/0/12

iptables -t raw -A PREROUTING -s 192.168.0.0/12 -d 192.168.0.0/12 -j CT --notrack

1	iptables -t raw -A PREROUTING -s 192.168.0.0/12 -d 192.168.0.0/12 -j CT --notrack

Now my IPsec tunnel started passing traffic properly! 🙂 And there is no connections from my localnets in conntrack! (so fast-classifier not offloading this connections).
The only issue was that I was unable to connect to LEDE router (192.168.0.1) from my remote network behind IPsec tunnel. I resolved that by exclude IP of router from iptables rule:

iptables -t raw -A PREROUTING -m iprange --src-range 192.168.0.2-192.168.1.254 --dst-range 192.168.0.2-192.168.1.254 -j CT --notrack

1	iptables -t raw -A PREROUTING -m iprange --src-range 192.168.0.2-192.168.1.254 --dst-range 192.168.0.2-192.168.1.254 -j CT --notrack

I had to install iprange module before:

opkg install iptables-mod-iprange

1	opkg install iptables-mod-iprange

Now I can enjoy very fast internet connection with fast-classifier and fully working strongswan IPsec vpn connections 🙂