mmlb7 has joined #nixos-on-your-router
codyopel has joined #nixos-on-your-router
dtz has joined #nixos-on-your-router
codyopel has quit [Read error: Connection reset by peer]
dtz has quit [Read error: Connection reset by peer]
codyopel has joined #nixos-on-your-router
dtz has joined #nixos-on-your-router
<gchristensen> I need to fill a big gap in my brain about how to work with iptables, and how to debug when things don't work
<gchristensen> specifically around tap/tun/bridges and NAT
<gchristensen> any good books or something?
<sphalerite> tcpdump all the things! :p
<cransom> +1. tcpdump and logging help a lot.
<gchristensen> so I've tried that
<gchristensen> but it doens't seem to dump data over br0 or tap0
<gchristensen> maybe it does :|
<gchristensen> some of my filters were over-filtering
<gchristensen> is there a way to express "not port 22 and not host my.ip.add.r" except where both must be true for the data to be skipped?
<gchristensen> what does logging mean specifically?
<cransom> you can log the dropped packets from iptables to see if it's iptables doing that.
<gchristensen> aye, so I think I've done that
<cransom> i'm having troube parsing the 'except where both must be true for the data to be skipped'
<gchristensen> ah
<gchristensen> it seems that if I do "not port 22 and not host x.x.x.x" that if it is port 22 traffic, it is dropped
<gchristensen> if it is traffic to my host, it is dropped
<cransom> you can add in src and dst as well to both of those to filter more accurately.
<cransom> like, not dst (maybe dest?) host my.ip and not dst port 22 that would filter just the ssh to your host.
<clever> gchristensen: it might be parsing your expr as "not (port 22 and not host x.x.x.x)"
<clever> gchristensen: and it may or may not help to try `-d`, tcpdump -d "not port 22 and not host"
<gchristensen> hmmm cool
<clever> (001) jeq #0x86dd jt 2 jf 10
<clever> jumptrue, jumpfalse
<clever> (000) ldh [12]
<clever> its testing if byte 12 is 86dd, but in my wiresharkl i see an 0800 at roughly that offset
<clever> (010) jeq #0x800 jt 11 jf 26
<clever> and when false, it tests for that next
<clever> and 0x800 means its ipv4
<clever> (011) ldb [23]
<clever> (013) jeq #0x6 jt 15 jf 14
<clever> (012) jeq #0x84 jt 15 jf 13
<clever> offset 23 is then the protocol within the IP packet (0x6, in my case, tcp)
<clever> but the filter will also accept 0x84 (unknown) and 0x11 (udp)
<clever> (015) ldh [20]
<clever> (016) jset #0x1fff jt 22 jf 17
<clever> gchristensen: then it tests the flags field in the tcp header, which is set to 0x4000, and i start to get lost
<clever> (022) ld [26]
<clever> (023) jeq #0x1020304 jt 32 jf 24
<clever> gchristensen: and here, its checking the src ip against
<clever> i can see appearing 4 times, for the tcp src/dst, and udp src/dst
<gchristensen> :o
<clever> each has its own offset, you didnt say which to match against, and the BPF syntax is too dumb to "just check the ip"
<clever> so tcpdump compiles it into 4 seperate checks
<gchristensen> :o
<gchristensen> my god
<clever> gchristensen: and if your feeling nuts, i think you can define your own BPF script!!
<gchristensen> nooope