#nixos-on-your-router on 2019-04-16

00:21 mmlb7 has joined #nixos-on-your-router

11:49 codyopel has joined #nixos-on-your-router

12:21 dtz has joined #nixos-on-your-router

14:05 codyopel has quit [Read error: Connection reset by peer]

14:06 dtz has quit [Read error: Connection reset by peer]

14:32 codyopel has joined #nixos-on-your-router

14:52 dtz has joined #nixos-on-your-router

18:55 <gchristensen> I need to fill a big gap in my brain about how to work with iptables, and how to debug when things don't work

18:55 <gchristensen> specifically around tap/tun/bridges and NAT

18:55 <gchristensen> any good books or something?

19:09 <sphalerite> tcpdump all the things! :p

19:10 <cransom> +1. tcpdump and logging help a lot.

19:37 <gchristensen> so I've tried that

19:37 <gchristensen> but it doens't seem to dump data over br0 or tap0

19:38 <gchristensen> maybe it does :|

19:38 <gchristensen> some of my filters were over-filtering

19:39 <gchristensen> is there a way to express "not port 22 and not host my.ip.add.r" except where both must be true for the data to be skipped?

19:45 <gchristensen> what does logging mean specifically?

19:50 <cransom> you can log the dropped packets from iptables to see if it's iptables doing that.

19:50 <gchristensen> aye, so I think I've done that

19:51 <cransom> i'm having troube parsing the 'except where both must be true for the data to be skipped'

19:51 <gchristensen> ah

19:52 <gchristensen> it seems that if I do "not port 22 and not host x.x.x.x" that if it is port 22 traffic, it is dropped

19:52 <gchristensen> if it is traffic to my host, it is dropped

19:53 <cransom> you can add in src and dst as well to both of those to filter more accurately.

19:54 <cransom> like, not dst (maybe dest?) host my.ip and not dst port 22 that would filter just the ssh to your host.

22:55 <clever> gchristensen: it might be parsing your expr as "not (port 22 and not host x.x.x.x)"

22:58 <clever> gchristensen: and it may or may not help to try `-d`, tcpdump -d "not port 22 and not host 1.2.3.4"

22:58 <gchristensen> hmmm cool

22:59 <clever> (001) jeq #0x86dd jt 2 jf 10

22:59 <clever> jumptrue, jumpfalse

23:00 <clever> (000) ldh [12]

23:00 <clever> its testing if byte 12 is 86dd, but in my wiresharkl i see an 0800 at roughly that offset

23:00 <clever> (010) jeq #0x800 jt 11 jf 26

23:00 <clever> and when false, it tests for that next

23:01 <clever> and 0x800 means its ipv4

23:02 <clever> (011) ldb [23]

23:02 <clever> (013) jeq #0x6 jt 15 jf 14

23:02 <clever> (012) jeq #0x84 jt 15 jf 13

23:02 <clever> offset 23 is then the protocol within the IP packet (0x6, in my case, tcp)

23:03 <clever> but the filter will also accept 0x84 (unknown) and 0x11 (udp)

23:04 <clever> (015) ldh [20]

23:04 <clever> (016) jset #0x1fff jt 22 jf 17

23:05 <clever> gchristensen: then it tests the flags field in the tcp header, which is set to 0x4000, and i start to get lost

23:05 <clever> (022) ld [26]

23:05 <clever> (023) jeq #0x1020304 jt 32 jf 24

23:05 <clever> gchristensen: and here, its checking the src ip against 1.2.3.4

23:07 <clever> i can see 1.2.3.4 appearing 4 times, for the tcp src/dst, and udp src/dst

23:09 <gchristensen> :o

23:13 <clever> each has its own offset, you didnt say which to match against, and the BPF syntax is too dumb to "just check the ip"

23:13 <clever> so tcpdump compiles it into 4 seperate checks

23:17 <gchristensen> :o

23:17 <gchristensen> my god

23:19 <clever> gchristensen: and if your feeling nuts, i think you can define your own BPF script!!

23:19 <gchristensen> nooope