[SLUG] route traffic through multiple interfaces

2008-09-04 Thread Chris Zhang
Hi list,


Suppose I have two NICs on one host, NIC A and NIC B. Is it possible to get
all traffic to use A, and then route them through B, and finally to outside,
without the aid of iptables or anything similar, e.g. just by changing the
routing table? Suppose IP forwarding works.


Just out of curiosity, does anyone know how iPhone restricts VOIP traffic
over 3G technically? Suppose one can make a tunnel, e.g. IPSec, PPTP (which
iPhone has native support), to a VPN endpoint, e.g. home computer through
3G. Is it possible to then run a VOIP app inside the tunnel?


Thanks,


Chris
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] route traffic through multiple interfaces

2008-09-04 Thread Alex Samad
On Thu, Sep 04, 2008 at 08:50:39PM +1000, Chris Zhang wrote:
 Hi list,
 
 
 Suppose I have two NICs on one host, NIC A and NIC B. Is it possible to get
 all traffic to use A, and then route them through B, and finally to outside,
 without the aid of iptables or anything similar, e.g. just by changing the
 routing table? Suppose IP forwarding works.

not sure what you mean, but will take a stab

if you had 

A) eth0 192.168.1.1/24 gw 192.168.1.254
B) eth1 192.168.2.1/24 gw 192.168.2.254

you want something like

ip r a default via 192.168.2.254 src 192.168.1.1

so this says all applications that attempt to open a socket without
binding to an address will get 192.168.1.1 (NIC A's address), but will
route out NIC B

not sure if it will work, might take a bit more work 

 
 
 Just out of curiosity, does anyone know how iPhone restricts VOIP traffic
 over 3G technically? Suppose one can make a tunnel, e.g. IPSec, PPTP (which
 iPhone has native support), to a VPN endpoint, e.g. home computer through
 3G. Is it possible to then run a VOIP app inside the tunnel?
 
 
 Thanks,
 
 
 Chris
 

-- 
This foreign policy stuff is a little frustrating. 

- George W. Bush
04/23/2002
as quoted by the New York Daily News


-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

[SLUG] RUXCON 2008 Final Call For Papers

2008-09-04 Thread cfp
RUXCON 2008 FINAL CALL FOR PAPERS

Ruxcon would like to announce the final call for papers for the fifth annual
Ruxcon conference.

This year the conference will take place over the weekend of
29th to the 30th of November.

As with previous years, Ruxcon will be held at the University of
Technology, Sydney, Australia.

The deadline for submissions is the 15th of November.

* What is Ruxcon?

 Ruxcon strives to be Australia's most technical and interesting
 computer security conference. We're back for the fifth year
 and intend on bringing you another high quality conference.

 The conference is held over two days in a relaxed atmosphere,
 allowing attendees to enjoy themselves whilst expanding their
 knowledge of security.

 Live presentations and activities will cover a full range of
 defensive and offensive security topics, varying from unpublished
 research to required reading for the public security community.

 For more information, please visit http://www.ruxcon.org.au

* Presentation Information

 Presentations are set to run for 50 minutes, and will be of a formal
 nature, with slides and a speech.

* Presentation Submissions

 Ruxcon would like to invite people who are interested in security to
 submit a presentation.

 Topics of interest include, but are not limited to:

o Code analysis
o Exploitation techniques
o Network scanning and analysis
o Cryptography
o Malware Analysis
o Reverse engineering
o Forensics and Anti-forensics
o Social engineering
o Web application security
o Database security
o Legal aspects of computer security and surrounding issues
o Law enforcement activities
o Telecommunications security (mobile, GSM, VOIP, etc.)

 Submissions should thoroughly outline your desired presentation
 subject. Accompanying your submission should be the slides
 you intend to use or a detailed paper explaining your subject.

 If you have any enquiries about submissions, or would like to make a
 submission, please send an e-mail to presentations @ ruxcon dot org
 dot au

 The deadline for submissions is the 15th of November.

 If approved we will additionally require:

i.  A brief personal biography (between 2-5 paragraphs in
   length), including: skill set, experience, and credentials.

ii. A description on your presentation or workshop (between 2-5
paragraphs in length).

* Contact Details

Presentation Submissions:  presentations @ ruxcon dot org dot au
General Enquiries: staff @ ruxcon dot org dot au



-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] route traffic through multiple interfaces

2008-09-04 Thread Chris Zhang
On Thu, Sep 4, 2008 at 10:49 PM, Alex Samad [EMAIL PROTECTED] wrote:

 On Thu, Sep 04, 2008 at 08:50:39PM +1000, Chris Zhang wrote:
  Hi list,
 
 
  Suppose I have two NICs on one host, NIC A and NIC B. Is it possible to get
  all traffic to use A, and then route them through B, and finally to outside?
  without the aid of iptables or anything similar, e.g. just changing the
  routing table? Suppose ip forwarding works.

 not sure what you mean, but will take a stab

 if you had

 A) eth0 192.168.1.1/24 gw 192.168.1.254
 B) eth1 192.168.2.1/24 gw 192.168.2.254

 you want something like

 ip r a default via 192.168.2.254 src 192.168.1.1


I did the aforementioned as a test; I had to remove the current gateway
before I ran this, otherwise it complains about an existing route.

After this is done, I tried to access www.google.com, with 'links
www.google.com'

netstat -tapn | grep 80
tcp        0      1 192.168.1.1:45154   74.125.19.99:80   SYN_SENT   2132/links

'route -n' gives identical information as before.

It doesn't look like traffic is going through 192.168.2.1 first. I don't
have 192.168.1.254 as the gateway here. But it shouldn't matter, the idea is
not to pass traffic to it but pass them to 192.168.2.1 instead.

This is one step closer, at least it is using 192.168.1.1 address.


Thanks Alex.


 so this says all applications that attempt to open a socket without
 binding to an address will get 192.168.1.1 (NIC A's address), but will
 route out NIC B

 not sure if it will work, might take a bit more work

 
 
  Just out of curiosity, does anyone know how iPhone restricts VOIP traffic
  over 3G technically? Suppose one can make a tunnel, e.g. IPSec, PPTP
 (which
  iPhone has native support), to a VPN endpoint, e.g. home computer through
  3G. Is it possible to then run a VOIP app inside the tunnel?
 
 
  Thanks,
 
 
  Chris
 


-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
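A way to check, without sending any packets, which source address the kernel hands an unbound socket after a route like Alex's "src 192.168.1.1" hint (what Chris's netstat line above is showing), and to read back which gateway and device the routing table picked. This is an added example, not code from the thread; it assumes Linux with iproute2, and the sample "ip route get" output is constructed.

```python
"""Observe the routing table's source-address and interface choice.

Added example. A UDP connect() only resolves the route and binds a
local address; no datagram leaves the host, so it is a safe probe.
"""
import shutil
import socket
import subprocess
from typing import Dict, Optional


def source_address_for(dst: str, bind_addr: Optional[str] = None) -> str:
    """Return the local address the kernel assigns for traffic toward dst.

    With bind_addr=None the address comes from the route's src hint (the
    case Alex's command changes); an explicit bind overrides the hint,
    which is the case the routing table cannot control.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_addr is not None:
            s.bind((bind_addr, 0))
        s.connect((dst, 9))  # UDP connect: route lookup only, nothing sent
        return s.getsockname()[0]
    finally:
        s.close()


def parse_route_get(output: str) -> Dict[str, str]:
    """Pull via/dev/src out of one `ip route get` result line."""
    toks = output.split()
    info = {}
    for key in ("via", "dev", "src"):
        if key in toks and toks.index(key) + 1 < len(toks):
            info[key] = toks[toks.index(key) + 1]
    return info


def route_for(dst: str) -> Dict[str, str]:
    """Ask iproute2 which gateway, device and source it would use for dst."""
    if shutil.which("ip") is None:
        return {}
    proc = subprocess.run(["ip", "route", "get", dst],
                          capture_output=True, text=True, check=False)
    return parse_route_get(proc.stdout)


if __name__ == "__main__":
    # Constructed sample of what `ip route get 74.125.19.99` would print
    # once Alex's default route (via eth1, src on eth0's address) is in place.
    sample = "74.125.19.99 via 192.168.2.254 dev eth1 src 192.168.1.1 uid 0\n    cache\n"
    print(parse_route_get(sample))                 # {'via': '192.168.2.254', 'dev': 'eth1', 'src': '192.168.1.1'}
    print(source_address_for("127.0.0.1"))         # loopback destination -> 127.0.0.1
```

Comparing the src returned by route_for() with source_address_for() for the same destination confirms whether the hint is being honoured; a mismatch means the application bound explicitly or a more specific route won.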


Re: [SLUG] route traffic through multiple interfaces

2008-09-04 Thread Daniel Pittman
Chris Zhang [EMAIL PROTECTED] writes:

As Alex asked, your problem description is unclear.  Since I have some
different questions to what he asked, and you answered, I include them:

 Suppose I have two NICs on one host, NIC A and NIC B. Is it possible
 to get all traffic to use A, 

When you say to use A, what specifically do you mean:

 * to use the IP address that you assigned to NIC A[1]
 * to leave the computer and hit the wire out NIC A
 * something else?

 and then route them through B, 

My best guess here is that you expect the packet to:

 1. Exit to the wire via NIC A
 2. Return to the host via NIC B
 3. Exit to the outside world via some unmentioned, third, interface

Is that correct?

 and finally to outside?  without the aid of iptables or anything
 similar, e.g. just changing the routing table? Suppose ip forwarding
 works.

Why the restriction?

Is this, specifically, because you want to achieve some VoIP and
tunnelling related goal with the iPhone, and it only provides a standard
routing stack?

I ask, because the Linux IP stack is extremely flexible and can do a
wide range of things that a more traditional BSD stack, well, can't.


Anyway, assuming that my best guess is, in fact, correct -- which 
I think it probably is from the iPhone bit below -- then, no.

What you are asking is impossible without the addition of NAT, packet
marking, or some other method to identify the packet beyond what you get
in the standard facility.

The routing table doesn't include a lot of "if" for an individual
packet, and retains no state -- you can't say "if this is the second
time I have seen ..."


 Just out of curiosity, does anyone know how iPhone restricts VOIP
 traffic over 3G technically?

It is done for profit, and by the request of customers.  (The real
customers, the telecoms companies, not you and the other end users who
hold the physical device...)

 Suppose one can make a tunnel, e.g. IPSec, PPTP (which iPhone has
 native support), to a VPN endpoint, e.g. home computer through
 3G. Is it possible to then run a VOIP app inside the tunnel?

Not if Apple and their customers have any say in the matter, no.  Not
reliably, in the long term, because it is something other than what
Apple have approved of your doing with their iPhone.[2]

Regards,
Daniel

Footnotes: 
[1]  ...which, under Linux, is actually a property of the computer, not
 the network card, and is equally valid as an outbound address for
 any interface, technically speaking.

[2]  Since you don't actually have any particular control of the device
 I wouldn't really call you the owner of it.  You may have paid for
 it, but Apple still run the show...

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] route traffic through multiple interfaces

2008-09-04 Thread Daniel Pittman
Chris Zhang [EMAIL PROTECTED] writes:
 On Fri, Sep 5, 2008 at 11:16 AM, Daniel Pittman [EMAIL PROTECTED] wrote:
 Chris Zhang [EMAIL PROTECTED] writes:

 You were correct in guessing what I was after. I am trying to get VOIP
 working over 3G.

 My understanding is that there are at least two places this can be
 prevented.

 Firstly, the app (e.g. Truphone) won't let you connect unless you have
 a working WIFI connection. This is why I was asking for NATting
 possibility (I didn't describe it properly). - Assign wifi interface
 with an IP (192.168.1.1/24) and forward all traffic to 3G interface
 with a public IP.

 Since 'ipfw' won't work the way it does in a normal BSD, the only
 thing I thought would be changing the routing table, which you pointed
 out not possible.

I wouldn't expect so, but I don't know the BSD / Apple IP stack nearly
as well as the Linux stack, so it /may/ be able to implement suitable
policy routing or NAT for you...

I wouldn't hold my breath though.  Like buying a games console, Apple
products are no user serviceable parts systems: use it their way, or
face a life of hoping that you keep ahead of their efforts to stop you.

 The other place where VOIP might get blocked is from the ISP,
 e.g. filtering on 3G network. My thought was to setup a tunnel and
 encrypt VOIP inside that tunnel. It should in theory bypass ISP
 restriction shouldn't it?

Yes, assuming that they will pass the tunnelled VPN traffic.  It is
worth noting that you are probably going to be violating your
contractual agreement with the ISP at this point, and that they *will*
kick you off the contract -- or worse -- for this.

Like the device, if you really want to run VoIP from the phone it
probably pays to go ahead and find a contract that meets your needs up
front than to try an end-run around the ISP / vendor.


 Alternatively, I am not sure if VOIP works over a socks proxy. This
 requires iPhone being a socks client, which it doesn't support, nor
 have I found any third party apps that can do this.

Of course not -- Apple have already pulled at least one application from
their store that made the device act as a wireless to 3G router, and
have a policy that this will *not* happen.

A SOCKS proxy would face the same fate: not on the approved list, so no
ability to run it.  Look forward to breaking the security on the phone,
then watching the anti-piracy parts of Apple get nastier to what you
do, if you really intend to use this.


 Last resort would prob. be ssh tunnelling. but I doubt this would work
 since the ports VOIP uses are in 10,000 ~ 20,000 range? 

That depends on your client, but you really do *NOT* want to push UDP
over TCP, which ssh tunnelling is.

[...]

 This is the idea, except for the packets won't go out to wire. Traffic
 => NIC A's IP => NIC B's IP => NIC B's gateway. This is, as you
 pointed out, NATing, I am convinced it is not possible without
 iptables or such.

Correct: this is not something that a regular routing table can do.
There /might/ be an equivalent of the fast NAT feature of the Linux
routing table available to you, but I don't hold much hope...

Regards,
Daniel
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html