TCPFlag

From Etheus

Firewall Network Diagram

This project enables the creation of TCP/IP connections in both directions through a packet filter firewall. It should be considered a very crude hack that works on some simple firewalls. This software assumes that it is possible to access machines on both sides of the firewall, i.e. it cannot be used as a firewall cracking tool! It can be thought of as a type of tunnel between two hosts that have a firewall between them.

TCPFLAG

TCPFlag is a kernel module and IPTables library for the Linux 2.4 kernel that can be used to substitute any TCP flag combination with any other flag combination. It provides a new IPTables target called TCPFLAG which does the work of setting and clearing the status flags in the TCP header. It is usually used together with a flag-based match rule that identifies packets with a certain TCP flag combination before the target modifies the TCP flags.

Background

Internet Firewalling

The Internet today is swamped with viruses, worms and Trojans which almost guarantee that an un-patched computer will be infected within minutes of coming online. A "catch 22" situation arises when a reinstall of Windows is required, whereby an Internet connection is needed in order to download the latest security updates. In order to reduce the spread of worms, some Internet Service Providers are using firewalling techniques to block access from outside to computers using their service. Unfortunately this strategy has side effects in that it can also block legitimate data connections. Some network administrators apply a blanket block to all inbound traffic, which makes it impossible to run Internet servers. Firewalling is never 100% effective and can often cause more damage than good by inconveniencing legitimate users and by causing complacency among users about software updates. This project came about because one of my computers was connected to a network behind a firewall. I needed a method to make a connection to the computer from outside the network. Connections from outside the network to my computer were blocked by a packet filter firewall. TCPFlag is designed to tunnel through the firewall to a known computer on the inside.

Types of Firewall

The four common types of Firewall are:

  • Packet Filter - Packets filtered based on source/destination addresses, port numbers and state flags.
    Low overheads, simple to implement, reasonably effective on the Internet today.
  • Circuit Level Gateway - Connections tracked, filtered and forwarded based on direction and type.
    Includes NAT. Requires all connections to be actively monitored. Very effective.
  • Application Level Gateway - Connections monitored and forwarded based on content.
    Usually requires a dedicated server for each protocol, e.g. an HTTP proxy.
  • Stateful Multilayer Inspection Firewall - A combination of the above methods.
    Complicated to set up, considerable overheads on large networks.

The most common type of non-NAT firewall in use today is the Packet Filter, due to its low overheads on large networks. These are often configured to block data on specific ports or to certain hosts. Although this type of firewall has low overheads, it is systematically flawed due to its stateless nature. If an ISP wishes to block all access to a specific TCP port range, it is not advisable to drop/forward packets based only on the destination port and address. This is because TCP is a symmetrical protocol which could be thought of as consisting of two separate connections, one in each direction. Performing this sort of filtering would also block the return half of some legitimate connections that originated from inside the network.

TCP/IP

Transmission Control Protocol / Internet Protocol. An IP network allows communication in the form of packets of data which are sent from one computer to another. Computers are assigned IP addresses, and no two computers on an IP network should have the same address. IP networks are very much like a postal service: packets are not guaranteed to reach their destination, and they can arrive in a different order from the one in which they were sent. IP packets have a simple header which essentially states the source and destination address of the packet.

Envelope as IP Packet

IP alone is of little use as it is stateless and therefore difficult to link to multiple applications. TCP is used to provide better application level integration and introduces the notions of ports, connections and sockets. A good analogy for TCP is a telephone switchboard, where a telephone number and an extension number are required to dial a remote telephone.

Telephone System as TCP

A person must be ready to answer the phone at the receiving end, but once the listener picks up, a bi-directional link is established and both people can hear each other equally. TCP connections are also bi-directional and symmetrical, but the information required to open a TCP connection to a host is the IP address and TCP port number. This is similar to the telephone number and extension in the above analogy. Once the connection is open, data can be sent to the remote computer in a similar way to writing to a file or sending it to a serial port. Unlike IP, data is guaranteed to arrive in the correct order and the program does not have to be concerned with corruption of data. TCP uses IP to get the data from one place to another; however, since IP is not reliable, the TCP layer has the job of requesting that lost IP packets be resent, putting them in the correct order and delivering them to the application. It should also ensure outgoing packets are sent out at the optimum rate for the network conditions. When the TCP layer inserts data into the body of an IP packet, it must also include TCP specific information such as source and destination ports, sequence numbers and checksums. This is inserted before the content of the packet and is known as the TCP header. The TCP header includes a Flags byte which is essentially used to indicate the status of the connection. Once a TCP connection has been made, it is symmetrical and information can be sent in both directions over the link. In order to form a connection, one computer must be listening and another computer must make an outgoing connection. The operating system's TCP layer will then perform the handshake and bring up the TCP connection between the two hosts. When opening a socket for listening, a port number must be specified to the operating system's TCP layer. The TCP layer maintains a list which maps port numbers to the processes that are listening, and will only allow one listener on a particular port.
This ensures that data for a particular service, e.g. HTTP (port 80), is handled by the correct server process, for example the Apache HTTP Server. If a program wishes to make an outbound connection, it must specify a destination IP address and port number. The majority of application level protocols used on the Internet, such as HTTP, TELNET, SMTP and POP3, make use of a client-server model. This is a many-to-one relationship where there can be many clients connected to one server. The server must always be in a listening state, ready to accept connections which are initiated by clients.

TCP Handshake

The TCP handshake which takes place during connection initiation uses the status flag byte in the TCP header. Each bit within this byte represents one flag, so there are 8 possible TCP flags, of which the 6 commonly used ones are:

  • SYN - New connection
  • ACK - Acknowledging data
  • FIN - Close connection
  • RST - Drop connection
  • PSH - Deliver data to application (don't buffer)
  • URG - Urgent data

With the server listening, the client's TCP layer is first instructed by an application to make a connection to the server. The TCP layer then prepares a packet containing just the header, no data. This packet has the destination port set as specified by the application, and the SYN flag will be set in the header. The SYN flag indicates the start of a new connection, and that the sequence counters used to detect dropped or out-of-order packets should be SYNchronised. This TCP packet is then inserted into an IP packet whose destination address is that of the server, as specified by the application. Once the packet reaches the server, it will be passed to the TCP layer, which will identify the start of a new connection and verify that an application is listening on the port specified in the header. Should the checks succeed, the server's TCP layer will ACKnowledge by sending out a similar packet, but with the ACK flag set instead. One half of the connection has been established from client to server, so the server must now open a connection to the client. The same process applies, but special attention must be paid to the port number the server will use to connect to the client. When the TCP layer on the client formed the initial SYN packet, it automatically allocated an unused port for the return connection. The allocation method used usually follows some sequential rule, but could be random. No assumptions must be made about the port ranges for return connections. The source port field of the TCP header is used to store the port number for the return connection, and is used by the server to open the return connection. The return connection can be opened using another SYN packet, to which the client would respond with an ACK. Once this process is complete, the TCP connection is established, and data can be sent between the applications on the two hosts. In practice the aforementioned handshake process is shortened.
Rather than having the server respond with two separate packets, an ACK and a SYN, the server will respond with a single packet with both the SYN and ACK flags set (a SYNACK packet). To summarise: the client sends a SYN packet to the listening server. The server replies with a SYNACK packet, and the client replies to the server with an ACK packet.

Packet Filter Logic

Filtering all data entering a network by dropping packets based on a port range is flawed because this will also drop data on outbound connections where the client happens to have generated a return port number within the filtered range. The TCP flags therefore must also be inspected in order to filter connections properly. Most firewalls selectively block inbound connections to a network segment, so they should drop packets based on the destination IP address / port number that have ONLY the SYN flag set. Since only the first packet of a connection will have the SYN flag set alone, the firewall will prevent connections from being created. All other packets are then allowed to get through.

Principle of operation

The firewall rule described here is the standard rule used by almost all packet filter firewalls. It can clearly be seen that the firewall blocks packets based on the TCP flags and port numbers. Disguising SYN packets by using other flag combinations often allows the firewall to be breached.
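The following is an added example, not part of the TCPFlag project, that runs the three filter policies discussed in the handshake and packet filter logic sections above over a constructed packet trace: a port-only block that ignores flags, the standard "drop inbound packets with only SYN set" rule, and a minimal connection-tracking filter. The inside/outside addresses are the ones the page uses for computers 'A' and 'B'; the "block everything inbound to the inside host" policy, the port numbers and the packet sequences are constructed for the example. It shows why the port-only filter breaks the return half of a legitimate outbound connection, why the SYN-only rule accepts a lone RST it has no state for, and why a tracker that only opens a connection on a policy-permitted SYN rejects the same packet as invalid.

```python
"""Three inbound-filter policies run over a constructed packet trace.
Added example; not code from the TCPFlag module."""

from dataclasses import dataclass

# Bit positions of the TCP flags byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

OUTSIDE = "122.122.122.122"   # computer 'A' from the page
INSIDE = "123.123.123.123"    # computer 'B' from the page


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def inbound(pkt: Packet) -> bool:
    """Assumed policy: everything addressed to the inside host is 'inbound'
    and subject to the blanket inbound block the page describes."""
    return pkt.dst == INSIDE


def port_only_filter(pkt: Packet) -> bool:
    """Naive stateless filter that ignores TCP flags: drop all inbound packets."""
    return not inbound(pkt)


def syn_only_filter(pkt: Packet) -> bool:
    """The standard packet-filter rule: drop inbound packets whose flags byte
    has ONLY SYN set; let everything else (including a lone RST) through."""
    return not (inbound(pkt) and pkt.flags == SYN)


class ConnTracker:
    """Minimal connection-tracking filter. A packet is accepted only if it is
    a policy-permitted SYN opening a new connection, or it continues the
    handshake of a connection already in the table. A lone RST, or any other
    segment for an unknown 4-tuple, is INVALID and dropped."""

    def __init__(self) -> None:
        # (client, cport, server, sport) -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"
        self.table = {}

    def accept(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # client -> server direction
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # server -> client direction
        if fwd in self.table:
            if self.table[fwd] == "SYN_RECV" and (pkt.flags & ACK) and not (pkt.flags & SYN):
                self.table[fwd] = "ESTABLISHED"          # third handshake packet (ACK)
                return True
            return self.table[fwd] == "ESTABLISHED"
        if rev in self.table:
            if self.table[rev] == "SYN_SENT" and (pkt.flags & (SYN | ACK)) == (SYN | ACK):
                self.table[rev] = "SYN_RECV"             # SYNACK from the server
                return True
            return self.table[rev] == "ESTABLISHED"
        if pkt.flags == SYN and not inbound(pkt):        # new, policy-permitted connection
            self.table[fwd] = "SYN_SENT"
            return True
        return False                                     # unknown connection: INVALID


def run(policy, trace):
    """Return the accept (True) / drop (False) verdict for each packet in the trace."""
    return [policy(p) for p in trace]


# Constructed traces: the packet sequence the firewall would be asked to judge.
LEGIT_OUTBOUND = [                                        # B browses a web server on A
    Packet(INSIDE, 40000, OUTSIDE, 80, SYN),
    Packet(OUTSIDE, 80, INSIDE, 40000, SYN | ACK),        # return half of B's own connection
    Packet(INSIDE, 40000, OUTSIDE, 80, ACK),
]
GENUINE_INBOUND = [Packet(OUTSIDE, 50000, INSIDE, 22, SYN)]
DISGUISED_INBOUND = [                                     # the page's SYN -> RST substitution
    Packet(OUTSIDE, 50000, INSIDE, 22, RST),
    Packet(INSIDE, 22, OUTSIDE, 50000, SYN | ACK),
    Packet(OUTSIDE, 50000, INSIDE, 22, ACK),
]

if __name__ == "__main__":
    for label, trace in [("legit outbound", LEGIT_OUTBOUND),
                         ("genuine inbound SYN", GENUINE_INBOUND),
                         ("disguised inbound", DISGUISED_INBOUND)]:
        print(label)
        print("  port-only :", run(port_only_filter, trace))
        print("  SYN-only  :", run(syn_only_filter, trace))
        print("  conntrack :", run(ConnTracker().accept, trace))
```

On a Linux filter the equivalent of the tracker's last branch is the connection-tracking match (`-m state --state INVALID -j DROP` on 2.4 kernels, `-m conntrack --ctstate INVALID -j DROP` on later ones) placed ahead of the flag-based rules, which is what makes the substitution described on this page ineffective against stateful firewalls.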

Installing

The installation process requires two components to be compiled, a kernel driver/module and a library. In order to compile the kernel module, you must have the Linux 2.4 kernel source. In order to compile the library, you must have the IPTables source. First of all, before following the instructions below, make sure you can compile and install both the kernel source and the IPTables source. It is outside the scope of this project to provide help if you get stuck at this point; please refer to the relevant documentation. Also, download and extract the source code for TCPFLAG to a location of your choice.

Compiling and Installing the Kernel Module

It is time to get your fingers dirty by editing some files.

  • Change directory to the kernel source root directory
  • Copy ipt_TCPFLAG.c from the TCPFLAG source directory to net/ipv4/netfilter/ in the kernel source
  • Copy ipt_TCPFLAG.h from the TCPFLAG source directory to include/linux/netfilter_ipv4/ in the kernel source
  • Edit net/ipv4/netfilter/Makefile in the kernel source
  • Find the following sequence of lines. (somewhere around line 90)
# targets
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
obj-$(CONFIG_IP_NF_TARGET_MIRROR) += ipt_MIRROR.o
obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
  • Insert somewhere into the list of targets the following line
obj-$(CONFIG_IP_NF_TARGET_TCPFLAG) += ipt_TCPFLAG.o
  • Save the file.
  • Edit net/ipv4/netfilter/Config.in in the kernel source
  • Find the following sequence of lines. (somewhere around line 100)
 dep_tristate ' TOS target support' CONFIG_IP_NF_TARGET_TOS $CONFIG_IP_NF_MANGLE
 dep_tristate ' ECN target support' CONFIG_IP_NF_TARGET_ECN $CONFIG_IP_NF_MANGLE
 dep_tristate ' DSCP target support' CONFIG_IP_NF_TARGET_DSCP $CONFIG_IP_NF_MANGLE
 dep_tristate ' MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
  • Insert somewhere into the list of targets the following line
 dep_tristate ' TCPFLAG target support' CONFIG_IP_NF_TARGET_TCPFLAG $CONFIG_IP_NF_MANGLE
  • Save the file and quit the editor.
  • Run make menuconfig or whatever tool you prefer to configure the kernel.
  • You should now see TCPFLAG as a new target; it can be compiled as a module or compiled into the kernel. The choice is yours.
  • Compile the kernel / modules install them and reboot if necessary.
  • If you compiled TCPFLAG as a module check that it installs OK with modprobe/insmod.

Compiling and Installing the Library

Note: This assumes you have already successfully compiled the TCPFLAG kernel driver using the process above.

  • Change directory to the IPTables source.
  • Copy libipt_TCPFLAG.c from the TCPFLAG source directory to the extensions directory in the IPTables source.
  • Edit extensions/Makefile
  • Add the word TCPFLAG to the line containing the list of extensions to be compiled.
  • Save the file and quit the editor.
  • Compile and install iptables.
  • Check that you now have the TCPFLAG mangle target available from IPTables by using the following command.
iptables -j TCPFLAG -h

You should see some information related to TCPFLAG in the usage message; if not, check that libipt_TCPFLAG.so is present on your system, e.g. in /lib/iptables.

Using TCPFLAG

TCPFLAG is a target which can be used on the mangle table. It is intended to be used in the PREROUTING and POSTROUTING chains and modifies TCP flags based on a flag mask and a complement. The mask specifies which flags are to be modified and the complement specifies which of the masked flags should be turned on; flags outside the mask are left as they are. For example, a mask of SYN,RST and a complement of RST will force the SYN flag to be off and the RST flag to be on.
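To make the mask/complement semantics concrete, here is an added example (not code from the TCPFlag module) that models the target's `--mask`/`--comp` arithmetic and the iptables `--tcp-flags MASK COMP` match, and applies both to a constructed 20-byte TCP header. The function names, the constructed segment and the addresses of computers 'A' and 'B' are the example's own assumptions. It also carries the point a practitioner checking such traffic should know: the TCP checksum covers the flags byte, so a rewritten segment only survives the receiving stack if the checksum is recomputed, and a segment whose flags disagree with its checksum is a sign of a broken rewrite.

```python
"""Model of the TCPFLAG mask/complement rewrite and the --tcp-flags match,
applied to a constructed TCP segment. Added example; not TCPFlag code."""

import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}
TCP_FLAGS_OFFSET = 13   # flags byte within the TCP header
TCP_CSUM_OFFSET = 16    # checksum field within the TCP header


def parse_flags(spec: str) -> int:
    """'SYN,RST' -> 0x06, the notation used by --mask, --comp and --tcp-flags."""
    return sum(FLAG_NAMES[n.strip().upper()] for n in spec.split(",") if n.strip())


def tcp_flags_match(flags: int, mask: int, comp: int) -> bool:
    """iptables '--tcp-flags MASK COMP': of the flags in MASK, exactly those in COMP are set."""
    return (flags & mask) == comp


def tcpflag_target(flags: int, mask: int, comp: int) -> int:
    """Hypothetical model of '--mask MASK --comp COMP': flags named in MASK take
    the value they have in COMP, every other flag keeps its current value."""
    return (flags & ~mask & 0xFF) | (comp & mask)


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo header that the TCP checksum also covers (protocol 6)."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def with_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Return the segment with its TCP checksum recomputed."""
    seg = bytearray(segment)
    seg[TCP_CSUM_OFFSET:TCP_CSUM_OFFSET + 2] = b"\x00\x00"
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(seg)) + bytes(seg))
    seg[TCP_CSUM_OFFSET:TCP_CSUM_OFFSET + 2] = struct.pack("!H", csum)
    return bytes(seg)


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correct checksum makes the one's-complement sum of everything come out to zero."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def build_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=65535) -> bytes:
    """Constructed 20-byte TCP header (data offset 5), no options, no payload."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    return with_checksum(src_ip, dst_ip, header)


def flags_of(segment: bytes) -> int:
    return segment[TCP_FLAGS_OFFSET]


def rewrite_flags(src_ip, dst_ip, segment, mask, comp) -> bytes:
    """Apply the target to one segment. The checksum covers the flags byte, so it
    must be recomputed or the receiving TCP stack discards the segment."""
    seg = bytearray(segment)
    seg[TCP_FLAGS_OFFSET] = tcpflag_target(seg[TCP_FLAGS_OFFSET], mask, comp)
    return with_checksum(src_ip, dst_ip, bytes(seg))


A, B = "122.122.122.122", "123.123.123.123"   # the page's computers 'A' and 'B'

if __name__ == "__main__":
    syn = build_segment(A, B, 50000, 22, SYN)
    # Rule on A: --tcp-flags FIN,SYN,RST,ACK SYN ... --mask SYN,RST --comp RST
    if tcp_flags_match(flags_of(syn), parse_flags("FIN,SYN,RST,ACK"), parse_flags("SYN")):
        out = rewrite_flags(A, B, syn, parse_flags("SYN,RST"), parse_flags("RST"))
        print("on the wire: flags=0x%02x checksum ok=%s" % (flags_of(out), checksum_ok(A, B, out)))
        # Rule on B: --tcp-flags FIN,SYN,RST,ACK RST ... --mask SYN,RST --comp SYN
        back = rewrite_flags(A, B, out, parse_flags("SYN,RST"), parse_flags("SYN"))
        print("restored byte-for-byte:", back == syn)
```

Note that `tcp_flags_match` tests only the flags named in the mask, so a SYNACK fails a `--tcp-flags FIN,SYN,RST,ACK SYN` match while a SYN with PSH or URG set would still pass it; that is why the page's rules list all four of FIN, SYN, RST and ACK in the match mask.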

Firewall hopping

In this scenario, Computer 'A' is on the outside of a Firewalled network, and Computer 'B' is on the inside.
IP address of 'A' = 122.122.122.122
IP address of 'B' = 123.123.123.123
Since RST packets seem to get through packet filter firewalls reasonably reliably, the following command is issued on computer 'A':

iptables --table mangle --append POSTROUTING --destination 123.123.123.123 --protocol tcp --tcp-flags FIN,SYN,RST,ACK SYN --jump TCPFLAG --mask SYN,RST --comp RST

This command adds a rule to the mangle table, POSTROUTING chain (for sent packets). It matches packets with a destination address of 123.123.123.123 (Computer 'B') AND that also have the SYN flag set and all other flags clear. If a packet matches this rule it will 'jump' to the TCPFLAG target, whose mask and complement force the outgoing packet to have only the RST flag set. This rule effectively substitutes RST packets for SYN packets, which should break through the firewall and reach Computer 'B'.

At the Other End

Now that the RST packets have reached Computer 'B', they must be converted back to SYN packets, allowing the TCP layer to identify the start of a connection. This can be done with the following command on Computer 'B':

iptables --table mangle --append PREROUTING --source 122.122.122.122 --protocol tcp --tcp-flags FIN,SYN,RST,ACK RST --jump TCPFLAG --mask SYN,RST --comp SYN

This adds a rule to the mangle table, PREROUTING chain (for received packets). It matches packets with a source address of 122.122.122.122 (Computer 'A') AND that also have the RST flag set and all other flags clear. If a packet matches this rule it will 'jump' to the TCPFLAG target, whose mask and complement force the incoming packet to have only the SYN flag set. This rule effectively substitutes SYN packets for RST packets, hence hiding the presence of the firewall.

Caveats

Connection tracking is not handled. This causes netstat not to report the connection properly. It also means that routers along the way will not see the connection, even though it is there! TCPFLAG allows you to completely break the TCP protocol conventions and so should be avoided if you are aiming for standards compliance.

Download

To download the TCPFLAG source code, use the following links:

FAQ

Why have you not submitted this to IPTables?
There are two reasons, firstly I don't intend to maintain it. Second, TCPFLAG directly breaks TCP conventions and does not have many legitimate uses.
Do you have any pre-compiled binaries?
Not at the moment, sorry. I don't use TCPFLAG much these days because the firewall has now gone, and I also try to use more conventional tunnelling techniques where possible.
Is there a windows version?
Unfortunately not, but the code is released under the GPL, so you are free to make a Windows version if it is possible.
Does it work in the 2.6 Kernel?
I did briefly try, but encountered problems. Feel free to port it!
How stable is it?
I have used it for a year or so without any problems.
I have a Linux box as a NAT router. Can I use it to make my entire network see a remote firewalled machine?
Yes, just use TCPFLAG on your router. Once it is possible to connect from the router to the firewalled machine, it should also be possible to do this from any machine on your network.

Links

Enjoy!

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Contacts

Project author: Craig Shelley craig@microtron.org.uk