Comments (22)
What is the problem with 3 way handshake enabled? Here is a simple program where you can test the connectivity with fixed TCP flags: https://gist.github.com/Chion82/699ae432a27507242ea788df324f4e47
from kcptun-raw.
The firewall blocks all packets with ACK flags. Only packets with the SYN flag are allowed.
Can you modify your great tool? Is this possible?
from kcptun-raw.
It is totally possible and actually relayRawSocket, by which kcptun-raw is inspired, is doing what you want by sending TCP packets with only SYN flags.
However:
- Most ISPs block SYN flooding. Continuous traffic with SYN flag set is very likely to be recognized as DOS attack and will be dropped soon. Even other abnormal TCP options affect the stability of the tunnel, depending on what ISP you are using. See more here.
- Which firewall blocks ACKs? You mean the GFW jamming TCP traffics? Please use the tools above to make a complete test and make sure this is a plausible idea. I will add this feature soon once more convincing test results are provided.
from kcptun-raw.
I tried to run relayRawSocket on Ubuntu 16.04, but it does not work there
(the client does not send any packets to the server).
Your program kcptun-raw runs well for me on Ubuntu 16.04 .
But your program uses other flags -
client to server -> SYN
server to client <- SYN+ACK
client to server -> ACK
server to client <- PSH+ACK
client to server -> PSH+ACK
And my corporate firewall drops these packets
(tested with your tools and Hping3):
client to server -> SYN ok
server to client <- SYN+ACK ok
client to server -> ACK drop(flag RST)
server to client <- PSH+ACK drop(flag RST)
client to server -> PSH+ACK drop(flag RST)
It would be very cool if you taught your program to work only with the SYN flag.
Yes, I understand that some firewalls struggle with SYN floods. But not mine.
from kcptun-raw.
I've added the SYN-only feature to syn-only branch with additional --syn-only option. Make some tests and see if it works.
from kcptun-raw.
I tested with this option.
1. The client sends these flags to the server: SYN, PSH+ACK
2. The server does not respond with any packets (see image)
server Ubuntu 16.04x64
client Ubuntu 16.04x64
client wireshark
I tried to change different ports, but nothing helps.
Have you tested this option yourself? Does it work for you?
from kcptun-raw.
@zhorakuz you should enable --syn-only BOTH on client and server side
from kcptun-raw.
Yes. See image
from kcptun-raw.
The client should have printed Use SYN-only mode on the screen but I don't see any. Did you do a fresh build by make clean?
from kcptun-raw.
> The client should have printed Use SYN-only mode on the screen but I don't see any.
yes
> Did you do a fresh build by make clean ?
How to do it?
./autogen.sh
./configure
make clean
make
?
from kcptun-raw.
@zhorakuz Just rm -rf the entire directory and git clone && git checkout to make sure you have the latest syn-only branch. I don't wanna repeat git basics anymore here.
If you look into the commit you'll see the --syn-only option really exists and it actually works on my local environment.
from kcptun-raw.
Ok. Now the client printed Use SYN-only mode and sends SYN packets to the server.
But the server does not respond with any packets to the client.
Please test this option on your machine.
from kcptun-raw.
> The server does not respond any packets to client.
Your server DOES respond once it receives packets from the client. Please use tcpdump on the server to verify that for yourself. Possible causes of connection failure would be either:
- The server does not receive any SYN packets with data payload from the client. Blocked by firewall.
- SYN packets from the server without ACK flagged are blocked, so that even though the server tries to send out the packet, the client receives nothing. Many firewalls seem to be blocking unestablished TCP connections in SINGLE way, which means in most cases only SYN+ACK is allowed from server to client to pass through after the first SYN. This is actually why simulating 3-way-handshake is necessary as I have told you from the beginning.
I have already tested this feature dozens of times on my virtual machines with bridged network and it works as expected.
from kcptun-raw.
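The SYN packets with data payload mentioned in the comment above are also what a monitoring point can look for. The following is an added example, not code from kcptun-raw: a check for bare SYN segments that carry data, run over constructed sample segments (all function names and byte arrays are assumptions made for illustration).

```c
#include <stdint.h>
#include <stddef.h>

#define FLAG_SYN 0x02
#define FLAG_ACK 0x10

/* Payload bytes carried by a TCP segment, or -1 if the header is malformed. */
int tcp_payload_len(const uint8_t *seg, size_t len) {
    if (len < 20) return -1;                    /* shorter than a minimal header */
    size_t hdr = (size_t)(seg[12] >> 4) * 4;    /* data offset, in 32-bit words */
    if (hdr < 20 || hdr > len) return -1;
    return (int)(len - hdr);
}

/* 1 if the segment is a SYN without ACK that carries data. A plain handshake
   SYN has no payload; TCP Fast Open is the legitimate exception, so treat a
   hit as a signal to correlate per flow, not as a verdict. */
int is_syn_with_payload(const uint8_t *seg, size_t len) {
    if (tcp_payload_len(seg, len) <= 0) return 0;
    return (seg[13] & FLAG_SYN) && !(seg[13] & FLAG_ACK);
}

/* Number of data-bearing bare SYNs among the segments of one flow. */
int count_syn_with_payload(const uint8_t *const segs[], const size_t lens[], size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += is_syn_with_payload(segs[i], lens[i]);
    return hits;
}

/* Constructed samples: ports 12345 -> 443, checksum left zero (not inspected). */
static const uint8_t plain_syn[20] = { 0x30,0x39, 0x01,0xbb, 0,0,0,1, 0,0,0,0,
    0x50,0x02, 0xff,0xff, 0,0, 0,0 };
static const uint8_t syn_data[24] = { 0x30,0x39, 0x01,0xbb, 0,0,0,1, 0,0,0,0,
    0x50,0x02, 0xff,0xff, 0,0, 0,0, 'd','a','t','a' };
static const uint8_t psh_ack[24] = { 0x30,0x39, 0x01,0xbb, 0,0,0,1, 0,0,0,1,
    0x50,0x18, 0xff,0xff, 0,0, 0,0, 'd','a','t','a' };

/* Runs the counter over a constructed four-segment flow. */
int sample_flow_hits(void) {
    const uint8_t *const segs[] = { plain_syn, syn_data, psh_ack, syn_data };
    const size_t lens[] = { sizeof plain_syn, sizeof syn_data,
                            sizeof psh_ack, sizeof syn_data };
    return count_syn_with_payload(segs, lens, 4);
}
```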
Now I checked the connection through the local network. Working.
Connection through the internet network. Not working.
Can the logic of work between the client and the server be broken?
See the screenshot.
Server 192.168.10.106
Client 192.168.10.101
The client sends the SYN to the server.
The server resets the connection, although SYN+ACK must respond.
I think this is the problem
from kcptun-raw.
> The server resets the connection, although SYN+ACK must respond.
Nope. That's why iptables rules are required, where we tell the kernel to ignore our user-space TCP stacks and not to send RSTs.
From kcptun-raw README:
on server:
iptables -A INPUT -p tcp --dport SERVER_PORT -j DROP
on client:
iptables -A INPUT -p tcp -s SERVER_IP --sport LISTEN_PORT -j DROP
By adding these iptables rules no more RST happens.
Another possible cause might be the MTU problem. But this doesn't explain why your client received exactly nothing, even not receiving the initial negotiating packets which are relatively small sized.
> client to server -> SYN ok
> server to client <- SYN+ACK ok
> client to server -> ACK drop(flag RST)
> server to client <- PSH+ACK drop(flag RST)
> client to server -> PSH+ACK drop(flag RST)
It looks like the problem is not caused by firewall dropping ACKs, but you haven't configured iptables on both server and client side properly.
from kcptun-raw.
I checked both with the customized iptables rules and without them. The result is the same. Through the local network it works. Through the Internet it does not work. If you can test through the Internet, tell me.
I have another question:
Can I modify this code
iph->saddr = inet_addr(packetinfo->source_ip); // Spoof the source ip address
to use a custom IP address? For example 8.8.8.8.
If I can, how?
from kcptun-raw.
Please use tcpdump ON THE SERVER to see if the packets are sent out while using wireshark on the client. Then we can make a diagnosis to see what happens.
> Can I modify this code
> iph->saddr = inet_addr(packetinfo->source_ip); // Spoof the source ip address
> to use a custom IP address? For example 8.8.8.8.
Yes you can. Modifying src/common.c: int update_src_addr() does the trick. Just change the code to: remote_addr.sin_addr.s_addr = inet_addr("8.8.8.8");
from kcptun-raw.
After I changed remote_addr.sin_addr.s_addr = inet_addr("8.8.8.8");
I still see my own source IP in tcpdump and wireshark, not 8.8.8.8.
from kcptun-raw.
update_src_addr() is for automatically probing an appropriate source address using an external destination IP address, but not actually change the source address to a fixed one. If you are willing to exactly use a specified source address such as 8.8.8.8, modify src/tran_packet.c: int send_packet() and change the code to:
iph->saddr = inet_addr("8.8.8.8"); //Spoof the source ip address
Do you see packets trying to send out from the server, by using tcpdump on the server?
from kcptun-raw.
ip is changed and i see
TCP: [Bad CheckSum]
from kcptun-raw.
Oh you should also update:
psh.source_address = inet_addr("8.8.8.8");
from kcptun-raw.
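Why the receiver reports `TCP: [Bad CheckSum]` in the exchange above: the TCP checksum is computed over a pseudo-header that includes the source address, so it only validates when that address matches the one in the IP header. This is an added example, not code from kcptun-raw; the function names and the sample segment are constructed for illustration, and the addresses are the ones quoted in the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* RFC 1071 one's-complement sum over a byte buffer, added to `sum`. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t sum) {
    for (; n > 1; p += 2, n -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (n) sum += (uint32_t)(p[0] << 8);
    return sum;
}

/* TCP checksum over pseudo-header (src, dst, zero, protocol 6, TCP length)
   plus the segment. src/dst are in network byte order, as from inet_addr(). */
uint16_t tcp_checksum(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len) {
    uint8_t ph[12];
    memcpy(ph, &src, 4);
    memcpy(ph + 4, &dst, 4);
    ph[8] = 0; ph[9] = 6;
    ph[10] = (uint8_t)(len >> 8); ph[11] = (uint8_t)len;
    uint32_t sum = sum16(seg, len, sum16(ph, 12, 0));
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Receiver-side check: with the checksum field filled in, the result is 0. */
int tcp_checksum_ok(uint32_t ip_src, uint32_t ip_dst, const uint8_t *seg, size_t len) {
    return tcp_checksum(ip_src, ip_dst, seg, len) == 0;
}

/* Constructed sample: 20-byte SYN header, checksum field (bytes 16-17) zero. */
static const uint8_t sample_syn[20] = { 0x30,0x39, 0x01,0xbb, 0,0,0,1, 0,0,0,0,
    0x50,0x02, 0xff,0xff, 0,0, 0,0 };

/* Fill the checksum using `psh_src` in the pseudo-header, then validate it
   the way a receiver does, using the source address `ip_src` from the IP header. */
int validate_after_fill(const char *psh_src, const char *ip_src, const char *dst) {
    uint8_t seg[20];
    memcpy(seg, sample_syn, sizeof seg);
    uint16_t c = tcp_checksum(inet_addr(psh_src), inet_addr(dst), seg, sizeof seg);
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
    return tcp_checksum_ok(inet_addr(ip_src), inet_addr(dst), seg, sizeof seg);
}
```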
Now the checksum is ok. But the server does not send packets to the client.
from kcptun-raw.