UNI-FIX Computer

Use Sguil’s advanced GUI to monitor and analyze IDS events in a timely manner.

One thing that’s crucial when analyzing your IDS events is to be able to correlate all your audit data from various sources, to determine the exact trigger for the alert and what actions should be taken. This could involve anything from simply querying a database for similar alerts to viewing TCP stream conversations. One tool to help facilitate this is Sguil (http://sguil.sourceforge.net), the Snort GUI for Lamerz. In case you’re wondering, Sguil is pronounced “sgweel” (to rhyme with “squeal”).

Sguil is a graphical analysis console written in Tcl/Tk that brings together the power of such tools as Ethereal (http://www.ethereal.com), TcpFlow (http://www.circlemud.org/~jelson/software/tcpflow/), and Snort’s portscan and TCP stream decoding processors into a single unified application, where it correlates all the data from each of these sources. Sguil uses a client/server model and is made up of three parts: a plug-in for Barnyard (op_guil), a server (sguild), and a client (sguil.tk). Agents installed on each of your NIDS sensors are used to report back information to the Sguil server. The server takes care of collecting and correlating all the data from the sensor agents, and handles information and authentication requests from the GUI clients.

Before you begin, you’ll need to download the Sguil distribution from the project’s web site and unpack it somewhere. This will create a directory that reflects the package and its version number (e.g., sguil-0.3.0).

The first step in setting up Sguil is creating a MySQL database for storing its information. You should also create a user that Sguil can use to access the database:

$ mysql -u root -p
Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 546 to server version: 3.23.55

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

mysql> CREATE DATABASE SGUIL;

Query OK, 1 row affected (0.00 sec)

mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON SGUIL.* \

TO sguil IDENTIFIED BY ‘sguilpass’;
Query OK, 0 rows affected (0.06 sec)

mysql> FLUSH PRIVILEGES;

Query OK, 0 rows affected (0.06 sec)

mysql>

Now you’ll need to create Sguil’s database tables. To do this, locate the create_sguildb.sql file. It should be in the server/sql_scripts subdirectory of the directory that was created when you unpacked the Sguil distribution. You’ll need to feed this as input to the mysql command like this:

$ mysql -u root -p SGUIL < create_sguildb.sql

sguild requires several Tcl packages in order to run. The first is Tclx (http://tclx.sourceforge.net), which is an extensions library for Tcl. The second is mysqltcl (http://www.xdobry.de/mysqltcl/). Both of these can be installed with the standard ./configure && make install routine.

You can verify that they were installed correctly by running the following commands:

$ tcl

tcl>package require Tclx

8.3

tcl>package require mysqltcl

2.40

tcl>

If you want to use SSL to encrypt the traffic between the GUI and the server, you will also need to install tcltls (http://sourceforge.net/projects/tls/). After installing it, you can verify that it was installed correctly by running this command:

$ tcl

tcl>package require tls

1.41

tcl>

Now you’ll need to go about configuring sguild. First, you’ll need to create a directory suitable for holding its configuration files (i.e., /etc/sguild). Then copy sguild.users, sguild.conf, sguild.queries, and autocat.conf to the directory that you created.

For example:

# mkdir /etc/sguild

# cd server

# cp autocat.conf sguild.conf sguild.queries \

sguild.users /etc/sguild

This assumes that you’re in the directory that was created when you unpacked the Sguil distribution. You’ll also want to copy the sguild script to somewhere more permanent, such as /usr/local/sbin or something similar.

Now edit sguild.conf and tell it how to access the database you created. If you used the database commands shown previously to create the database and user for Sguil, you would set these variables to the following values:

set DBNAME SGUIL

set DBPASS sguilpass

set DBHOST localhost

set DBPORT 3389

set DBUSER sguil

In addition, sguild requires access to the Snort rules used on each sensor in order for it to correlate the different pieces. You can tell sguild where to look for these by setting the RULESDIR variable.

For instance, the following line will tell sguild to look for rules in /etc/snort/rules:

set RULESDIR /etc/snort/rules

However, sguild needs to find rules for each sensor that it monitors here, so this is really just the base directory for the rules. When looking up rules for a specific host it will look for them in a directory corresponding to the hostname within the directory that you specified (e.g., zul’s rules would be in /etc/snort/rules/zul).

Optionally, if you want to use SSL to encrypt sguild’s traffic (which you should), you’ll need to create an SSL certificate and key pair [Hack #45] . After you’ve done that, move them to /etc/sguild/certs and make sure they’re named sguild.key and sguild.pem.

Next, you’ll need to add users for accessing sguild from the Sguil GUI. To do this, use a command similar to this:

# sguild -adduser andrew

Please enter a passwd for andrew:

Retype passwd:

User ‘andrew’ added successfully

You can test out the server at this point by connecting to it with the GUI client. All you need to do is edit the sguil.conf file and change the SERVERHOST variable to point to the machine on which sguild is installed. In addition, if you want to use SSL, you’ll need to change the following variables to values similar to these:

set OPENSSL 1

set TLS_PATH /usr/lib/tls1.4/libtls1.4.so

Now test out the client and server by running sguil.tk. After a moment you should see a login window like Figure 7-3.
Figure 7-3. The Sguil login dialog

Enter in the information that you used when you created the user and click OK. After you’ve done that, you should see a dialog like Figure 7-4.
Figure 7-4. Sguil’s no available sensors dialog

Since you won’t have any sensors to monitor yet, click Exit.

To set up a Sguil sensor, you’ll need to patch your Snort source code. You can find the patches that you’ll need in the sensor/snort_mods/2_0/ subdirectory of the Sguil source distribution. Now change to the directory that contains the Snort source code, go to the src/preprocessors subdirectory, and patch spp_portscan.c and spp_stream4.c.

For example:

$ cd ~/snort-2.0.5/src/preprocessors

$ patch spp_portscan.c < \

~/sguil0.3.0/sensor/snort_mods/2_0/spp_portscan_sguil.patch
patching file spp_portscan.c

$ patch spp_stream4.c < \

~/sguil-0.3.0/sensor/snort_mods/2_0/spp_stream4_sguil.patch
patching file spp_stream4.c

Hunk #9 succeeded at 988 (offset -5 lines).

Hunk #11 succeeded at 3324 (offset -5 lines).

Hunk #13 succeeded at 3674 (offset -5 lines).

Then compile Snort just as you normally would [Hack #82] . After you’ve done that, edit your snort.conf and enable the portscan and stream4 preprocessors:

preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscans gw-ext0

preprocessor stream4: detect_scans, disable_evasion_alerts, keepstats db \

/var/log/snort/ssn_logs

The first line enables the portscan preprocessor and tells it to trigger a portscan alert if connections to four different ports within a three-second interval have been received from the same host. In addition, the portscan preprocessor will keep its logs in /var/log/snort/portscans. The last field on the line is the name of the sensor. The second line enables the stream4 preprocessor, directs it to detect stealth portscans, and to not alert on overlapping TCP datagrams. It also tells the stream4 preprocessor to keep its logs in /var/log/snort/ssn_logs.

You’ll also need to set up Snort to use its unified output format, so that you can use Barnyard to handle logging Snort’s alert and log events:

output alert_unified: filename snort.alert, limit 128

output log_unified: filnemae snort.log, limit 128

Next, create a crontab entry for the log_packets.sh script that comes with Sguil. This script starts an instance of Snort solely to log packets. This crontab line will have the script restart the Snort logging instance every hour:

00 0-23/1 * * * /usr/local/bin/log_packets.sh restart

You should also edit the variables at the beginning of the script and change them to suit your needs. These variables tell the script where to find the Snort binary (SNORT_PATH), where to have Snort log packets to (LOG_DIR), what interface to sniff on (INTERFACE), and what command-line options to use (OPTIONS). Pay special attention to the OPTIONS variable. Here is where you can tell snort what user and group to run as; the default won’t work unless you’ve created a sguil user and group. In addition, you can specify what traffic to not log by setting the FILTER variable to a BPF (i.e., tcpdump-style) filter.

Next, you’ll need to compile and install Barnyard [Hack #92], but only run the configure step for now. After that, patch in the op_sguil output plug-in provided by Sguil. To do this, copy sensor/barnyard_mods/op_sguil.* to the output-plugins directory in the Barnyard source tree.

For instance:

$ cd ~/barnyard-0.1.0/src/output-plugins

$ cp ~/sguil-0.3.0/sensor/barnyard_mods/op_sguil.* .

Now edit the Makefile in that directory to add op_sguil.c and op_sguil.h to the libop_a_SOURCES variable, and add op_sguil.o to the libop_a_OBJECTS variable.

After you’ve done that, edit op_plugbase.c and look for a line that says:

#include “op_acid_db.h”

Add another line below it so that it becomes:

#include “op_acid_db.h”

#include “op_sguil.h”

Now look for another line like this:

AcidDbOpInit( );

and add another line below it so that it looks like this:

AcidDbOpInit( );

SguilOpInit( );

Now run make from the current directory; when that completes, change to the top-level directory of the source distribution and run make install. To configure Barnyard to use the Sguil output plug-in, add a line similar to this one to your barnyard.conf:

output sguil: mysql, sensor_id 0, database SGUIL, server localhost, user sguil,

sguilpass, sguild_host localhost, sguild_port 7736

Now you can start Barnyard as you would normally. After you do that, you’ll need to set up Sguil’s sensor agent script, sensor_agent.tcl, which can be found in the sensor directory of the source distribution. Before running the script, you’ll need to edit several variables to fit your situation:

set SERVER_HOST localhost

set SERVER_PORT 7736

set HOSTNAME gw-ext0

set PORTSCAN_DIR /var/log/snort/portscans

set SSN_DIR /var/log/snort/ssn_logs

set WATCH_DIR /var/log/snort

The PORTSCAN_DIR and SSN_DIR variables should be set to where the Snort portscan and stream4 preprocessors log to.

Now all you need to do is set up xscriptd on the same system that you installed sguild on. This script is responsible for collecting the packet dumps from each sensor, pulling out the requested information, and then sending it back to the GUI client. Before running it, you’ll need to edit some variables in this script too:

set LOCALSENSOR 1

set LOCAL_LOG_DIR /var/log/snort/archive

set REMOTE_LOG_DIR /var/log/snort/dailylogs

If you’re running xscriptd on the same host as the sensor, set LOCALSENSOR to 1. Otherwise, set it to 0. The LOCAL_LOG_DIR variable sets where xscriptd will archive the data it receives when it queries the sensor, and REMOTE_LOG_DIR sets where xscriptd will look on the remote host for the packet dumps. If you’re installing xscriptd on a host other than the sensor agent, you’ll need to set up SSH client keys [Hack #73] in order for it to retrieve data from the sensors. You’ll also need to install tcpflow (http://www.circlemud.org/~jelson/software/tcpflow/) and p0f (http://www.stearns.org/p0f/) on the host that you install xscriptd on.

Now that everything’s set up, you can start sguild and xscriptd with commands similar to these:

# sguild -O /usr/lib/tls1.4/libtls1.4.so

# xscriptd -O /usr/lib/tls1.4/libtls1.4.so

If you’re not using SSL, you should omit the -O /usr/lib/tls1.4/libtls1.4.so portions of the commands. Otherwise, you should make sure that the argument to -O points to the location of libtls on your system.

Getting Sguil running isn’t trivial, but it is well worth the effort. Once everything is running, you will have a very good overview of precisely what is happening on your network. Sguil presents data from a bunch of sources simultaneously, giving you a good view of the big picture that is sometimes impossible to see when simply looking at your NIDS logs.R

Generate a vtund.conf on the fly to match changing network conditions.

If you’ve just come from [Hack #78], then the following script will generate a working vtund.conf for the client side automatically.

If you haven’t read the previous hack (or if you’ve never used VTun), then go back and read it before attempting to grok this bit of Perl. Essentially, it attempts to take the guesswork out of changing the routing table around on the client side by auto-detecting the default gateway and building the vtund.conf accordingly.

To configure the script, take a look at the Configuration section. The first line of $Config contains the addresses, port, and secret that we used in the VTun hack. The second line simply serves as an example of how to add more.

To run the script, either call it as vtundconf home or set $TunnelName to the one you want to default to. Better yet, make symlinks to the script, like this:

# ln -s vtundconf home
# ln -s vtundconf tunnel2

Then you can generate the appropriate vtund.conf by calling the symlink directly:

# vtundconf home > /usr/local/etc/vtund.conf

You might be wondering why anyone would go to all of the trouble to make a vtund.conf-generating script in the first place. Once you get the settings right, you’ll never have to change them, right?

Well, usually that is the case. But consider the case of a Linux laptop that uses many different networks in the course of the day (say, a DSL line at home, Ethernet at work, and maybe a wireless connection at the local coffee shop). By running vtundconf once at each location, you will have a working configuration instantly, even if your IP and gateway is assigned by DHCP. This makes it easy to get up and running quickly with a live, routable IP address, regardless of the local network topology.

Incidentally, VTun currently runs well on Linux, FreeBSD, Mac OS X, Solaris, and others.

Save this file as vtundconf, and run it each time you use a new wireless network to generate an appropriate vtund.conf for you on the fly:

#!/usr/bin/perl -w

#

# vtund wrapper in need of a better name.

#

# (c)2002 Schuyler Erle & Rob Flickenger

#

################ CONFIGURATION

# If TunnelName is blank, the wrapper will look at @ARGV or $0.

#

# Config is TunnelName, LocalIP, RemoteIP, TunnelHost, TunnelPort, Secret

#

my $TunnelName = “”;

my $Config = q{

home 208.201.239.33 208.201.239.32 208.201.239.5 5000 sHHH

tunnel2 10.0.1.100 10.0.1.1 192.168.1.4 6001 foobar

};

################ MAIN PROGRAM BEGINS HERE

use POSIX ‘tmpnam’;

use IO::File;

use File::Basename;

use strict;

# Where to find things…

#

$ENV{PATH} = “/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/[RETURN]sbin”;

my $IP_Match = ‘((?:\d{1,3}\.){3}\d{1,3})’; # match xxx.xxx.xxx.xxx

my $Ifconfig = “ifconfig -a”;

my $Netstat = “netstat -rn”;

my $Vtund = “/bin/echo”;

my $Debug = 1;

# Load the template from the data section.

#

my $template = join( “”, );

# Open a temp file — adapted from Perl Cookbook, 1st Ed., sec. 7.5.

#

my ( $file, $name ) = (“”, “”);

$name = tmpnam( )

until $file = IO::File->new( $name, O_RDWR|O_CREAT|O_EXCL );

END { unlink( $name ) or warn “Can’t remove temporary file $name!\n”; }

# If no TunnelName is specified, use the first thing on the command line,

# or if there isn’t one, the basename of the script.

# This allows users to symlink different tunnel names to the same script.

#

$TunnelName ||= shift(@ARGV) || basename($0);

die “Can’t determine tunnel config to use!\n” unless $TunnelName;

# Parse config.

#

my ($LocalIP, $RemoteIP, $TunnelHost, $TunnelPort, $Secret);

for (split(/\r*\n+/, $Config)) {

my ($conf, @vars) = grep( $_ ne “”, split( /\s+/ ));

next if not $conf or $conf =~ /^\s*#/o; # skip blank lines, comments

if ($conf eq $TunnelName) {

($LocalIP, $RemoteIP, $TunnelHost, $TunnelPort, $Secret) = @vars;

last;

}

}

die “Can’t determine configuration for TunnelName ‘$TunnelName’!\n”

unless $RemoteIP and $TunnelHost and $TunnelPort;

# Find the default gateway.

#

my ( $GatewayIP, $ExternalDevice );

for (qx{ $Netstat }) {

# In both Linux and BSD, the gateway is the next thing on the line,

# and the interface is the last.

#

if ( /^(?:0.0.0.0|default)\s+(\S+)\s+.*?(\S+)\s*$/o ) {

$GatewayIP = $1;

$ExternalDevice = $2;

last;

}

}

die “Can’t determine default gateway!\n” unless $GatewayIP and $ExternalDevice;

# Figure out the LocalIP and LocalNetwork.

#

my ( $LocalNetwork );

my ( $iface, $addr, $up, $network, $mask ) = “”;

sub compute_netmask {

($addr, $mask) = @_;

# We have to mask $addr with $mask because linux /sbin/route

# complains if the network address doesn’t match the netmask.

#

my @ip = split( /\./, $addr );

my @mask = split( /\./, $mask );

$ip[$_] = ($ip[$_] + 0) & ($mask[$_] + 0) for (0..$#ip);

$addr = join(“.”, @ip);

return $addr;

}

for (qx{ $Ifconfig }) {

last unless defined $_;

# If we got a new device, stash the previous one (if any).

if ( /^([^\s:]+)/o ) {

if ( $iface eq $ExternalDevice and $network and $up ) {

$LocalNetwork = $network;

last;

}

$iface = $1;

$up = 0;

}

# Get the network mask for the current interface.

if ( /addr:$IP_Match.*?mask:$IP_Match/io ) {

# Linux style ifconfig.

compute_netmask($1, $2);

$network = “$addr netmask $mask”;

} elsif ( /inet $IP_Match.*?mask 0x([a-f0-9]{8})/io ) {

# BSD style ifconfig.

($addr, $mask) = ($1, $2);

$mask = join(“.”, map( hex $_, $mask =~ /(..)/gs ));

compute_netmask($addr, $mask);

$network = “$addr/$mask”;

}

# Ignore interfaces that are loopback devices or aren’t up.

$iface = “” if /\bLOOPBACK\b/o;

$up++ if /\bUP\b/o;

}

die “Can’t determine local IP address!\n” unless $LocalIP and $LocalNetwork;

# Set OS dependent variables.

#

my ( $GW, $NET, $PTP );

if ( $^O eq “linux” ) {

$GW = “gw”; $PTP = “pointopoint”; $NET = “-net”;

} else {

$GW = $PTP = $NET = “”;

}

# Parse the config template.

#

$template =~ s/(\$\w+)/$1/gee;

# Write the temp file and execute vtund.

#

if ($Debug) {

print $template;

} else {

print $file $template;

close $file;

system(“$Vtund $name”);

}

_ _DATA_ _

options {

port $TunnelPort;

ifconfig /sbin/ifconfig;

route /sbin/route;

}

default {

compress no;

speed 0;

}

# ‘mytunnel’ should really be `basename $0` or some such

# for automagic config selection

$TunnelName {

type tun;

proto tcp;

keepalive yes;

pass $Secret;

up {

ifconfig “%% $LocalIP $PTP $RemoteIP arp”;

route “add $TunnelHost $GW $GatewayIP”;

route “delete default”;

route “add default $GW $RemoteIP”;

route “add $NET $LocalNetwork $GW $GatewayIP”;

};

down {

ifconfig “%% down”;

route “delete default”;

route “delete $TunnelHost $GW $GatewayIP”;

route “delete $NET $LocalNetwork”;

route “add default $GW $GatewayIP”;

};

}

Connect two networks using VTun and a single SSH connection.

VTun is a user-space tunnel server, allowing entire networks to be tunneled to each other using the tun universal tunnel kernel driver. An encrypted tunnel such as VTun allows roaming wireless clients to secure all of their IP traffic using strong encryption. It currently runs under Linux, BSD, and Mac OS X. The examples in this hack assume that you are using Linux.

The procedure described next will allow a host with a private IP address (10.42.4.6) to bring up a new tunnel interface with a real, live, routed IP address (208.201.239.33) that works as expected, as if the private network weren’t even there. Do this by bringing up the tunnel, dropping the default route, and then adding a new default route via the other end of the tunnel.

To begin with, here is the (pretunneled) network configuration:

root@client:~# ifconfig eth2

eth2 Link encap:Ethernet HWaddr 00:02:2D:2A:27:EA

inet addr:10.42.3.2 Bcast:10.42.3.63 Mask:255.255.255.192

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:662 errors:0 dropped:0 overruns:0 frame:0

TX packets:733 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:105616 (103.1 Kb) TX bytes:74259 (72.5 Kb)

Interrupt:3 Base address:0x100

root@client:~# route

Kernel IP routing table

Destination Gateway Genmask Flags Metric Ref Use Iface

10.42.3.0 * 255.255.255.192 U 0 0 0 eth2

loopback * 255.0.0.0 U 0 0 0 lo

default 10.42.3.1 0.0.0.0 UG 0 0 0 eth2

As you can see, the local network is 10.42.3.0/26, the IP is 10.42.3.2, and the default gateway is 10.42.3.1. This gateway provides network address translation (NAT) to the Internet. Here’s what the path looks like to yahoo.com:

root@client:~# traceroute -n yahoo.com

traceroute to yahoo.com (64.58.79.230), 30 hops max, 40 byte packets

1 10.42.3.1 2.848 ms 2.304 ms 2.915 ms

2 209.204.179.1 16.654 ms 16.052 ms 19.224 ms

3 208.201.224.194 20.112 ms 20.863 ms 18.238 ms

4 208.201.224.5 213.466 ms 338.259 ms 357.7 ms

5 206.24.221.217 20.743 ms 23.504 ms 24.192 ms

6 206.24.210.62 22.379 ms 30.948 ms 54.475 ms

7 206.24.226.104 94.263 ms 94.192 ms 91.825 ms

8 206.24.238.61 97.107 ms 91.005 ms 91.133 ms

9 206.24.238.26 95.443 ms 98.846 ms 100.055 ms

10 216.109.66.7 92.133 ms 97.419 ms 94.22 ms

11 216.33.98.19 99.491 ms 94.661 ms 100.002 ms

12 216.35.210.126 97.945 ms 93.608 ms 95.347 ms

13 64.58.77.41 98.607 ms 99.588 ms 97.816 ms

In this example, we are connecting to a tunnel server on the Internet at 208.201.239.5. It has two spare live IP addresses (208.201.239.32 and 208.201.239.33) to be used for tunneling. We’ll refer to that machine as the server, and our local machine as the client.

Now let’s get the tunnel running. To begin with, load the tun driver on both machines:

# modprobe tun

It is worth noting that the tun driver will sometimes fail if the server and client kernel versions don’t match. For best results, use a recent kernel (and the same version, e.g., 2.4.20) on both machines.

On the server machine, save this file to /usr/local/etc/vtund.conf:

options {

port 5000;

ifconfig /sbin/ifconfig;

route /sbin/route;

syslog auth;

}

default {

compress no;

speed 0;

}

home {

type tun;

proto tcp;

stat yes;

keepalive yes;

pass sHHH; # Password is REQUIRED.

up {

ifconfig “%% 208.201.239.32 pointopoint 208.201.239.33”;

program /sbin/arp “-Ds 208.201.239.33 %% pub”;

program /sbin/arp “-Ds 208.201.239.33 eth0 pub”;

route “add -net 10.42.0.0/16 gw 208.201.239.33”;

};

down {

program /sbin/arp “-d 208.201.239.33 -i %%”;

program /sbin/arp “-d 208.201.239.33 -i eth0”;

route “del -net 10.42.0.0/16 gw 208.201.239.33”;

};

}

Launch the vtund server like so:

root@server:~# vtund -s

Now you’ll need a vtund.conf file for the client side. Try this one, again in /usr/local/etc/vtund.conf:

options {

port 5000;

ifconfig /sbin/ifconfig;

route /sbin/route;

}

default {

compress no;

speed 0;

}

home {

type tun;

proto tcp;

keepalive yes;

pass sHHH; # Password is REQUIRED.

up {

ifconfig “%% 208.201.239.33 pointopoint 208.201.239.32 arp”;

route “add 208.201.239.5 gw 10.42.3.1”;

route “del default”;

route “add default gw 208.201.239.32”;

};

down {

route “del default”;

route “del 208.201.239.5 gw 10.42.3.1”;

route “add default gw 10.42.3.1”;

};

}

Finally, run this command on the client:

root@client:~# vtund -p home server

Presto! Not only do you have a tunnel up between client and server, but also a new default route via the other end of the tunnel. Take a look at what happens when we traceroute to yahoo.com with the tunnel in place:

root@client:~# traceroute -n yahoo.com

traceroute to yahoo.com (64.58.79.230), 30 hops max, 40 byte packets

1 208.201.239.32 24.368 ms 28.019 ms 19.114 ms

2 208.201.239.1 21.677 ms 22.644 ms 23.489 ms

3 208.201.224.194 20.41 ms 22.997 ms 23.788 ms

4 208.201.224.5 26.496 ms 23.8 ms 25.752 ms

5 206.24.221.217 26.174 ms 28.077 ms 26.344 ms

6 206.24.210.62 26.484 ms 27.851 ms 25.015 ms

7 206.24.226.103 104.22 ms 114.278 ms 108.575 ms

8 206.24.238.57 99.978 ms 99.028 ms 100.976 ms

9 206.24.238.26 103.749 ms 101.416 ms 101.09 ms

10 216.109.66.132 102.426 ms 104.222 ms 98.675 ms

11 216.33.98.19 99.985 ms 99.618 ms 103.827 ms

12 216.35.210.126 104.075 ms 103.247 ms 106.398 ms

13 64.58.77.41 107.219 ms 106.285 ms 101.169 ms

This means that any server processes running on the client are now fully available to the Internet, at IP address 208.201.239.33. This has all happened without making a single change (e.g., port forwarding) on the gateway 10.42.3.1.

Here’s what the new tunnel interface looks like on the client:

root@client:~# ifconfig tun0

tun0 Link encap:Point-to-Point Protocol

inet addr:208.201.239.33 P-t-P:208.201.239.32 Mask:255.255.255.255

UP POINTOPOINT RUNNING MULTICAST MTU:1500 Metric:1

RX packets:39 errors:0 dropped:0 overruns:0 frame:0

TX packets:39 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:10

RX bytes:2220 (2.1 Kb) TX bytes:1560 (1.5 Kb)

And here’s the updated routing table (note that we still need to keep a host route to the tunnel server’s IP address via our old default gateway; otherwise, the tunnel traffic can’t get out):

root@client:~# route

Kernel IP routing table

Destination Gateway Genmask Flags Metric Ref Use Iface

208.201.239.5 10.42.3.1 255.255.255.255 UGH 0 0 0 eth2

208.201.239.32 * 255.255.255.255 UH 0 0 0 tun0

10.42.3.0 * 255.255.255.192 U 0 0 0 eth2

10.42.4.0 * 255.255.255.192 U 0 0 0 eth0

loopback * 255.0.0.0 U 0 0 0 lo

default 208.201.239.32 0.0.0.0 UG 0 0 0 tun0

To bring down the tunnel, simply kill the vtund process on client. This restores all network settings back to their original states.

This method works fine if you trust VTun to use strong encryption and to be free from remote exploits. Personally, I don’t think you can be too paranoid when it comes to machines connected to the Internet. To use VTun over SSH (and therefore rely on the strong authentication and encryption that SSH provides), simply forward port 5000 on the client to the same port on the server. Give this a try:

root@client:~# ssh -f -N -c blowfish -C -L5000:localhost:5000 server

root@client:~# vtund -p home localhost

root@client:~# traceroute -n yahoo.com

traceroute to yahoo.com (64.58.79.230), 30 hops max, 40 byte packets

1 208.201.239.32 24.715 ms 31.713 ms 29.519 ms

2 208.201.239.1 28.389 ms 36.247 ms 28.879 ms

3 208.201.224.194 48.777 ms 28.602 ms 44.024 ms

4 208.201.224.5 38.788 ms 35.608 ms 35.72 ms

5 206.24.221.217 37.729 ms 38.821 ms 43.489 ms

6 206.24.210.62 39.577 ms 43.784 ms 34.711 ms

7 206.24.226.103 110.761 ms 111.246 ms 117.15 ms

8 206.24.238.57 112.569 ms 113.2 ms 111.773 ms

9 206.24.238.26 111.466 ms 123.051 ms 118.58 ms

10 216.109.66.132 113.79 ms 119.143 ms 109.934 ms

11 216.33.98.19 111.948 ms 117.959 ms 122.269 ms

12 216.35.210.126 113.472 ms 111.129 ms 118.079 ms

13 64.58.77.41 110.923 ms 110.733 ms 115.22 ms

In order to discourage connections to vtund on port 5000 of the server, add a net filter rule to drop connections from the outside world:

root@server:~# iptables -A INPUT -t filter -i eth0 \

-p tcp –dport 5000 -j DROP

This allows local connections to get through (since they use loopback), and therefore requires an SSH tunnel to the server before accepting a connection.

As you can see, this can be an extremely handy tool to have around. In addition to giving live IP addresses to machines behind a NAT, you can effectively connect any two networks if you can obtain a single SSH connection between them (originating from either direction).

If your head is swimming from this vtund.conf configuration or you’re feeling lazy and don’t want to figure out what to change when setting up your own client’s vtund.conf file, take a look at the automatic vtund.conf generator [Hack #79] .