Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I want to make an transparent chain-proxy
using a redirect server and chain proxy client written in Qt for Windows.
I've tried ndis+tdi but it's too complicated for me.
I've started to break through the openVPN code.
So the task is to start dummy tap device even if there no need in OpenVPN connection and redirect packets to some addr:port on wich my redirect server will be bound.
Maybe it is better to implement new plugin functions ??...
You can use OpenVPN's TUN/TAP driver ("TAP-Win32") as-is to implement a network device backed by software. I'm not sure what you mean by "rewritten OpenVPN tun/tap driver"; you don't need to modify any existing code - just write your own program which opens TAP-Win32 and reads and writes frames/packets. You don't need any other part of OpenVPN, just TAP-Win32.
However, if you use the TUN/TAP driver, you will have to deal with individual frames/packets. If you will be redirecting just TCP (i.e. you'll redirect connections not packets), it may be useful to have your redirection program only provide a local SOCKS server. With SOCKS you get to work with connections and not packets. If a given network program supports SOCKS, you can simply tell it to use your SOCKS server.
On the other hand, if you want to be able to redirect for all applications, not just those which understand SOCKS (or you don't want to configure each application for SOCKS), you can use a program which will allow you to forward raw TCP connections (on packet level) through your SOCKS server. See my program tun2socks.
Once you have a program operating a TAP-Win32 device, update the routing table to get packets routed into it. You probably want to make it the default route, overriding any previous default routes. But be aware that the routing table applies to the redirection program itself too, so you need to add specific routes for hosts that the redirection program connects to, or they will end up going back into the TAP device. The tun2socks page expains how to do that when using SSH forwarding.
Update: tun2socks deals only with the TUN device and simply forwards all incoming connections. It doesn't decide what you want to forward. Even if it had some policies (like port numbers), it couldn't do anything useful with that info. For example, if it responds with a reject packet, the connection will simply fail - and the OS will not look for an alternative route. (it could forward connections to different SOCKS servers - but I think that would be of no use in your case)
The feature you seem to need is called "policy routing", and it needs to be offered by your operating system. Unfortunately, it appears that Windows does not provide policy routing. If you really need it, you may want to use Linux instead, which provides many more network-related features than Windows (policy routing being one).
Alternatively, instead of using tun2socks, some userspace socksification tool may work for you. These are programs that hook network-related system calls when launching a specific application, in order to make the connections go, for example, through SOCKS. If such an application supports routing rules, it may fit your needs.
An example of such a tool for Windows is ProxyCap (commercial software), which claims support for "flexible routing rules".
Related
I am setting up port scanner for remote server in my application using Go. I am using DialTimeout function in Go net package to check whether a remote host port is opened or not. The result is fine with success case. But, if i/o timeout happens, I need to identify whether
The port is closed (No service is running) or
Port is blocked (Firewall filtered) or
Due to internet connectivity down in local system where the application is running.
Have tried nmap cli command, I can able to differentiate those failure 3 cases exactly.
nmap command tried: nmap -sA -p port_number host_ip
I found a Go 3rd party libray to use nmap.
But, I don't want to use nmap in my application. Are there any other alternatives in Go to exactly differentiate those 3 cases?
In the simple world
Lets assume you want to scan a Linux system.
If you get an ICMP message type 3 code 3, the firewall explicitly told you:
Hi, I am the firewall of your target host. The host is running. I hereby inform you that you (potentially amongst others) can not access this port. So now that you know you should quit your connection attempts. However, I won't tell you wether it is because there is no service running behind it (in which case my response is simply a courtesy) or because I was told to deny you access. Goodbye!
The port is closed if you do not get above answer and can not make a connection. I hence strongly advice to use context.WithTimeout to make a connection.
In the real world
However, this only applies if the admin of the target host did not change the ICMP message type to respond with - or chose just to drop any packets coming from sources which are not allowed to access the respective service. In the latter case, there is no way for you to know wether the port is closed or filtered.
All of the above only applies if we are talking of an iptables based firewall on the target system with default settings.
Now assume something which is by far more likely: A border firewall plus a local firewall. The border firewall might send other ICMP messages (or, again, simply drop your packages). Those rules apply additionally to the rules of the local firewall. So it is a misconception that you are actually scanning a host. It is more accurate to say that you scan the services reachable via a specific IP.
EDIT
Why would one send an ICMP message explicitly rejecting connection attempts?
There are various reasons to come to that decision. There is a good answer on serverfault.com
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
The community reviewed whether to reopen this question 12 months ago and left it closed:
Not suitable for this site This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Improve this question
I would like to block all connections to my server that use a VPN or Proxy. Is there anyway to detect that a VPN or proxy connection is being used? If not, is there anyway that I can check the likelihood that a VPN or proxy is being used? Lastly, is there anything that I can query or prompt the user with to check if they are using a VPN or Proxy so that if anyone does get through, I can try and perform additional verification? I do not need any information from the user such as location, true IP, or anything like that. I just want to entirely bar connections from VPNs or Proxies.
Edit: I've been thinking that I could potentially run a test to see if there is consistent discrepancies between ping to the VPN IP and the detectable latency of the client, but that sounds pretty unreliable.
Edit2: A proxy or VPN server would likely have many more ports open than a standard home connection so I could use the number of ports open to help gauge the likelihood of a connection coming from a VPN by running a port scan of the person connecting.
Unfortunately, there's is no proper technical way to get the information you want. You might invent some tests, but those will have a very low correlation with the reality. So either you'll not catch those you want, or you'll have a larger number of false positives. Neither can be considered to make sense.
Generating any kind of traffic backwards from an Internet server in response to an incoming client (a port scan, or even a simple ping) is generally frowned upon. Or, in the case of a port scan, it may be even worse for you, eg when the client lives behind a central corporate firewall, the worst of which is when the client comes from behind the central government network firewall pool...
Frankly, IP-based bans (or actually, any kind of limiting focusing on people who do not exclusively possess their public IP address: proxy servers, VPNs, NAT devices, etc) have been unrealistic for a long time, and as the IPv4 pools have been getting depleted in many parts of the world, ISPs are putting more and more clients behind large NAT pools (it's this week's news in my country that the largest ISP, a subsidiary of Deutsche Telekom, has started handing out private IPv4 addresses as a standard way of business to its customers, and people have to ask the provider explicitly to get a public IP address), so there's even less and less point in doing so. If you want to ban clients, you should ban them based on identity (account), and not based on IP address.
At IPinfo we offer a privacy detection API, which will let you know if a connection is coming from a VPN, an anonymous proxy, a tor exit node, or a hosting provider (which could be used to tunnel traffic). Here's an example:
$ curl ipinfo.io/43.241.71.120/privacy?token=$TOKEN
{
"vpn": true,
"proxy": false,
"tor": false,
"hosting": true
}
If you wanted to block connections to your site from VPNs then you could make an API request to get this information, and reply with an error if it's detected as a VPN. In PHP that would look something like this:
$ip = $_SERVER['REMOTE_ADDR'];
$url = "http://ipinfo.io/{$ip}/privacy?token={$IPINFO_API_TOKEN}";
$details = json_decode(file_get_contents($url));
// Just block VPNs
if($details->vpn) {
return echo "VPN Access Blocked!";
}
// Or we could block all the other types of private / anonymous connections...
if($details->vpn || $details->proxy || $details->tor || $details->hosting) {
return echo "Access Blocked!";
}
The simplest way to do this is to use an external service like an API to block VPN or proxy users.
MaxMind and GetIPIntel both offer it via API, you might want to give it a try. GetIPIntel provides free API service so I suggest you try that first.
For OpenVPN, someone used unique MSS values to identify VPN connections but the setup is complicated and it might be "patched" now.
The strategies you've mentioned in your edits don't seem like a very good idea because you'll run into many false positives. Sending out port scans whenever they connect to your service is going to take a lot of time and resources before you get the results.
List of Tor exit nodes is publicly available. You only want "exit nodes" and it's available as CSV. This should be 100% complete and accurate as it's generated directly from Tor directory.
A free list of open proxies is available from iblocklist.com. A free list that incorporates open proxies, Tor nodes and VPN endpoints from ip2location.com.
The last two have most likely limited coverage and accuracy, especially as it comes to VPN exit nodes - there's just too many of them. Some providers take another approach and consider all "hosted subnets" (subnets from which ISPs assign their clients IPs for hosted servers) as some kind of VPN or proxy, as end-users should be connecting from "consumer" subnets.
Yes, you can detect whether an IP belongs to a VPN/ proxy using Shodan. The following Python code shows how to do it:
import shodan
# Setup the API wrapper
api = shodan.Shodan('YOUR API KEY') # Free API key from https://account.shodan.io
# Lookup the list of services an IP runs
ipinfo = api.host(VISITOR_IP)
# Check whether the IP runs a VPN service by looking for the "vpn" tag
if 'tags' in ipinfo and 'vpn' in ipinfo['tags']:
print('{} is connecting from a VPN'.format(VISITOR_IP))
You can also look at the list of ports to determine the likelihood that the visitor is connecting from a HTTP proxy:
if 8080 in ipinfo['ports']:
print('{} is running a web server on a common proxy port'.format(VISITOR_IP))
Btw you can do this now using our new, free InternetDB API. For example:
import requests
VISITOR_IP = "5.45.38.184" # In production this would be the IP of your visitor
info = requests.get(f"https://internetdb.shodan.io/{VISITOR_IP}").json()
if "vpn" in info["tags"]:
print(f"{VISITOR_IP} is connecting from a VPN")
You can download a list of known proxy IP addresses and lookup locally to see if it is VPN, open proxy etcs.
There are several commercial products in the market. IP2Proxy LITE is a free one you can try immediately.
Get (somehow) list of IP of proxy servers.
Measure round trip ping time to user. Helps in online websocket games. Games are playable with ping under 50ms, so you can disconnect users with ping about 100ms and greater with a message "Sorry, too large ping".
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
Do I need to forward these ports? Is there a way to do it on Windows 7? I've tried using a program named smart port forwarding but it crashes when the program is running. Thanks in advance.
You shouldn't need to forward those ports in order to be able to run the applications. Chrome and Steam are connecting through those ports to the internet because they are ones that the operating system says are available for outgoing connections and provided them with that unique port number when each application asked for it.
These applications should all run fine for you, without needing to open any ports. Opening a port is most always to let incoming traffic be accepted, not for outgoing traffic to be stopped. A telltale sign that a port is not open is that no connection can be made. If you tried to connect over the internet (port 80) to most random IP addresses, you won't be able to find anything, because the device at that IP address rejected your attempt to open that port to them. So because you are (I am assuming) able to successfully run both Chrome and Steam and have them be able to connect to the internet, you shouldn't be facing a port forwarding issue. The port numbers are just assigned essentially at random each time that an application needs to open an outgoing socket. (this being a simplification of the whole paradigm, but hopefully enough to be able to answer this question).
Edit: And yes, like #Rumesh-Eranga pointed out as well, port forwarding is done at the router level (on the internet router itself) and not at the computer level. It's a way of saying to the router "alright, any time this network receives a request to open port XYZ, send it to this computer that is connected to our local network."
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
On Windows 7 I have an SSH tunnel running on my local 127.0.0.1:34567 address that I need to access so I can access 12.34.56.78:8080 with the help of SSH proxying for me as I cannot access that IP directly (due to not being on the whitelist).
My basic simple goal therefore is that on Windows whenever I request 12.34.56.78:8080 from anywhere (my browser for instance), I would like the request to instead be diverted to 127.0.0.1:34567 transparently, and I would like a software solution to this instead of a hardware one if possible. I think this is what's usually achieved in Linux by something called iptables, but I'm looking for something I can use on windows.
Does anyone know how this is possible? If I need to use any external Windows program for this, that is fine, but I prefer it to be free.
EDIT: please do not present me with reverse tunnel solutions. My goal is to request the same ip:port that I'm blocked from, but to be able to get to that ip:port successfully through the means of my existing SSH tunnel. Reverse tunnels involve requesting a different ip:port which is not what I'm looking for (I already have a forward tunnel I can use if I wanted to make requests to a different ip:port).
Example scenario: Pretend that you have an C-compiled .exe file whose source code you don't have access to that is hardcoded to request 12.34.56.78:8000 for SOAP webservices. The problem is, your IP is blocked from that ip:port, but you do have access to an SSH server which isn't blocked by 210.212.239.117:8080 and also have an SSH tunnel set up for that SSH server to access that ip:port... but your .exe has the original ip:port hardcoded, so you can't just tell it to request the SSH tunnel ip:port, as it's not possible to change the ip:port to be requested in any way due to it being hardcoded! You would have to have the request to 210.212.239.117:8080 on your computer somehow diverted to your SSH tunnel on the OS level. So how would you get that done?
EDIT 2: I'm not looking for routing tables either (I think). I don't want to modify the route my request goes through to reach target ip:port; I actually want to have the requested ip and port themselves silently changed. I kind of want to achieve something like the hosts file, except instead of resolving hostnames to ips, I want ip:ports to be reresolved to different ip:ports.
Bounty: Sorry, it appears this stackoverflow question of mine counts as Offtopic and isn't eligable for offering a bounty, so sorry to anyone who put in extra work and would have potentially received the bounty!
I haven't found a ready executable, but WFPSampler seems to be promising. It uses the new Windows Filtering Platform API (available since Windows Vista) to manipulate packets.
To use it for redirecting outgoing packets, give a look at Q&A section, there are many examples.
Check out BarbaTunnel: http://barbatunnel.codeplex.com/
TCP-Redirect mode is probably what you're looking for.
You can use a reverse shell. It can mirror a remote port. Use ssh to connect with -R option. For example ssh -R xxxx:localhost:xxxx user:pass#www.server.com. Check this out:http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
Improve this question
I'm writing a windows service which will expose an http RESTful web service for other processes on the machine. This will be deployed to lots of machines on various corporate desktops that I have little/no control over. How should I choose which port my service should listen on?
I'll make it configurable, but need to know how to choose some reasonable default(s).
fyi I'm planning on using .NET 3.5 (unable to use 4.0 for deployment reasons) and WCF with WCF REST Starter Toolkit.
UPDATE: to clarify, these are corporate non-development machines. I want to choose a port that's not likely to be used for anything else. I guess from this list of PORT NUMBERS (thanks #Pascal Thivent) that I should choose one in the dynamic/private range
The Dynamic and/or Private Ports are those from 49152 through 65535
So is there any better way of choosing a port within that range, or do I just choose randomly?
The official assignments registred with the Internet Assigned Numbers Authority (IANA) for HTTP are:
80: standard port for HTTP,
8080: HTTP alternate (commonly used by cache or proxy or web server running as a non-root user)
The ports below are non official ports (not registered with IANA) that are also used:
8081: HTTP alternate
8090: HTTP alternate (used as an alternative to port 8080)
I don't know what kind of machines you are targeting but if they include development machines, I would probably use 8090 to minimize possible conflicts.
References
PORT NUMBERS
List of TCP and UDP port numbers
Ultimately we chose an arbitrary unused port in the Registered Port range - from 1024 through 49151 - and then made it configurable on the offchance someone comes along and uses that port for something else. Best solution would then be to register that port.
We chose not to use a dynamic port as processes are able to arbitrarily start using them, so it'd be less consistent whether the port was available.
If your service is HTTP then you should use port 80 - the standard HTTP port. This is typical of most REST webservices.