iptable matching rule for STUN/TURN traffic

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP








up vote
0
down vote

favorite












I am looking for finding TURN/STUN packets coming on a 443 port.
According to the TURN RFC, Bytes 46 to 49 are TURN packet magic cookie '2112a442'. Here is the screenshot from wireshark where I found the STUN cookie to be from 46 to 49



I am using -m u32 --u32 "46=0x2112A442" but am not able to filter them.



Here is my complete iptable rule



-A PREROUTING -i eth0 -p tcp --dport 443 -m u32 --u32 "46=0x2112A442" -j REDIRECT --to-port 3478


Any Idea what I could be doing wrong?




iptables nat




share|improve this question





















  • Please edit your question and show us the entire iptables command line, and perhaps some overall context (i.e. you entire iptables rule set).
    – Doug Smythies
    Jun 5 at 14:30










  • How did you get the offset of 46? I calculate 24, but am finding it hard to figure out for certain.
    – Doug Smythies
    Jun 5 at 21:24










  • I got it from wireshark. I captured some wireshark STUN packets and all of them have the magic cookie at this location 46. Please find the screenshot attached from wireshark
    – Mystic monk
    Jun 6 at 5:57










  • Yes, but I do not think that the u32 module includes the ethernet wrapper bytes, so its offset needs to be different (try 32). It is late in my time zone, I'll work on this tomorrow. Thanks for the wireshark screen shot.
    – Doug Smythies
    Jun 6 at 6:29














up vote
0
down vote

favorite












I am looking for finding TURN/STUN packets coming on a 443 port.
According to the TURN RFC, Bytes 46 to 49 are TURN packet magic cookie '2112a442'. Here is the screenshot from wireshark where I found the STUN cookie to be from 46 to 49



I am using -m u32 --u32 "46=0x2112A442" but am not able to filter them.



Here is my complete iptable rule



-A PREROUTING -i eth0 -p tcp --dport 443 -m u32 --u32 "46=0x2112A442" -j REDIRECT --to-port 3478


Any Idea what I could be doing wrong?




iptables nat




share|improve this question





















  • Please edit your question and show us the entire iptables command line, and perhaps some overall context (i.e. you entire iptables rule set).
    – Doug Smythies
    Jun 5 at 14:30










  • How did you get the offset of 46? I calculate 24, but am finding it hard to figure out for certain.
    – Doug Smythies
    Jun 5 at 21:24










  • I got it from wireshark. I captured some wireshark STUN packets and all of them have the magic cookie at this location 46. Please find the screenshot attached from wireshark
    – Mystic monk
    Jun 6 at 5:57










  • Yes, but I do not think that the u32 module includes the ethernet wrapper bytes, so its offset needs to be different (try 32). It is late in my time zone, I'll work on this tomorrow. Thanks for the wireshark screen shot.
    – Doug Smythies
    Jun 6 at 6:29












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I am looking for finding TURN/STUN packets coming on a 443 port.
According to the TURN RFC, Bytes 46 to 49 are TURN packet magic cookie '2112a442'. Here is the screenshot from wireshark where I found the STUN cookie to be from 46 to 49



I am using -m u32 --u32 "46=0x2112A442" but am not able to filter them.



Here is my complete iptable rule



-A PREROUTING -i eth0 -p tcp --dport 443 -m u32 --u32 "46=0x2112A442" -j REDIRECT --to-port 3478


Any Idea what I could be doing wrong?




iptables nat




share|improve this question













I am looking for finding TURN/STUN packets coming on a 443 port.
According to the TURN RFC, Bytes 46 to 49 are TURN packet magic cookie '2112a442'. Here is the screenshot from wireshark where I found the STUN cookie to be from 46 to 49



I am using -m u32 --u32 "46=0x2112A442" but am not able to filter them.



Here is my complete iptable rule



-A PREROUTING -i eth0 -p tcp --dport 443 -m u32 --u32 "46=0x2112A442" -j REDIRECT --to-port 3478


Any Idea what I could be doing wrong?





iptables nat





share|improve this question












share|improve this question




share|improve this question








edited Jun 6 at 6:27









muru

128k19269459




128k19269459









asked Jun 5 at 9:11









Mystic monk

53




53











  • Please edit your question and show us the entire iptables command line, and perhaps some overall context (i.e. you entire iptables rule set).
    – Doug Smythies
    Jun 5 at 14:30










  • How did you get the offset of 46? I calculate 24, but am finding it hard to figure out for certain.
    – Doug Smythies
    Jun 5 at 21:24










  • I got it from wireshark. I captured some wireshark STUN packets and all of them have the magic cookie at this location 46. Please find the screenshot attached from wireshark
    – Mystic monk
    Jun 6 at 5:57










  • Yes, but I do not think that the u32 module includes the ethernet wrapper bytes, so its offset needs to be different (try 32). It is late in my time zone, I'll work on this tomorrow. Thanks for the wireshark screen shot.
    – Doug Smythies
    Jun 6 at 6:29
















  • Please edit your question and show us the entire iptables command line, and perhaps some overall context (i.e. you entire iptables rule set).
    – Doug Smythies
    Jun 5 at 14:30










  • How did you get the offset of 46? I calculate 24, but am finding it hard to figure out for certain.
    – Doug Smythies
    Jun 5 at 21:24










  • I got it from wireshark. I captured some wireshark STUN packets and all of them have the magic cookie at this location 46. Please find the screenshot attached from wireshark
    – Mystic monk
    Jun 6 at 5:57










  • Yes, but I do not think that the u32 module includes the ethernet wrapper bytes, so its offset needs to be different (try 32). It is late in my time zone, I'll work on this tomorrow. Thanks for the wireshark screen shot.
    – Doug Smythies
    Jun 6 at 6:29















Please edit your question and show us the entire iptables command line, and perhaps some overall context (i.e. you entire iptables rule set).
– Doug Smythies
Jun 5 at 14:30




Please edit your question and show us the entire iptables command line, and perhaps some overall context (i.e. you entire iptables rule set).
– Doug Smythies
Jun 5 at 14:30












How did you get the offset of 46? I calculate 24, but am finding it hard to figure out for certain.
– Doug Smythies
Jun 5 at 21:24




How did you get the offset of 46? I calculate 24, but am finding it hard to figure out for certain.
– Doug Smythies
Jun 5 at 21:24












I got it from wireshark. I captured some wireshark STUN packets and all of them have the magic cookie at this location 46. Please find the screenshot attached from wireshark
– Mystic monk
Jun 6 at 5:57




I got it from wireshark. I captured some wireshark STUN packets and all of them have the magic cookie at this location 46. Please find the screenshot attached from wireshark
– Mystic monk
Jun 6 at 5:57












Yes, but I do not think that the u32 module includes the ethernet wrapper bytes, so its offset needs to be different (try 32). It is late in my time zone, I'll work on this tomorrow. Thanks for the wireshark screen shot.
– Doug Smythies
Jun 6 at 6:29




Yes, but I do not think that the u32 module includes the ethernet wrapper bytes, so its offset needs to be different (try 32). It is late in my time zone, I'll work on this tomorrow. Thanks for the wireshark screen shot.
– Doug Smythies
Jun 6 at 6:29










1 Answer
1






active

oldest

votes

















up vote
1
down vote



accepted










The iptables u32 module offsets are referenced to the packet minus the ethernet wrapper (minus the source and destination MAC, 6 bytes each, and the ether type, 2 bytes. Therefore your wireshark offset of 46 needs to adjusted by 14, and should be 32.



Now, for a sanity check, find the type of service byte, which we know from the u32 area of the man pages for iptables-extensions is at offset 9 and we also know is 0x11 (17) for UDP. It is at byte 0x17 (23) of your wireshark screenshot. Counting from there, we also get 32 as the offset you should be using.



EDIT 1: Since the protocol is UDP, you also need to adjust that part of your iptables command. So:



sudo iptables -A PREROUTING -i eth0 -p udp --dport 443 -m u32 --u32 "32=0x2112A442" -j REDIRECT --to-port 3478


EDIT 2: In your example wireshark screen shot, the destination port is 5004, not 443. So the iptables command still will not work for your particular packet example. Maybe this:



sudo iptables -A PREROUTING -i eth0 -p udp --dport 5004 -m u32 --u32 "32=0x2112A442" -j REDIRECT --to-port 3478





share|improve this answer























  • Thanks a lot Doug! That did helped me. It worked for udp! However, TCP packets still I am unable to match. I used 44 (+12 for TCP ) Am I missing something here?
    – Mystic monk
    Jun 6 at 15:40










  • I only learned about this stuff yesterday, but thought that STUN was only on UDP. I do not know about STUN on TCP. Maybe start a new question for TCP, and include a wireshark screenshot again, and include a reference to this question.
    – Doug Smythies
    Jun 6 at 15:52










  • Thats awesome. STUN can used on both tcp and udp. I need to collect wirehark logs. I will start a new question with wireshark log tomorrow.
    – Mystic monk
    Jun 6 at 16:10











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1043752%2fiptable-matching-rule-for-stun-turn-traffic%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
1
down vote



accepted










The iptables u32 module offsets are referenced to the packet minus the ethernet wrapper (minus the source and destination MAC, 6 bytes each, and the ether type, 2 bytes. Therefore your wireshark offset of 46 needs to adjusted by 14, and should be 32.



Now, for a sanity check, find the type of service byte, which we know from the u32 area of the man pages for iptables-extensions is at offset 9 and we also know is 0x11 (17) for UDP. It is at byte 0x17 (23) of your wireshark screenshot. Counting from there, we also get 32 as the offset you should be using.



EDIT 1: Since the protocol is UDP, you also need to adjust that part of your iptables command. So:



sudo iptables -A PREROUTING -i eth0 -p udp --dport 443 -m u32 --u32 "32=0x2112A442" -j REDIRECT --to-port 3478


EDIT 2: In your example wireshark screen shot, the destination port is 5004, not 443. So the iptables command still will not work for your particular packet example. Maybe this:



sudo iptables -A PREROUTING -i eth0 -p udp --dport 5004 -m u32 --u32 "32=0x2112A442" -j REDIRECT --to-port 3478





share|improve this answer























  • Thanks a lot Doug! That did helped me. It worked for udp! However, TCP packets still I am unable to match. I used 44 (+12 for TCP ) Am I missing something here?
    – Mystic monk
    Jun 6 at 15:40










  • I only learned about this stuff yesterday, but thought that STUN was only on UDP. I do not know about STUN on TCP. Maybe start a new question for TCP, and include a wireshark screenshot again, and include a reference to this question.
    – Doug Smythies
    Jun 6 at 15:52










  • Thats awesome. STUN can used on both tcp and udp. I need to collect wirehark logs. I will start a new question with wireshark log tomorrow.
    – Mystic monk
    Jun 6 at 16:10















up vote
1
down vote



accepted










The iptables u32 module offsets are referenced to the packet minus the ethernet wrapper (minus the source and destination MAC, 6 bytes each, and the ether type, 2 bytes. Therefore your wireshark offset of 46 needs to adjusted by 14, and should be 32.



Now, for a sanity check, find the type of service byte, which we know from the u32 area of the man pages for iptables-extensions is at offset 9 and we also know is 0x11 (17) for UDP. It is at byte 0x17 (23) of your wireshark screenshot. Counting from there, we also get 32 as the offset you should be using.



EDIT 1: Since the protocol is UDP, you also need to adjust that part of your iptables command. So:



sudo iptables -A PREROUTING -i eth0 -p udp --dport 443 -m u32 --u32 "32=0x2112A442" -j REDIRECT --to-port 3478


EDIT 2: In your example wireshark screen shot, the destination port is 5004, not 443. So the iptables command still will not work for your particular packet example. Maybe this:



sudo iptables -A PREROUTING -i eth0 -p udp --dport 5004 -m u32 --u32 "32=0x2112A442" -j REDIRECT --to-port 3478





share|improve this answer























  • Thanks a lot Doug! That did helped me. It worked for udp! However, TCP packets still I am unable to match. I used 44 (+12 for TCP ) Am I missing something here?
    – Mystic monk
    Jun 6 at 15:40










  • I only learned about this stuff yesterday, but thought that STUN was only on UDP. I do not know about STUN on TCP. Maybe start a new question for TCP, and include a wireshark screenshot again, and include a reference to this question.
    – Doug Smythies
    Jun 6 at 15:52










  • Thats awesome. STUN can used on both tcp and udp. I need to collect wirehark logs. I will start a new question with wireshark log tomorrow.
    – Mystic monk
    Jun 6 at 16:10













up vote
1
down vote



accepted







up vote
1
down vote



accepted






The iptables u32 module offsets are referenced to the packet minus the ethernet wrapper (minus the source and destination MAC, 6 bytes each, and the ether type, 2 bytes. Therefore your wireshark offset of 46 needs to adjusted by 14, and should be 32.



Now, for a sanity check, find the type of service byte, which we know from the u32 area of the man pages for iptables-extensions is at offset 9 and we also know is 0x11 (17) for UDP. It is at byte 0x17 (23) of your wireshark screenshot. Counting from there, we also get 32 as the offset you should be using.



EDIT 1: Since the protocol is UDP, you also need to adjust that part of your iptables command. So:



sudo iptables -A PREROUTING -i eth0 -p udp --dport 443 -m u32 --u32 "32=0x2112A442" -j REDIRECT --to-port 3478


EDIT 2: In your example wireshark screen shot, the destination port is 5004, not 443. So the iptables command still will not work for your particular packet example. Maybe this:



sudo iptables -A PREROUTING -i eth0 -p udp --dport 5004 -m u32 --u32 "32=0x2112A442" -j REDIRECT --to-port 3478





share|improve this answer















The iptables u32 module offsets are referenced to the packet minus the ethernet wrapper (minus the source and destination MAC, 6 bytes each, and the ether type, 2 bytes. Therefore your wireshark offset of 46 needs to adjusted by 14, and should be 32.



Now, for a sanity check, find the type of service byte, which we know from the u32 area of the man pages for iptables-extensions is at offset 9 and we also know is 0x11 (17) for UDP. It is at byte 0x17 (23) of your wireshark screenshot. Counting from there, we also get 32 as the offset you should be using.



EDIT 1: Since the protocol is UDP, you also need to adjust that part of your iptables command. So:



sudo iptables -A PREROUTING -i eth0 -p udp --dport 443 -m u32 --u32 "32=0x2112A442" -j REDIRECT --to-port 3478


EDIT 2: In your example wireshark screen shot, the destination port is 5004, not 443. So the iptables command still will not work for your particular packet example. Maybe this:



sudo iptables -A PREROUTING -i eth0 -p udp --dport 5004 -m u32 --u32 "32=0x2112A442" -j REDIRECT --to-port 3478






share|improve this answer















share|improve this answer



share|improve this answer








edited Jun 6 at 14:36


























answered Jun 6 at 14:07









Doug Smythies

6,24631426




6,24631426











  • Thanks a lot Doug! That did helped me. It worked for udp! However, TCP packets still I am unable to match. I used 44 (+12 for TCP ) Am I missing something here?
    – Mystic monk
    Jun 6 at 15:40










  • I only learned about this stuff yesterday, but thought that STUN was only on UDP. I do not know about STUN on TCP. Maybe start a new question for TCP, and include a wireshark screenshot again, and include a reference to this question.
    – Doug Smythies
    Jun 6 at 15:52










  • Thats awesome. STUN can used on both tcp and udp. I need to collect wirehark logs. I will start a new question with wireshark log tomorrow.
    – Mystic monk
    Jun 6 at 16:10

















  • Thanks a lot Doug! That did helped me. It worked for udp! However, TCP packets still I am unable to match. I used 44 (+12 for TCP ) Am I missing something here?
    – Mystic monk
    Jun 6 at 15:40










  • I only learned about this stuff yesterday, but thought that STUN was only on UDP. I do not know about STUN on TCP. Maybe start a new question for TCP, and include a wireshark screenshot again, and include a reference to this question.
    – Doug Smythies
    Jun 6 at 15:52










  • Thats awesome. STUN can used on both tcp and udp. I need to collect wirehark logs. I will start a new question with wireshark log tomorrow.
    – Mystic monk
    Jun 6 at 16:10
















Thanks a lot Doug! That did helped me. It worked for udp! However, TCP packets still I am unable to match. I used 44 (+12 for TCP ) Am I missing something here?
– Mystic monk
Jun 6 at 15:40




Thanks a lot Doug! That did helped me. It worked for udp! However, TCP packets still I am unable to match. I used 44 (+12 for TCP ) Am I missing something here?
– Mystic monk
Jun 6 at 15:40












I only learned about this stuff yesterday, but thought that STUN was only on UDP. I do not know about STUN on TCP. Maybe start a new question for TCP, and include a wireshark screenshot again, and include a reference to this question.
– Doug Smythies
Jun 6 at 15:52




I only learned about this stuff yesterday, but thought that STUN was only on UDP. I do not know about STUN on TCP. Maybe start a new question for TCP, and include a wireshark screenshot again, and include a reference to this question.
– Doug Smythies
Jun 6 at 15:52












Thats awesome. STUN can used on both tcp and udp. I need to collect wirehark logs. I will start a new question with wireshark log tomorrow.
– Mystic monk
Jun 6 at 16:10





Thats awesome. STUN can used on both tcp and udp. I need to collect wirehark logs. I will start a new question with wireshark log tomorrow.
– Mystic monk
Jun 6 at 16:10













 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1043752%2fiptable-matching-rule-for-stun-turn-traffic%23new-answer', 'question_page');

);

Post as a guest
































































-

Popular posts from this blog

GRUB: Fatal! inconsistent data read from (0x84) 0+xxxxxx

Image
Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite Can anybody help me with this messages at (before) grub starts booting? . . Fatal! inconsistent data read from (0x84) 0+xxxxxx . Fatal! inconsistent data read from (0x84) n+yyyyyy . (hd0,4) This is running in dual boot with windows 7. Both Windows and Ubuntu are running flawlessly, except for this "errors" list. boot grub2 share | improve this question edited Apr 8 at 12:59 Byte Commander 59.4k 26 159 267 asked Apr 8 at 12:56 Viciente 6 1 add a comment  |  up vote 1 down vote favorite Can anybody help me with this messages at (before) grub starts booting? . . Fatal! inconsistent data read from (0x84) 0+xxxxxx . Fatal! inconsistent data read from (0x84) n+yyyyyy . (hd0,4) This is running in dual boot with windows 7. Both Windows and Ubuntu are running flawlessly, except for this "errors" list. boot grub2 share | improve th...
Read more

`kcmshell` modules relation with `/usr/share/applications`

Image
Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite A Little Background I am using Plasma V 5.5.5 , Qt V 5.5.1 , Kernel 4.4.0-116 , in a 64Bits OS with Kubuntu 16.04. I like the Phonon GUI to test Right and Left speakers separately, so I said, let's add it to the Favorites panel in the KDE dash: a simple drag and drop would do it. I did it, obtaining the following as a response when clicking the icon in the Favorites Panel: There had to be a workaround, I decided to go to the plasma-org.kde.plasma.desktop-appletsrc file, located at /home/toquica/.config , where I would look for the favoritesApps line (the one starting with [Containments][131][Applets][149][Configuration][General] because I am using the Application Dashboard option for the dash) and I actually found the entry: kcm_phonon.desktop . A Problem to a Solution I then decided to go to /usr/share/applications and create the file kcm_phonon.desktop with some information like: [Desktop Entry] Versio...
Read more

How to enroll fingerprints to Ubuntu 17.10 with VFS491

Image
Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I decided to switch from Windows to Ubuntu 17.10, I meet it like 8 years ago and I didn't decided to switch until now (haha). Well, my actual device is an HP Probook 4540s with a Validity fingerprint sensor (VFS491). The fingerprint sensor worked fine on Windows but I can't get it to work in Ubuntu. The device is recognized as 138a:003d but is not detected as a fingerprint scanner by some apps like Fingerprint GUI. I want to use the fingerprint scanner to log in into my user account in Ubuntu but it doesn't supports fingerprints without special software and the drivers of the fingerprint scanner are available for Windows but not for any Linux distribution. I found something on GitHub (https://github.com/eekpie/libfprint) about the integration of the VFS491 in libfprint and I think it can help but I don't know what to do with it, so that's why I need the help of the community to do it since I am...
Read more