[Bug] ICMP packets escapes proxy #361

Open
2 tasks done
balki opened this issue Apr 30, 2024 · 2 comments

balki commented Apr 30, 2024

Verify steps

  • Is this something you can debug and fix? Send a pull request! Bug fixes and documentation fixes are welcome.
  • I have searched on the issue tracker for a related issue.

Version

latest

What OS are you seeing the problem on?

Linux

Description

Started tun2socks using the command below:

tun2socks -device tun0 -proxy socks5:///run/tor/socks

And moved the device to a network namespace.

ip netns add torns
ip link set tun0 netns torns
ip -n torns addr add 198.19.0.1/15 dev tun0
ip -n torns link set dev tun0 up
ip -n torns route add default via 198.19.0.1 dev tun0 metric 100

Inside the namespace, all requests go through tun0 and then via the socks proxy on the unix socket. Everything works as expected except for ping.

ping should either not work or go through the proxy. But instead it goes through the host's default network stack. I am able to ping devices in the local network.

CLI or Config

No response

Logs

No response

How to Reproduce

Create the network namespace as shown above and start a shell in the namespace.

sudo systemd-run --property=NetworkNamespacePath=/run/netns/torns --property=User=$USER --pty --same-dir --wait --collect zsh

Ping a local resource. It should not be able to ping.

❯ ping -c3 192.168.XX.YY
PING 192.168.XX.YY (192.168.XX.YY) 56(84) bytes of data.
64 bytes from 192.168.XX.YY: icmp_seq=1 ttl=64 time=0.257 ms
64 bytes from 192.168.XX.YY: icmp_seq=2 ttl=64 time=0.270 ms
64 bytes from 192.168.XX.YY: icmp_seq=3 ttl=64 time=0.267 ms

Other requests work just fine.

❯ curl --resolve check.torproject.org:443:116.202.120.181 -sL https://check.torproject.org | grep -A5 'Congratula'  | tail   
  <link rel="icon" type="image/x-icon" href="/torcheck/img/tor-not.png" />
  <style>
    html { height: 100%; }
--
      Congratulations. This browser is configured to use Tor.
    
  </h1>
  <p>Your IP address appears to be:  <strong>109.70.100.2</strong></p>

xjasonlyu (Owner) commented

Yes, this is expected. All ping requests will be responded to immediately by tun2socks' netstack.


balki commented May 1, 2024

Thank you! Is it possible to provide a cli flag to disable ICMP?

As a workaround, if I set NoNewPrivileges=yes when starting the shell, ping does not work but regular connections work. But it would be good if it were blocked at the interface level.
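
One way to get the interface-level block asked for above without a tun2socks flag, as an added example that is not part of the thread or of tun2socks itself: netfilter state is per network namespace, so an nftables output rule loaded inside torns can drop echo requests before they reach tun0 and its netstack. The namespace and device names are taken from the issue; the table name torns_icmp is hypothetical, and the script assumes nft and iproute2 are installed and that it is run as root.

```shell
#!/bin/sh
# Added example (not tun2socks code): drop ICMP/ICMPv6 echo requests that
# would leave through the tun device inside the namespace from the issue.

NETNS="${NETNS:-torns}"   # namespace name used in the issue
DEV="${DEV:-tun0}"        # tun device used in the issue

# Emit an idempotent nftables ruleset for the given device name.
# "torns_icmp" is a hypothetical table name chosen for this example.
icmp_drop_ruleset() {
    dev="$1"
    cat <<EOF
add table inet torns_icmp
flush table inet torns_icmp
table inet torns_icmp {
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "$dev" icmp type echo-request counter drop
        oifname "$dev" icmpv6 type echo-request counter drop
    }
}
EOF
}

# Load the ruleset into the namespace only; the host ruleset is untouched.
apply_icmp_drop() {
    icmp_drop_ruleset "$DEV" | ip netns exec "$NETNS" nft -f -
}

# List the table so the drop counters can be checked after a test ping.
show_icmp_drop() {
    ip netns exec "$NETNS" nft list table inet torns_icmp
}

case "${1:-}" in
    apply) apply_icmp_drop ;;
    show)  show_icmp_drop ;;
esac
```

Run it with `apply`, repeat the ping from the reproduction steps inside the namespace, then run it with `show`: the ping should now fail and the counter on the matching rule should have increased.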
