I’ve just been playing with icmptx, a system for tunneling IP over ICMP Echo which could be handy if I ever find myself blocked by firewalls. Unfortunately the documentation is lacking. Below is a sample configuration that works for me, all you have to do is to put the correct IP address in for SERVERIP in both scripts and it should work. I’m not sure what the ideal value for the MTU is, 65535 is the largest possible. For transmission it usually won’t make any difference as the occasions when I need such things will usually be download-only sessions and the ACK packets will be quite small. For receiving data the server has an MTU of 1500 on the Ethernet port so nothing bigger than that will come in. Presumably when downloading data the packets will be transmitted in two ICMP fragments.
One interesting feature of the program is that it doesn’t match requests and replies. I presume this is because any firewall that only allows one reply per echo request will probably ensure that the reply contents match the request contents, so they just assume that a firewall will let all ICMP echo/reply traffic through. The upside of this is that it should give lower round trip times than any tunneling system that polls for return data.
I’ve filed some Debian bug reports about it, bug #609413 is a request for it to set icmp_echo_ignore_all when it’s running and also emulate the regular PING functionality. Bug #609412 is a request for it to assign the IP address to the tun0 interface. Bug #609414 is a request for the server side of it to call daemon(0,0).
I won’t leave this running. Having to run a virtual server with the regular ICMP functionality disabled is too much effort for the small benefit that using ICMP tunneling may offer over DNS tunneling.
My configuration scripts (with the IP address removed) are below.
Configuration
Server
#!/bin/sh
set -e
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
icmptx -s SERVERIP &
sleep 0.5
ifconfig tun0 mtu 65535 10.10.10.1 netmask 255.255.255.0
Client
#!/bin/sh
set -e
killall icmptx || true
icmptx -c SERVERIP &
sleep 0.5
ifconfig tun0 mtu 65535 10.10.10.2 netmask 255.255.255.0
wait
nice article. tried the software and it actually works, a little slow if opening many connections but that is expected with tcp-in-tcp tunnelling.
just an information, what software are you using for DNS tunnelling?
thanks
uovobw: I believe that icmptx is buggy in terms of performance. It’s NOT doing TCP-in-TCP tunneling, it’s TCP in ICMP which is identical to IP in UDP in terms of packet loss etc.
For DNS tunneling I use iodine.