Telex setup (high level):

NotBlocked ---- Router ----- ..(internet).. --- Client
                  |
            Telex Station
=======================
Overview
=======================
Below is an overview of the different pieces of Telex. You will also need to
read the Installing Telex section to compile/install the various components.
The telex-station-x.x.x.tar.gz should be extracted in your home directory on
both the Router and the Telex Station. The station specific code is in
'station', and the router specific in 'router'. The 'common' directory
contains code used by both.
Telex Station
===
The Telex Station has a tap interface off the Router: it gets a copy of all
interesting packets (i.e. TCP port 443), regardless of which flows are
currently being blocked in the Router. On the Telex Station, you'll run 3 things:
- bro
- bronnect
- service (we chose the squid HTTP proxy for our service)
The interface on the Telex Station (eth0) should be assigned two IPs: a
public IP used to contact Blocked domains, and a private one (10.4.0.2) used to
communicate with the flow_blocker running on the Router.
Our example /etc/network/interfaces (on the Telex Station):
---------------------------
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 141.212.109.159
netmask 255.255.255.0
gateway 141.212.109.1
auto eth0:1
iface eth0:1 inet static
address 10.4.0.2
netmask 255.255.255.0
-------------------------
Router
===
The Router has three interfaces:
eth0 goes to the NotBlocked webserver side
eth1 goes to the Internet/Client side
eth2 is the tap to Telex Station
Our example /etc/network/interfaces (on the Router):
----------------------------
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
address 141.212.109.158 # set this to whatever public IP you'd like for your router
netmask 255.255.255.0
gateway 141.212.109.1
bridge_ports all
auto br0:0
iface br0:0 inet static
address 10.4.0.1 # used to communicate privately with telex/bronnect (for flow-blocker)
netmask 255.255.255.0
auto eth0
auto eth1
auto eth2
-----------------------------------
On the Router, you'll need to run (by running ./router.sh):
- flow_blocker
Client
===
The Client connects, via the Router, to some site on the Internet (e.g.
notblocked.com). Its SSL client random is generated by the tag code using the
Telex public key. The Telex Station observes that a particular packet is tagged,
and commands the Router to block the flow.
NotBlocked
===
NotBlocked is just a simple web server serving a page over HTTPS. We went with
apache/mod_ssl, as provided by Ubuntu, though anything that will pick
CBC_AES_256_SHA1_DHE as its preferred cipher suite will work (this is the only
cipher suite Telex supports so far).
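The two constraints above (the tag rides in the ClientHello's 32-byte client random, and the server must select the one cipher suite Telex supports) are easy to check on the station side by parsing the first handshake record in each direction of a tcp/443 flow. The following is an added example, not code from the Telex project: it extracts the client random (the field the project's tag code would then examine; the tag check itself is not reproduced here), lists the offered suites, reads the suite the server chose, and reports whether the flow is usable. The ClientHello and ServerHello bytes are constructed inline, not captured traffic, and the cipher suite is identified by its IANA code point 0x0039 (TLS_DHE_RSA_WITH_AES_256_CBC_SHA), which is assumed to be what the page calls CBC_AES_256_SHA1_DHE.

```python
import struct

# IANA code point for TLS_DHE_RSA_WITH_AES_256_CBC_SHA, assumed to be the suite
# the page refers to as CBC_AES_256_SHA1_DHE / AES_256_CBC_DHE_RSA_SHA1.
TELEX_SUITE = 0x0039

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 1
SERVER_HELLO = 2


def parse_handshake(record):
    """Return (msg_type, body) for the first handshake message in a TLS record."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    frag = record[5:5 + rec_len]
    if len(frag) != rec_len or len(frag) < 4:
        raise ValueError("truncated TLS record")
    msg_len = int.from_bytes(frag[1:4], "big")
    body = frag[4:4 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated handshake message")
    return frag[0], body


def parse_client_hello(record):
    """Extract the 32-byte client random (where the Telex tag lives) and the
    list of offered cipher suites from a ClientHello."""
    msg_type, body = parse_handshake(record)
    if msg_type != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    client_random = body[2:34]            # skip the 2-byte client_version
    pos = 34
    pos += 1 + body[pos]                  # skip session_id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return client_random, suites


def parse_server_hello(record):
    """Extract the server random and the single cipher suite the server chose."""
    msg_type, body = parse_handshake(record)
    if msg_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    server_random = body[2:34]
    pos = 34
    pos += 1 + body[pos]                  # skip session_id
    chosen = struct.unpack("!H", body[pos:pos + 2])[0]
    return server_random, chosen


def flow_usable_by_telex(client_hello, server_hello):
    """True only if the client offered, and the server selected, the one
    cipher suite Telex supports."""
    _, offered = parse_client_hello(client_hello)
    _, chosen = parse_server_hello(server_hello)
    return TELEX_SUITE in offered and chosen == TELEX_SUITE


# --- constructed sample messages for the demo (not captured traffic) --------

def _record(msg_type, body):
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 3, 1]) + struct.pack("!H", len(hs)) + hs


def build_client_hello(client_random, suites):
    body = b"\x03\x01" + client_random + b"\x00"      # TLS 1.0, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # one compression method: null
    return _record(CLIENT_HELLO, body)


def build_server_hello(server_random, suite):
    body = b"\x03\x01" + server_random + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(SERVER_HELLO, body)


SAMPLE_CLIENT_RANDOM = bytes(range(32))        # constructed; stands in for a tagged random
SAMPLE_SERVER_RANDOM = bytes(range(32, 64))
CLIENT = build_client_hello(SAMPLE_CLIENT_RANDOM, [TELEX_SUITE, 0x002F])
GOOD_SERVER = build_server_hello(SAMPLE_SERVER_RANDOM, TELEX_SUITE)
BAD_SERVER = build_server_hello(SAMPLE_SERVER_RANDOM, 0x002F)  # TLS_RSA_WITH_AES_128_CBC_SHA

if __name__ == "__main__":
    print("client random:", parse_client_hello(CLIENT)[0].hex())
    print("usable:", flow_usable_by_telex(CLIENT, GOOD_SERVER),
          flow_usable_by_telex(CLIENT, BAD_SERVER))
```

A server that prefers a different suite (the BAD_SERVER case) silently makes the flow useless to Telex even though the client offered the right one, which is why the NotBlocked server's cipher preference matters as much as its support.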
=========================
Installing Telex
=========================
Router install:
===
flow-blocker listens for commands from bronnect (running on the Telex Station),
and blocks or unblocks flows when commanded.
For flow-blocker to work (fast enough) we had to use ipset and iptables.
We also needed a more recent version of iptables than Ubuntu ships with, to
support the --TEE target (see router.sh).
sudo apt-get install libevent-dev pkg-config libglib2.0-dev libpcap-dev
Update iptables (Ubuntu): add to /etc/apt/sources.list:
deb http://mirrors.us.kernel.org/ubuntu/ natty main
then run:
sudo apt-get install iptables
You may need to compile Linux from source to get ipset; I've included our
kernel config file in net/config-2.6.35.10 (it may or may not be useful to you).
# compile flow_blocker:
cd ~/telex-station/router/flow-blocker/
make flow_blocker
# optionally fix router.fw, our firewall rules that get loaded.
# (I stripped out most of our deployment specific ones.)
# update router.sh to have correct public IP for telex
# and fix paths if needed.
Client install:
===
See https://telex.cc/software.html
Telex Station install:
===
Linux module:
We needed a Linux kernel module to allow bronnect to take over a TCP connection
mid-stream. For example, we patiently watch the SYN/SYN-ACK/ACK handshake,
then some data; then we block the connection and want to be able to call
send/recv on a socket and have it inject packets with correct seq/ack numbers
into that connection.
See linuxmod/SETUP and NOTES for more information on installing it
(you'll need to compile Linux from source).
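The bookkeeping behind that module is the same passive sequence tracking an IDS does: from the handshake on, record each side's next sequence number so that, once the Router blocks the original flow, a segment sent toward either peer carries the seq it expects and acks what it has sent. The example below is added here and is not the project's code or the kernel module itself; it models one flow from constructed segment summaries (direction, seq, SYN/FIN flags, payload length), handles retransmissions and 32-bit wraparound, and reports the (seq, ack) pair an injected segment would need. Segment, FlowTracker and demo_flow are names chosen for this example.

```python
from collections import namedtuple

SEQ_MOD = 1 << 32

# Constructed summary of one observed TCP segment; direction is "c2s"
# (client -> server) or "s2c" (server -> client).
Segment = namedtuple("Segment", "direction seq syn fin payload_len")


def seq_before(a, b):
    """True if sequence number a precedes b, modulo 2^32."""
    return ((a - b) & (SEQ_MOD - 1)) > (SEQ_MOD // 2)


class FlowTracker:
    """Passively follows one TCP flow's sequence space from the handshake on,
    the way a tap-side observer must before it can continue the flow:
    an injected segment has to carry the seq the peer expects next and
    acknowledge the bytes that peer has already sent."""

    def __init__(self):
        self.next_seq = {"c2s": None, "s2c": None}   # next seq each side will send
        self.syn_seen = {"c2s": False, "s2c": False}
        self.established = False

    @staticmethod
    def _other(direction):
        return "s2c" if direction == "c2s" else "c2s"

    def observe(self, seg):
        # SYN and FIN each occupy one sequence number; payload occupies its length.
        consumed = seg.payload_len + int(seg.syn) + int(seg.fin)
        if seg.syn:
            # The SYN announces this side's ISN; start tracking the direction.
            self.syn_seen[seg.direction] = True
            self.next_seq[seg.direction] = (seg.seq + consumed) % SEQ_MOD
            return "syn"
        expected = self.next_seq[seg.direction]
        if expected is None:
            raise ValueError("segment before SYN in direction " + seg.direction)
        if seg.seq == expected:
            self.next_seq[seg.direction] = (expected + consumed) % SEQ_MOD
            if seg.direction == "c2s" and all(self.syn_seen.values()):
                self.established = True      # client's ACK completes the handshake
            return "advance"
        if seq_before(seg.seq, expected):
            return "retransmit"              # already accounted for; do not advance
        return "gap"                         # a segment was missed; caller must resync

    def next_segment(self, direction):
        """(seq, ack) that a segment injected in `direction` must carry."""
        if not self.established:
            raise RuntimeError("handshake not complete")
        return self.next_seq[direction], self.next_seq[self._other(direction)]


def demo_flow():
    """Handshake, one request, one response, then a client retransmission."""
    t = FlowTracker()
    events = [t.observe(s) for s in [
        Segment("c2s", 1000, True, False, 0),     # SYN
        Segment("s2c", 5000, True, False, 0),     # SYN-ACK
        Segment("c2s", 1001, False, False, 0),    # ACK
        Segment("c2s", 1001, False, False, 100),  # 100 bytes of client data
        Segment("s2c", 5001, False, False, 200),  # 200 bytes of server data
        Segment("c2s", 1001, False, False, 100),  # client data retransmitted
    ]]
    return t, events


if __name__ == "__main__":
    tracker, events = demo_flow()
    print(events)
    print("toward client:", tracker.next_segment("s2c"))
    print("toward server:", tracker.next_segment("c2s"))
```

The retransmission case is the one that bites in practice: a tap sees every copy of a segment, so advancing on each would desynchronise the tracker from the real endpoints, and the "gap" result is the signal that the observer lost a segment and can no longer safely continue the flow.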
build tag:
sudo apt-get install cmake libgmp3-dev
cd ~/telex-station/tag/ && make tag.o
build bro:
sudo apt-get install libpcap-dev libncurses5-dev bison flex python-dev
cd ~/telex-station/bro-1.5.1/ && ./configure
make && sudo make install
build bronnect:
sudo apt-get install libevent-dev libglib2.0-dev
cd /home/ewust/telex/net/
make bronnect
sudo make install
===============================================
Telex setup: (how to run/where to run it)
===============================================
NotBlocked
===
TLS web server (make sure it supports AES_256_CBC_DHE_RSA_SHA1)
Router
===
cd ~/telex-station/router/net/
sudo ./router.sh
Telex Station
===
- run the service on the Telex Station (it must be listening before bro/bronnect start / get their first connection):
e.g. squid http proxy
- run bro/bronnect on the Telex Station:
# make sure you update run_bro_remote.sh before running this.
# you'll need to set it to use your MAC address - see comments in run_bro_remote.sh
sudo ~/telex-station/run_telex.sh # may need to update paths to binaries
- note: make sure the brohome dir has a privkeys file in it.
Generate a privkey and the corresponding pubkey in the tag folder:
cd ~/telex-station/station/tag/
make genkeys
./genkeys # will create pubkey and privkey. Give pubkey to the telex-client.
To generate a privkeys file from privkey (Telex currently supports multiple private keys,
to differentiate multiple services), simply run (from the tag folder):
./package_keys.py ./privkey 3128 > ../brohome/privkeys
# note: 3128 is the default port that the squid http proxy listens on.
Client
====
# see the documentation for more options if needed
./telex-client notblocked.telex.cc
# now you should be able to use localhost:8888 as an HTTP proxy on your client.
from https://github.com/ewust/telex/tree/master/telex-station
https://github.com/ewust/telex