Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
#on the server
#route traffic to the IP through the tun interface
route add -host 10.1.2.3 dev tun0
#idea: may need to route to the tun IP endpoint; note that both are sent through the tunnel...
route add -host 10.1.2.3 gw 10.129.129.1
#on the client
#DEST NAT traffic to that IP to the PIN_IP:PIN_PORT
#note: it should be possible to leave out the protocol option
iptables -t nat -A PREROUTING -p tcp -d 10.1.2.3 -j DNAT --to ${PIN_IP}
#note: don't forget to masq output to FT's LAN IP
# this step seems to work for inbound requests, but might be what is breaking initial outbound connections from the PIN_IP, e.g. 192.168.1.128
# on 2.6 kernels/margarita
iptables -t nat -A POSTROUTING -o eth1 -s 10.129.66.1 -j SNAT --to-source 192.168.1.12
# on 2.4 FT(s)
iptables -t nat -A POSTROUTING -p tcp -s 10.129.66.1 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp -s 10.129.66.1 -j MASQUERADE
# iptables -t nat -A POSTROUTING -p udp -s 10.129.66.1 -o br0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -p tcp -s 10.129.66.1 -o br0 -j MASQUERADE
# example of outbound client-based rule
# iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.128 -o tun0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -p udp -s 192.168.1.128 -o tun0 -j MASQUERADE
#make sure the traffic isn't dropped by any other firewall rules
#TODO add interface or src criteria to rule to further lock down
iptables -t filter -I FORWARD 1 -d 192.168.1.128 -j ACCEPT
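As an added example (not part of these notes), the following Python audit parses rules in iptables-save format and flags the under-scoped ones the TODO above is about: destination NAT with no inbound interface, source NAT with no egress interface, and ACCEPT rules with neither an interface nor a source match. The sample rule set is constructed from the addresses used in the notes, not captured from a live box, and the scoping criteria are this example's own choice.

```python
"""Flag iptables NAT/filter rules that lack interface or source scoping.

Added example, not part of the original notes. Reads text in iptables-save
format and reports rules that apply more broadly than a locked-down
configuration would want (see the notes' TODO about adding -i / -s criteria).
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in iptables-save format, modelled on the rules in the
# notes (same addresses). It is not captured output from any system.
SAMPLE_RULES = """\
*nat
-A PREROUTING -p tcp -d 10.1.2.3 -j DNAT --to-destination 192.168.1.128
-A POSTROUTING -p tcp -s 10.129.66.1 -j MASQUERADE
-A POSTROUTING -p udp -s 10.129.66.1 -o br0 -j MASQUERADE
-A PREROUTING -d 10.1.2.1 -j REDIRECT
COMMIT
*filter
-A FORWARD -d 192.168.1.128 -j ACCEPT
-A INPUT -i tun0 -s 10.129.66.1 -d 127.0.0.1 -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    table: str
    chain: Optional[str]
    target: Optional[str]
    in_iface: Optional[str]
    out_iface: Optional[str]
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    raw: str


# Single-argument options whose values the audit needs.
_OPTS = {"-A": "chain", "-i": "in_iface", "-o": "out_iface", "-s": "src",
         "-d": "dst", "-p": "proto", "-j": "target"}


def parse_rules(text: str) -> List[Rule]:
    """Parse '-A CHAIN ...' lines from iptables-save output into Rule objects."""
    rules: List[Rule] = []
    table = "?"
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # '*nat', '*filter': table header
            table = line[1:]
            continue
        if not line.startswith("-A "):      # skip ':CHAIN POLICY [0:0]' lines
            continue
        fields = {k: None for k in _OPTS.values()}
        toks = shlex.split(line)
        i = 0
        while i < len(toks):
            tok = toks[i]
            if tok == "!":
                # A negated match ('! -i tun0') does not narrow the rule to
                # one interface or source, so it does not count as scoping.
                i += 3
                continue
            if tok in _OPTS and i + 1 < len(toks):
                fields[_OPTS[tok]] = toks[i + 1]
                i += 2
            else:
                i += 1                      # option we do not model, or a flag
        rules.append(Rule(table=table, raw=line, **fields))
    return rules


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (rule, reason) pairs for rules that match too broadly."""
    findings: List[Tuple[str, str]] = []
    for r in parse_rules(text):
        if (r.table == "nat" and r.chain == "PREROUTING"
                and r.target in ("DNAT", "REDIRECT") and r.in_iface is None):
            findings.append((r.raw, "destination NAT on every inbound interface; add -i"))
        elif (r.table == "nat" and r.chain == "POSTROUTING"
                and r.target in ("SNAT", "MASQUERADE") and r.out_iface is None):
            findings.append((r.raw, "source NAT on every egress interface; add -o"))
        elif (r.table == "filter" and r.target == "ACCEPT"
                and r.in_iface is None and r.src is None):
            findings.append((r.raw, "accepts from any interface and any source; add -i and/or -s"))
    return findings


if __name__ == "__main__":
    for raw, reason in audit(SAMPLE_RULES):
        print(f"{reason}\n    {raw}")
```

On a real host the input would come from `iptables-save` rather than the constructed string; the audit is deliberately conservative and only understands the handful of match options listed in `_OPTS`, so a rule scoped by some other match (a mark or a conntrack state, for instance) would still be reported.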
# Access to FT local interface, from the proxy server
# on 2.6 kernels/margarita
iptables -t filter -I RH-Firewall-1-INPUT 1 -s 10.129.66.1 -j ACCEPT
# on 2.4 FT(s)
iptables -t filter -I INPUT 1 -s 10.129.66.1 -j ACCEPT
#the following is an alternative strategy that doesn't work yet
route add -host 10.1.2.1 gw 10.129.129.1
# on the FT
# this rule is not getting any packets, even without the -i tun0 option
iptables -t filter -I INPUT -i tun0 -s 10.129.66.1 -d 127.0.0.1 -j ACCEPT
#this rule is being applied, but packet lost
iptables -t nat -A PREROUTING -d 10.1.2.1 -j DNAT --to 127.0.0.1
#this rule doesn't quite work yet either
iptables -t nat -A PREROUTING -d 10.1.2.1 -j REDIRECT