updated readme a bit

pull/1/head
Niels Werensteijn 8 years ago
parent
commit
31bad73504
8
README.md

@ -8,7 +8,7 @@ This set of plugins is designed to let the Linux kernel (or rather netfilter) ha @@ -8,7 +8,7 @@ This set of plugins is designed to let the Linux kernel (or rather netfilter) ha
## Protocol background and module description
When a TeamSpeak 3 client attempts to connect to a TeamSpeak 3 server, it sends out a "get cookie" packet. The server then replies with a "set cookie" packet. This packet has some secret information about the connection details. The client then response with a "get puzzle" packet. This packet includes the cookie that it got previously. The server now validates this cookie and if its correct it continues with the rest of the connection packets.
This software packages comes with two netfilter match extensions, and two netfilter target extensions which we will discus next. These extensions combined with some other netfilter modules, can take over the initial connection phase for a TeamSpeak 3 server. This makes it possible to prevent any packet that has not been verified to come from the ip address it claims as it's source, to reach the TeamSpeak 3 server.
This software packages comes with two netfilter match extensions, and three netfilter target extensions which we will discus next. These extensions combined with some other netfilter modules, can take over the initial connection phase for a TeamSpeak 3 server. This makes it possible to prevent any packet that has not been verified to come from the ip address it claims as it's source, to reach the TeamSpeak 3 server.
## Match extensions
The first match extensions is called *ts3init_get_cookie*. It matches if the packet in question is a valid TeamSpeak 3 "get cookie" packet from the client. There are additional parameters that can be set:
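Review bot: Wording errors survive in the rewritten sentence of the "Protocol background and module description" paragraph: "This software packages comes", "discus" and "it's source" are carried over unchanged from the line being replaced. Since the sentence is touched anyway, suggest "This software package comes with two netfilter match extensions and three netfilter target extensions, which we will discuss next" and "its source". It is also worth confirming that the "Target extensions" section really describes three targets now; the only one visible in this patch is introduced as "The second target extension".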
@ -28,11 +28,11 @@ $ iptables -m ts3init_get_puzzle -h @@ -28,11 +28,11 @@ $ iptables -m ts3init_get_puzzle -h
ts3init_get_puzzle match options:
--min-client n The sending client needs to be at least version.
--check-cookie Check that the cookie was generated by same seed.
--seed <seed> Seed is a 60 byte lowercase hex number in.
--random-seed <seed> Seed is a 60 byte hex number.
A source could be /dev/random.
--seed-file <file> Read the seed from a file.
--random-seed-file <file> Read the seed from a file.
```
The min-client parameter is the same as above. The check-cookie parameter matches if it matches the cookie that was generated in the netfilter target extension ts3init_set_cookie. To match the seed needs to be exactly the same of course. It is possible to check cookies that were generated on a different machine, provided that those machines have the same date and time, and the seem seed specified. In other words: The cookie is created in a deterministic way, depending only on the current time and the seed.
The min-client parameter is the same as above. The check-cookie parameter matches if it matches the cookie that was generated in the netfilter target extension ts3init_set_cookie. To match the seed needs to be exactly the same of course. It is possible to check cookies that were generated on a different machine, provided that those machines have the same date and time, and the same seed specified. In other words: The cookie is created in a deterministic way, depending only on the current time and the seed. If check-cookie is specified, either random-seed or random-seed-file need to be specified too.
## Target extensions
The second target extension is called "TS3INIT_RESET". It takes no parameters. This target drops the packet and sends a "reset" packet back to the sender. The sender should always be the TeamSpeak 3 client. Starting with the TeamSpeak 3.1 client, the client will react to the reset packet by resending the "get cookie" to the server. Older clients do not handle this packet.
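Review bot: The sentence added at the end of the check-cookie paragraph, "either random-seed or random-seed-file need to be specified too", names the options without the leading dashes used in the help output and has a subject-verb mismatch; suggest "either --random-seed or --random-seed-file needs to be specified too". The help text for --random-seed, "Seed is a 60 byte hex number", leaves open whether 60 hex characters or 60 bytes of hex-encoded data are expected, so stating the exact string length would prevent mismatched seeds between machines. Because the paragraph says the cookie depends only on the current time and the seed, the README should also state that the seed must be kept secret and that the file passed to --random-seed-file should not be readable by unprivileged users.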
