Linux: The hole trick to bypass firewall restriction

by on December 15, 2006 · 10 comments· LAST UPDATED December 15, 2006


Have you ever wondered how P2P software such as Skype exchanges data directly when both client desktops sit behind firewalls that only permit outgoing traffic?

This article explains how Skype & Co. get round firewalls using the hole trick. From the article:
Peer-to-peer software applications are a network administrator's nightmare. In order to be able to exchange packets with their counterpart as directly as possible they use subtle tricks to punch holes in firewalls, which shouldn't actually be letting in packets from the outside world.

This is a good article, and a good idea carried out by Skype. It is not exactly a new concept (search for NAT2NAT with Google and you will find more information about this hack). The author has done a good job of explaining the whole concept in clear language.

How do I bypass Linux firewall restriction?

The article also covers DIY hole punching using the standard hping2 and nc (netcat) tools under Linux. The trick works because a stateful firewall that permits outgoing UDP has to admit the "replies": one outbound datagram with the right source and destination ports is enough to make the inbound packet look like a reply. From the article:
Firstly start a UDP listener on UDP port 14141 on the local/1 console behind the firewall:
local/1# nc -u -l -p 14141
An external computer "remote" then attempts to contact it.
remote# echo "hello" | nc -p 53 -u local-fw 14141
However, as expected nothing is received on local/1 and, thanks to the firewall, nothing is returned to remote. Now on a second console, local/2, hping2, our universal tool for generating IP packets, punches a hole in the firewall:
local/2# hping2 -c 1 -2 -s 14141 -p 53 remote
As long as remote is behaving itself, it will send back a "port unreachable" response via ICMP - however this is of no consequence. On the second attempt
remote# echo "hello" | nc -p 53 -u local-fw 14141
The netcat listener on console local/1 then coughs up a "hello" - the UDP packet from outside has passed through the firewall and arrived at the computer behind it.
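To make the mechanism behind the hping2 step concrete, here is an added Python simulation of a conntrack-style stateful UDP firewall. It is not code from the original post or from the heise article; the addresses, the 30 s UDP timeout (the Linux default for unreplied UDP is also 30 s) and the resolver used by the egress policy are illustrative assumptions. It replays the three steps above (inbound "hello" dropped, hping2 datagram outbound from port 14141 to port 53, inbound "hello" accepted) and also shows that the same trick fails when outbound UDP/53 is restricted to a known resolver, and that the hole closes again once the conntrack entry times out.

```python
"""Simulation of why the hole trick works against a stateful firewall.

Added example, not taken from the original post or the heise article.
Model: an outbound UDP datagram creates a state entry keyed on
(inside_ip, inside_port, outside_ip, outside_port); an inbound datagram is
accepted only if it matches an unexpired entry. Hosts, ports, timeout and
resolver address below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

LOCAL = "10.0.0.5"       # "local", the host behind the firewall (assumed)
REMOTE = "203.0.113.7"   # "remote", on the Internet (assumed, TEST-NET-3)
RESOLVER = "10.0.0.2"    # assumed corporate DNS resolver for the egress policy


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class StatefulUdpFirewall:
    """Allow-all-outbound UDP plus 'return' traffic, as in a typical
    iptables setup (OUTPUT ACCEPT, INPUT only ESTABLISHED,RELATED).
    egress_allow=None means any outbound UDP is permitted; otherwise only
    datagrams to the listed (ip, port) pairs may leave."""
    udp_timeout: float = 30.0
    egress_allow: Optional[Set[Tuple[str, int]]] = None
    table: Dict[Tuple[str, int, str, int], float] = field(default_factory=dict)

    def outbound(self, d: Datagram, now: float) -> bool:
        if self.egress_allow is not None and (d.dst, d.dport) not in self.egress_allow:
            return False
        # The outbound datagram "opens" the reverse direction for udp_timeout.
        self.table[(d.src, d.sport, d.dst, d.dport)] = now + self.udp_timeout
        return True

    def inbound(self, d: Datagram, now: float) -> bool:
        key = (d.dst, d.dport, d.src, d.sport)  # reversed 4-tuple
        expiry = self.table.get(key)
        if expiry is None or expiry < now:
            self.table.pop(key, None)
            return False
        self.table[key] = now + self.udp_timeout  # refreshed like conntrack does
        return True


def hole_trick(fw: StatefulUdpFirewall, now: float = 0.0):
    """Replay the article's three steps; returns (first_in, punched, second_in)."""
    hello = Datagram(REMOTE, 53, LOCAL, 14141, b"hello")   # nc -p 53 -u local-fw 14141
    first = fw.inbound(hello, now)                          # dropped: no state
    punch = Datagram(LOCAL, 14141, REMOTE, 53)              # hping2 -2 -s 14141 -p 53 remote
    punched = fw.outbound(punch, now + 1)
    second = fw.inbound(hello, now + 2)                     # matches reversed tuple
    return first, punched, second


def hole_closes_after_timeout(fw: StatefulUdpFirewall) -> bool:
    """True if an inbound datagram is rejected once the entry has expired."""
    fw.outbound(Datagram(LOCAL, 14141, REMOTE, 53), 0.0)
    hello = Datagram(REMOTE, 53, LOCAL, 14141, b"hello")
    return fw.inbound(hello, fw.udp_timeout + 1.0) is False


if __name__ == "__main__":
    print("permissive egress:", hole_trick(StatefulUdpFirewall()))
    print("resolver-only egress:",
          hole_trick(StatefulUdpFirewall(egress_allow={(RESOLVER, 53)})))
    print("closes after timeout:", hole_closes_after_timeout(StatefulUdpFirewall()))
```

With the permissive policy the sequence returns (False, True, True): the first "hello" is dropped, the hping2 datagram leaves, and the second "hello" is accepted as a reply. With outbound UDP/53 limited to the resolver it returns (False, False, False), because the punch never leaves and so never creates state; that is why sending the punch to port 53 is attractive, since egress rules often allow DNS to anywhere. The entry also lapses after the UDP timeout, so a real peer has to keep sending traffic to keep the hole open.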

Right now there is no perfect solution to this if you are using a Linux-based firewall and want to prevent such abuse.

Read more at Know-how: The hole trick - How Skype & Co. get round firewalls



1 port25 December 15, 2006 at 8:46 pm

Hey great find and thanks for pointing out article.

The only way to prevent this is to block UDP entirely using iptables, since UDP is connectionless; a stateful iptables firewall will not be able to block anything. This is a great hack, IMPO.

PS: I have been reading your blog for the last year, but this is the first time I am writing a comment :)


2 nixCraft December 22, 2006 at 7:33 am

Thanks for comment :)


3 umar November 6, 2007 at 10:24 am

I am on Windows Vista 32; how can I try your trick?
Thanks in advance.


4 nixCraft November 6, 2007 at 1:25 pm

umar,

This is a Linux-specific tip.


5 saga December 27, 2008 at 2:47 pm

Hi,
Blocking CONNECT access to numerical IP addresses blocks Skype and UltraSurf :(
Look at the squid ACLs below and try for yourself:

acl num_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

http_access deny CONNECT num_IPs all

Please notify me if I could get around this.


6 cyberking.vb November 9, 2009 at 6:03 pm

Hey bro, I need your help.

In most of the mobile networks the UDP ports are free, meaning I can browse for free using UDP. I am currently using Your-Freedom to connect me through UDP, but there is only limited bandwidth provided by Your-Freedom. Can you please tell me a way to tunnel through UDP without Your-Freedom? Send me an email.


7 funtikar January 9, 2010 at 1:51 am

I'm in exactly the same situation as the guy above me (cyberking). I'm currently using this commercial software, namely Your-Freedom, to tunnel HTTP over UDP through the YF UDP server, but as cyberking said the bandwidth is quite limited.


8 Reynold December 13, 2011 at 11:08 am

Thanks for the article :)


9 bubba December 31, 2012 at 4:35 am

I was wondering if this was ever fixed? This article is dated 2006. Thanks.


10 blah d blah April 8, 2013 at 8:10 pm

Then why does Skype need to get permission from my firewall (Zone Alarm) ?

