IP Routing in Turbo Containers III

In our previous articles, IP Routing in Turbo Containers and IP Routing in Turbo Containers II, we introduced the host and IP routing features of Turbo containers.

In this article, we discuss new additions to the routing feature family. We will show how to configure IPv6 routing, how to use IP routing to forward all blocked traffic to a containerized web server, and introduce the new --route-file flag, which greatly simplifies the management of long routing lists.

As an example, we will show how to use all these new features to create a custom browser designed to access a single website.

IPv6 routing

As we learned in the previous installments, IP-based routing is declared with the following syntax:

turbo new --route-add=ip://192.168.198.1:192.168.198.2

The colons in IPv6 addresses conflict with this syntax, because the colon already separates the source address from the target. To resolve this, IPv6 addresses in Turbo commands are enclosed in square brackets.

For example, to block the localhost address, use the command:

turbo new putty --route-block=ip://[::1]

To block all IP traffic except the link local IPv6 space:

turbo new putty --route-block=ip --route-add=ip://[fe80::c218:85ff:febd:5c01/64]

Notice that CIDR notation can be used to specify a range of addresses.

To redirect traffic from a specific IPv6 address to localhost:

turbo new putty --route-block=ip --route-add=ip://[2001:cdba::3257:9652]:[::1]

Routing files

When working with long routing lists (e.g. to block advertising or other undesired sites), it is inconvenient to add many --route-block and --route-add switches to the command line or to a TurboScript file. To simplify this, we have introduced the --route-file flag.

The routing file has a simple INI-style syntax:

[<protocol>-<action>]
<host or address>

The header defines how the addresses listed below it are interpreted. Supported protocols are ip, tcp, and udp; supported actions are add and block.

To block or unblock all IP addresses, use the 0.0.0.0 literal or *.

For example, a routing file that blocks all IP traffic except turbo.net/spoon.net addresses:

[ip-block]
*
[ip-add]
*.turbo.net
*.spoon.net

The route file can be used with all other container management commands. For example:

turbo try firefox --route-file=routes.txt --name=turbo-firefox

It can also be used during commit to persist routing settings into an image:

turbo new firefox --name=fx
turbo commit fx turbo-firefox --route-file=routes.txt

Or it can be included in a TurboScript build command:

turbo build turbo.me --route-file=routes.txt

Blocked site rerouting

IP routing can also be used to reroute traffic from blocked sites to an internal network. As an example, we will reroute all traffic from nytimes.com to an internal containerized web server.

First, we run a preconfigured Apache server that binds to local port 80:

turbo new pgalisz/internal-server --detach

Next, we run firefox with rerouting enabled:

turbo new firefox --route-add=ip://*.nytimes.com:127.0.0.1 # reroute traffic to local web server

After typing nytimes.com into the browser, it shows our custom page instead of the original site:

(Screenshot: grumpycat)

Sample: Creating custom, single site browsers

Turbo's IP routing capabilities can be used to create custom browsers that allow access only to a specific site or set of sites. A simple solution was shown in the previous articles, e.g.:

turbo new firefox --route-block=ip --route-add=ip://*.turbo.com --route-add=ip://*.spoon.com

The above command works for simpler websites, but more advanced websites load resources from multiple external sources, and access to those external sites must also be allowed for the site to load properly.

To simplify the creation of a routing file for this scenario, we have published a PowerShell script. In this example we show how to obtain the script and use it to create a browser limited to forbes.com.

First, download the script from the turboapps repository: route-file-builder.ps1

Example script usage:

route-file-builder.ps1 -urls "http://turbo.net"
route-file-builder.ps1 -urls ("http://turbo.net", "http://spoon.net") -routeFile c:\path\to\routes.txt

When the -routeFile flag is not passed, output is printed to the console.

The script runs the container in the background with a fully blocked network and iteratively unblocks hosts that the website tries to connect to.

Let’s run it for forbes.com:

PS C:\s> .\route-file-builder.ps1 -urls forbes.com -routeFile c:\s\forbes-routes.txt
Security warning
Run only scripts that you trust. While scripts from the Internet can be useful,
this script can potentially harm your computer. If you trust this script, use
the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\s\route-file-builder.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R
Running browser...
Did everything work correctly? (y/n):

In every iteration, the script opens Firefox on the forbes.com site. After the browser is closed, it asks the user whether the site was displayed correctly.

(Screenshot: forbes1)

In the first iteration Firefox does not display anything, so we choose n.

Running browser...
Did everything work correctly? (y/n): n
Running browser...
Did everything work correctly? (y/n): n
Running browser...
Did everything work correctly? (y/n): y
PS C:\s>

After the fourth iteration the site is displayed correctly, so we answer y and the script ends.

(Screenshot: forbes2)

Now we can open the forbes-routes.txt file and check all the unblocked hosts:

[ip-add]
*.forbes.com
127.0.0.1
tiles.r53-2.services.mozilla.com
tiles.services.mozilla.com
location.services.mozilla.com
i.forbesimg.com
a1586.g1.akamai.net
self-repair.mozilla.org
shavar.services.mozilla.com
shavar.prod.mozaws.net
aus5.mozilla.org
aus5.external.zlb.scl3.mozilla.com
safebrowsing.google.com
sb.l.google.com
services.addons.mozilla.org
olympia.prod.mozaws.net
versioncheck-bg.addons.mozilla.org
blocklist.addons.mozilla.org
ocsp.digicert.com
search.services.mozilla.com
tiles-cloudfront.cdn.mozilla.net
www.googletagmanager.com
b.scorecardresearch.com
stats.g.doubleclick.net
tags.bluekai.com
consent.truste.com
contextual.media.net
rt.liftdna.com
www.googletagservices.com
cs9.wac.phicdn.net
tracking-protection.cdn.mozilla.net
connect.facebook.net
content.dl-rms.com
h.nexac.com
forbescount.xmlshop.biz
a1.vdna-assets.com
ml314.com
load.amexp.exelator.com
ox-d.forbesbidder.servedbyopenx.com
partnerad.l.doubleclick.net
us-ads.openx.net
ib.adnxs.com
ssum.casalemedia.com
medianet-d.openx.net
qsearch.media.net
[ip-block]
0.0.0.0

As an additional step, the list can be cleaned up manually (e.g. by removing the Mozilla sites) to prepare a minimal working configuration.

The routing data can later be committed into a new image with the turbo commit --route-file command.