In this article, we discuss new additions to the routing functions family. We will show how to configure IPv6 routing; how to use IP routing to forward all blocked traffic to a containerized web server; and introduce the new --route-file flag that greatly improves management of long routing lists.
As an example, we will show how to use all these new features to create a custom browser designed to access a single website.
As we learned in the previous installments, IP-based routing can be declared with the following syntax:
turbo new --route-add=ip://192.168.198.1:192.168.198.2
The colons in IPv6 addresses conflict with this syntax. To solve this, IPv6 addresses in Turbo commands are enclosed in square brackets.
For example, to block the localhost address, use the command:
turbo new putty --route-block=ip://[::1]
To block all IP traffic except the link local IPv6 space:
turbo new putty --route-block=ip --route-add=ip://[fe80::c218:85ff:febd:5c01/64]
Notice we can use the CIDR notation to specify a range of addresses.
To redirect traffic from a specific IPv6 address to localhost:
turbo new putty --route-block=ip --route-add=ip://[2001:cdba::3257:9652]:[::1]
When working with long routing lists (e.g., to block advertising or other undesired sites), it is inconvenient to add many --route-block and --route-add switches to the command line or a TurboScript file. To simplify this, we have introduced the --route-file flag.
The routing file has a simple INI-style syntax:
The header defines how the addresses below it are interpreted. Supported protocols are ip, tcp, and udp, and supported actions are add and block.
To block/unblock all IP addresses we can use the 0.0.0.0 literal or *.
For example, a routing file that blocks all IP traffic except turbo.net/spoon.net addresses:
[ip-block]
*
[ip-add]
*.turbo.net
*.spoon.net
The route file can be used with all other container management commands. For example:
turbo try firefox --route-file=routes.txt --name=turbo-firefox
It can also be used during commit to persist routing settings into an image:
turbo new firefox --name=fx
turbo commit fx turbo-firefox --route-file=routes.txt
Or can be included in a TurboScript build command:
turbo build turbo.me --route-file=routes.txt
Blocked site rerouting
IP routing can also be used to reroute traffic from blocked sites to an internal network. As an example, we will reroute all traffic from nytimes.com to an internal containerized web server.
First, we run a preconfigured Apache server that binds to local port 80:
turbo new pgalisz/internal-server --detach
Next, we run firefox with rerouting enabled:
turbo new firefox --route-add=ip://*.nytimes.com:127.0.0.1 # reroute traffic to local web server
After typing nytimes.com into the browser, our custom page is shown instead of the original site.
Sample: Creating custom, single site browsers
Turbo’s IP routing capabilities can be used to create custom browsers that allow access only to a specific site or set of sites. A simple solution was shown in previous articles, e.g.:
turbo new firefox --route-block=ip --route-add=ip://*.turbo.com --route-add=ip://*.spoon.com
The above command works for simpler websites, but more advanced websites use resources from multiple external sources. We need to allow access to those external sites for the site to load properly.
To simplify the process of creating a routing file for this scenario, we have published a PowerShell script to help. In this example we will show how to obtain this script and use it to create a forbes.com limited browser.
First, download the script from the turboapps repository: route-file-builder.ps1
Example script usage:
.\route-file-builder.ps1 -urls "http://turbo.net"
.\route-file-builder.ps1 -urls ("http://turbo.net", "http://spoon.net") -routeFile c:\path\to\routes.txt
When the -routeFile flag is not passed, output is printed to the console.
The script runs the container in the background with a fully blocked network and iteratively unblocks hosts that the website tries to connect to.
Let’s run it for forbes.com:
PS C:\s> .\route-file-builder.ps1 -urls forbes.com -routeFile c:\s\forbes-routes.txt
Security warning
Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\s\route-file-builder.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R
Running browser...
Did everything work correctly? (y/n):
In every iteration, the script opens firefox to the forbes.com site. After closing the browser it asks the user if the site was displayed correctly.
In the first iteration, firefox does not display anything, so we choose n.
Running browser...
Did everything work correctly? (y/n): n
Running browser...
Did everything work correctly? (y/n): n
Running browser...
Did everything work correctly? (y/n): y
After the fourth iteration the site is displayed correctly. Now we answer yes and the script ends.
Now we can open the forbes-routes.txt file and check all the unblocked hosts:
[ip-add]
*.forbes.com
127.0.0.1
tiles.r53-2.services.mozilla.com
tiles.services.mozilla.com
location.services.mozilla.com
i.forbesimg.com
a1586.g1.akamai.net
self-repair.mozilla.org
shavar.services.mozilla.com
shavar.prod.mozaws.net
aus5.mozilla.org
aus5.external.zlb.scl3.mozilla.com
safebrowsing.google.com
sb.l.google.com
services.addons.mozilla.org
olympia.prod.mozaws.net
versioncheck-bg.addons.mozilla.org
blocklist.addons.mozilla.org
ocsp.digicert.com
search.services.mozilla.com
tiles-cloudfront.cdn.mozilla.net
www.googletagmanager.com
b.scorecardresearch.com
stats.g.doubleclick.net
tags.bluekai.com
consent.truste.com
contextual.media.net
rt.liftdna.com
www.googletagservices.com
cs9.wac.phicdn.net
tracking-protection.cdn.mozilla.net
connect.facebook.net
content.dl-rms.com
h.nexac.com
forbescount.xmlshop.biz
a1.vdna-assets.com
ml314.com
load.amexp.exelator.com
ox-d.forbesbidder.servedbyopenx.com
partnerad.l.doubleclick.net
us-ads.openx.net
ib.adnxs.com
ssum.casalemedia.com
medianet-d.openx.net
qsearch.media.net
[ip-block]
0.0.0.0
As an additional step, it is possible to manually clean up the list (e.g., remove the Mozilla sites) and prepare a minimal working configuration.
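One way to support that manual cleanup, as an added example that is not part of Turbo or route-file-builder.ps1: the script below parses the INI-style route file described earlier, rejects headers outside the supported protocol/action set, and flags [ip-add] entries that fall outside an allow list. The function names, the $allowed list and the abridged sample input are assumptions made for illustration.

```powershell
# Added example (not Turbo or route-file-builder.ps1 code); names are hypothetical.
function Read-RouteFile {
    param([string[]]$Lines)
    $section = $null; $n = 0
    foreach ($raw in $Lines) {
        $n++; $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^\[(.*)\]$') {
            $name = $Matches[1]
            # Headers are [protocol-action]: ip/tcp/udp combined with add/block.
            if ($name -notmatch '^(ip|tcp|udp)-(add|block)$') {
                throw "line ${n}: unsupported header '$line'"
            }
            $section = $name -split '-'; continue
        }
        if (-not $section) { throw "line ${n}: entry '$line' precedes any header" }
        [pscustomobject]@{ Protocol = $section[0]; Action = $section[1]; Entry = $line }
    }
}

function Test-RouteAllowed {
    # True for block entries, and for add entries under an allowed name.
    param($Route, [string[]]$Allowed)
    if ($Route.Action -ne 'add') { return $true }
    $name = $Route.Entry -replace '^\*\.', ''   # *.forbes.com -> forbes.com
    foreach ($a in $Allowed) {
        if ($name -eq $a -or $name -like "*.$a") { return $true }
    }
    return $false
}

function ConvertTo-RouteFile {
    # Re-emit entries in order, writing a header whenever the section changes.
    param($Routes)
    $prev = $null
    foreach ($r in $Routes) {
        $header = "[$($r.Protocol)-$($r.Action)]"
        if ($header -ne $prev) { $header; $prev = $header }
        $r.Entry
    }
}

# Constructed sample: abridged from the generated forbes-routes.txt above.
$sample = '[ip-add]', '*.forbes.com', '127.0.0.1', 'i.forbesimg.com',
          'stats.g.doubleclick.net', 'ocsp.digicert.com', '[ip-block]', '0.0.0.0'
$allowed = 'forbes.com', 'forbesimg.com', '127.0.0.1'   # assumed first-party names
$routes  = @(Read-RouteFile $sample)
$routes | Where-Object { -not (Test-RouteAllowed $_ $allowed) } | ForEach-Object { "REVIEW: $($_.Entry)" }
ConvertTo-RouteFile ($routes | Where-Object { Test-RouteAllowed $_ $allowed })
```

Entries marked REVIEW are candidates for removal rather than automatic deletions: ocsp.digicert.com, for instance, is a certificate revocation responder rather than an ad host. Re-test the site against the trimmed file before committing it.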
The routing data can later be committed into a new image with the turbo commit --route-file command.