IP Masquerading using iptables

1 Talk's outline
iptables versus ipchains
The goal (or: my goal)
The packet's way through iptables
Classic masquerading (SNAT)
DNS faking (with DNAT)
Other things
Firewalling with iptables (if we have time)
Questions I'll hopefully answer

Not covered: packet mangling (changing TOS, TTL and flags)

2 Differences between iptables and ipchains
Same author (Rusty Russell), and basically smells the same
Most important: FORWARD taken apart from INPUT and OUTPUT
Changes in syntax
Masquerading is handled separately

3 ipchains and iptables don't live together
If the ipchains module is resident in the kernel, iptables won't insmod
Typical error message is misleading: "No kernel support"
And vice versa
RedHat 7.3 boots up with ipchains as default

4 What I wanted in the first place

5 Requirements
Windows computer should have a gateway
DNS issue solved elegantly
Both computers have access to the network at the same time
Network between the computers is trusted
Proper firewalling
ADSL modem is considered hostile

6 iptables: The IP packet's flow

7 iptables: How to swallow this
Packet filtering (firewalls) and manipulation (masquerading) are neighbours
Therefore, the same tools are used
Think routing tables
Chains: Think subroutines
Each chain is terminated with a target, or the next line is taken
Subchains work exactly like subroutines
Tables: Groups of chains: filter and nat
Each chain has a policy: the default target

8 What is Masquerading?
All computers appear to have the same IP
This is done with Network Address Translation
It's easy to fake the outgoing packet
Incoming packets must be translated too
Port translation is a must

9 iptables: The IP packet's flow

10 Source Network Address Translation (SNAT)
On ADSL: catch packets going out on ppp0
The source IP is changed
Source port numbers may be changed
Easiest rule: Do SNAT on all packets going out on ppp0
Will include OUTPUT packets by accident, but who cares?
Remember: Every SNAT produces an implicit DNAT for the replies
And vice versa

11 Incoming packets
The problem: Where should the packet go?
Simple TCP connection: iptables remembers the port numbers
UDP: Tricky
DNS: Return the answer to whoever asked
ICMP: Ping answers go the right way (!)
FTP, ICQ and friends: Require special treatment (they work for me as a basic client)
When the other side opens a connection, that has to be treated specially
iptables has application-based modules for this

12 Defining SNAT iptables commands
The strict way:
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT \
    --to $PPPIP
The liberal way:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
The liberal form is better for temporary connections:
MASQUERADE automatically chooses the address
MASQUERADE forgets old connections when the interface goes down
For dialup, cable modems and ADSL: MASQUERADE wins

13 POSTROUTING is just another chain
Selective rules can be used
Different manipulations are possible
Use -j ACCEPT to let the packet through untouched

14 The wrong way to masquerade
iptables -t nat -A POSTROUTING -j MASQUERADE
This makes masquerading the default policy for any outgoing packet
... including any forwarded packet.
All forwarded packets will appear to come from the masquerading host.
May confuse firewalls
Even worse, may confuse service applications and so compromise security
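As a check for the over-broad rule above, here is an added shell example (not from the talk) that scans an iptables-save dump for POSTROUTING MASQUERADE or SNAT rules carrying no -o interface match; the function names and the sample dump are constructed for this example.

```shell
#!/bin/sh
# Audit an iptables-save dump for the over-broad rule shown on the slide:
# a POSTROUTING MASQUERADE or SNAT rule with no "-o <interface>" match, which
# also rewrites packets forwarded between internal hosts. Added example, not
# from the talk; the dump below is constructed.

# check_masq_rules FILE -> prints each offending nat rule; returns 1 if any
check_masq_rules() {
    # sed: keep only the *nat table; grep 1: POSTROUTING rules that end in
    # MASQUERADE/SNAT; grep 2: drop those that do name an output interface
    bad=$(sed -n '/^\*nat$/,/^COMMIT$/p' "$1" \
          | grep -E -- '^-A POSTROUTING .*-j (MASQUERADE|SNAT)( |$)' \
          | grep -E -v -- ' -o [^ ]+' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed dump: first rule is the wrong way, second is the slide's fix.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -j DROP
COMMIT
EOF
}

# To audit the live ruleset (root required):
#   iptables-save > /tmp/rules.txt && check_masq_rules /tmp/rules.txt
```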

15 Masquerading and firewalling
The internal computers are implicitly firewalled
The main computer gets all the unrelated packets
Main computer must be protected
Main computer protected with INPUT and OUTPUT chains
Other computers protected with FORWARD chains
Note that FORWARD chains also apply to the intranet connection

16 DNS faking with DNAT
The other computers have constant DNS addresses
The address is translated with DNAT
iptables -t nat -A PREROUTING -d 10.2.0.1 \
    -j DNAT --to-destination 192.115.106.31
iptables -t nat -A PREROUTING -d 10.2.0.2 \
    -j DNAT --to-destination 192.115.106.35

17 Automatic DNS DNAT setup
In an ADSL connection, the DNS addresses are given on connection
An ip-up.local script writes these addresses in the resolv.conf file
DNScount=1
for nameserver in \
    `perl -nle "/nameserver\D*(\d*\.\d*\.\d*\.\d*)/i && \
    (\\$1 =~ /^127/ || print \\$1)" /etc/resolv.conf`;
do iptables -t nat -A PREROUTING -d 10.2.0.$DNScount \
    -j DNAT --to-destination $nameserver
    let DNScount=DNScount+1;
done;
The perl statement above extracts the two addresses (skipping any 127.x loopback entry)
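The same setup as a reusable function, added here as an example that is not the talk's script: it reads a resolv.conf, skips loopback resolvers as the perl statement does, and stops once the fake addresses run out; FAKE_NET, DNS_MAX and the function names are assumed, and the sample resolv.conf is constructed.

```shell
#!/bin/sh
# Build the PREROUTING DNAT rules from slide 16 out of the nameservers listed
# in a resolv.conf, the job the ip-up.local loop on slide 17 does. Added
# example, not the talk's script: FAKE_NET and DNS_MAX are assumed names, and
# the 127.x skip mirrors the perl statement in the talk.

FAKE_NET=10.2.0          # constant DNS addresses handed to the internal hosts
DNS_MAX=${DNS_MAX:-2}    # the talk maps two fake addresses, 10.2.0.1 and .2

# dns_dnat_rules FILE -> prints one iptables command per usable nameserver
dns_dnat_rules() {
    count=1
    # sed keeps only "nameserver X" lines and strips the keyword; grep drops
    # a loopback resolver, which the internal hosts could not reach anyway
    for nameserver in $(sed -n 's/^[[:space:]]*nameserver[[:space:]]*//p' "$1" \
                        | grep -v '^127\.' || true); do
        [ "$count" -gt "$DNS_MAX" ] && break      # no fake address left to map
        echo "iptables -t nat -A PREROUTING -d $FAKE_NET.$count" \
             "-j DNAT --to-destination $nameserver"
        count=$((count + 1))
    done
}

# apply_dns_dnat FILE -> runs the generated commands (root required)
apply_dns_dnat() {
    dns_dnat_rules "$1" | while read -r cmd; do
        sh -c "$cmd" || return 1
    done
}
```

Run apply_dns_dnat /etc/resolv.conf from ip-up.local after the nat table has been flushed, or the rules accumulate on every reconnect.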

18 The MTU on the Windows computer
ADSL ppp connection has an MTU of 1452
Normal Ethernet has an MTU of 1500
Windows computer doesn't know it goes through ADSL
Fragmentation
Fixed by adding an entry in the Windows registry

19 Other tricks
Server on masqueraded host (DNAT)
Port remapping (redirection)
Load balancing (one-to-many forward DNAT)
Packet mangling

20 The filter chains
INPUT, OUTPUT and FORWARD
Targets with ACCEPT, DROP, REJECT or QUEUE
A set of selective rules makes a firewall

21 Example: A firewall
Close everything and flush chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F -t nat
iptables -F -t filter
iptables -X

22 Example: A firewall (cont.)
Allow everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

23 Example: A firewall (cont.)
Keep the ADSL modem short (only PPTP and GRE to and from it)
iptables -A INPUT -i eth1 -s 10.0.0.138/32 \
    -d 10.0.0.0/8 -p tcp \
    --sport 1723 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -s 10.0.0.138/32 \
    -d 10.0.0.0/8 -p gre -j ACCEPT
iptables -A INPUT -i eth1 -j DROP
iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \
    -d 10.0.0.138/32 -p tcp --dport 1723 \
    -j ACCEPT
iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \
    -d 10.0.0.138/32 -p gre -j ACCEPT
iptables -A OUTPUT -o eth1 -j DROP

24 Example: A firewall (cont.)
Linux computer with network rules:
iptables -A OUTPUT -o ppp0 -s $PPPIP -j ACCEPT
iptables -A INPUT -s ! 10.128.0.0/16 -p tcp \
    --dport 0:1023 -j DROP
iptables -A INPUT -i ppp0 -d $PPPIP -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

25 Example: A firewall (cont.)
Everything is allowed on the internal network
iptables -A INPUT -s 10.128.0.0/16 \
    -d 10.128.0.0/16 -j ACCEPT
iptables -A OUTPUT -s 10.128.0.0/16 \
    -d 10.128.0.0/16 -j ACCEPT

26 Example: A firewall (cont.)
Forwarding...
iptables -A FORWARD -i ppp0 -o eth0 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -j DROP
Note that there is no forwarding within the internal network

27 iptables script finale
Make sure that the main chains end with DROP
Zero counters
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
iptables -Z

28 Summary
It works really well
It's not difficult to set up if you know what you're doing

29 References
Linux IP Masquerade HOWTO (a version written in Jan 2003 is available)
man iptables
Last modified on Thu May 17 17:30:00 2012. Email: sendtome@billauer.co.il