IP Masquerading using iptables

1 Talk's outline
- iptables versus ipchains
- The goal (or: my goal)
- The packet's way through iptables
- Classic masquerading (SNAT)
- DNS faking (with DNAT)
- Other things
- Firewalling with iptables (If we have time)
- Questions I'll hopefully answer
- Not covered: packet mangling (change TOS, TTL and flags)

2 Differences between iptables and ipchains
- Same author (Rusty Russell), and basically smells the same
- Most important: FORWARD taken apart from INPUT and OUTPUT
- Changes in syntax
- Masquerading is handled separately
- Typical error message is misleading: No kernel support
- And vice versa
- Red Hat 7.3 boots up with ipchains as default

4 What I wanted in the first place

5 Requirements
- Windows computer should have a gateway
- DNS issue solved elegantly
- Both computers have access to the network at the same time
- Network between computers is trustful
- Proper firewalling
- ADSL modem is considered hostile

6 iptables: The IP packet's flow

7 iptables: How to swallow this
- Packet filtering (firewalls) and manipulation (masquerading) are neighbours
- Therefore, the same tools are used
- Think routing tables
- Chains: Think subroutines
- Each chain is terminated with a target, or the next line is taken
- Subchains work exactly like subroutines
- Tables: Group of chains: filter and nat
- Each chain has a policy: the default target

8 What is Masquerading?
- All computers appear to have the same IP
- This is done with Network Address Translation
- It's easy to fake the outgoing packet
- Incoming packets must be translated too
- Port translation is a must

9 iptables: The IP packet's flow

10 Source Network Address Translation (SNAT)
- On ADSL: catch packets going out on ppp0
- The source IP is changed
- Source port numbers may be changed
- Easiest rule: Do SNAT on all packets going out on ppp0
- Will include OUTPUT packets by accident, but who cares?
- Remember: Every SNAT produces an implicit DNAT
- And vice versa

11 Incoming packets
- The problem: Where should the packet go?
- Simple TCP connection: iptables remembers the port numbers
- UDP: Tricky
- DNS: Return the answer to whoever asked
- ICMP: Ping answers go the right way (!)
- FTP, ICQ and friends: Require special treatment (they work for me as a basic client)
- When the other side opens a connection, that has to be treated specially
- iptables has application-based modules

12 Defining SNAT iptables commands
- The strict way:
    iptables -t nat -A POSTROUTING -o ppp0 -j SNAT \
        --to $PPPIP
- The liberal way:
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
- The liberal form is better for temporary connections:
- MASQUERADE automatically chooses the address
- MASQUERADE forgets old connections when the interface goes down
- For dialup, cable modems and ADSL: MASQUERADE wins

13 POSTROUTING is just another chain
- Selective rules can be used
- Different manipulations are possible
- Use -j ACCEPT to let the packet through untouched

14 The wrong way to masquerade
    iptables -t nat -A POSTROUTING -j MASQUERADE
- This makes masquerading the default policy for any outgoing packet
- ... including any forwarded packet.
- All forwarded packets will appear to come from the masquerading host.
- May confuse firewalls
- Even worse, may confuse service applications and compromise security
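As an added defender's check (not part of the talk), this function reads an iptables-save dump on stdin and reports every POSTROUTING SNAT/MASQUERADE rule that is not pinned to an outgoing interface with -o, which is exactly what turns the liberal rule of slide 12 into the wrong rule above; the dump it runs on is constructed here and puts the wrong rule next to the slide 12 rule.

```shell
#!/bin/sh
# Added audit helper, not from the talk. Reads "iptables-save" output on
# stdin, prints each POSTROUTING rule in the nat table that masquerades or
# SNATs without an "-o <interface>" match, and returns 1 if any was found.
# Such a rule rewrites the source of every forwarded packet, including
# traffic between internal hosts, not only what leaves on ppp0.
unbound_masquerade() {
    awk '
        /^\*/ { table = substr($0, 2) }        # "*nat", "*filter", ...
        table == "nat" && /^-A POSTROUTING / &&
            (/-j MASQUERADE/ || /-j SNAT/) && !/ -o / { print; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed iptables-save excerpt (not a real dump): the first rule is
# the wrong way from slide 14, the second is the liberal rule from slide 12.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

# Prints "-A POSTROUTING -j MASQUERADE" and reports the finding on stderr.
printf '%s\n' "$SAMPLE_DUMP" | unbound_masquerade \
    || echo "masquerade rule not bound to an outgoing interface" >&2
```

On a live box, `iptables-save | unbound_masquerade` runs the same check against the installed rules.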

15 Masquerading and firewalling
- The internal computers are implicitly firewalled
- The main computer gets all the unrelated packets
- The main computer must be protected
- Main computer protected with the INPUT and OUTPUT chains
- Other computers protected with the FORWARD chain
- Note that FORWARD rules also apply to the intranet connection

16 DNS faking with DNAT
- The other computers have constant DNS addresses
- The address is translated with DNAT
    iptables -t nat -A PREROUTING -d 10.2.0.1 \
        -j DNAT --to-destination 192.115.106.31
    iptables -t nat -A PREROUTING -d 10.2.0.2 \
        -j DNAT --to-destination 192.115.106.35

17 Automatic DNS DNAT setup
- In an ADSL connection, the DNS addresses are given on connection
- An ip-up.local script writes these addresses in the resolv.conf file
    DNScount=1
    # perl prints each nameserver address, skipping loopback (127.x) entries
    for nameserver in \
      `perl -nle "/nameserver\D*(\d*\.\d*\.\d*\.\d*)/i && \
      (\\$1 =~ /^127/ || print \\$1)" /etc/resolv.conf`;
    do iptables -t nat -A PREROUTING -d 10.2.0.$DNScount \
         -j DNAT --to-destination $nameserver
       let DNScount=DNScount+1;
    done;
- The perl statement above extracts the two addresses
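The same loop, reworked as an added example (not the talk's own script): it reads resolv.conf on stdin, uses awk instead of perl, skips 127/8 entries and anything that is not a dotted quad, and prints the rules instead of installing them. The 10.2.0 fake prefix follows slide 16; the $IPT runner, the FAKE_PREFIX variable and the sample resolv.conf are my assumptions.

```shell
#!/bin/sh
# Added example, not the talk's ip-up.local. Builds one PREROUTING DNAT
# rule per usable nameserver so that 10.2.0.1, 10.2.0.2, ... on the
# internal network map to the provider's DNS servers. Loopback entries
# are skipped, as in the talk's perl one-liner: a DNAT to 127.x would
# aim the clients' queries at the gateway's own loopback, where no
# forwarded packet can be delivered.
# Assumed: IPT defaults to "echo iptables" (prints rules, installs nothing).
IPT=${IPT:-"echo iptables"}
FAKE_PREFIX=${FAKE_PREFIX:-10.2.0}

# dns_dnat_rules < resolv.conf
dns_dnat_rules() {
    count=1
    # awk keeps only "nameserver A.B.C.D" lines ("search", comments and
    # malformed entries drop out) and rejects addresses in 127/8
    for nameserver in $(awk '$1 == "nameserver" &&
                             $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
                             $2 !~ /^127\./ { print $2 }'); do
        $IPT -t nat -A PREROUTING -d "$FAKE_PREFIX.$count" \
            -j DNAT --to-destination "$nameserver"
        count=$((count + 1))
    done
}

# Constructed sample resolv.conf (not a live configuration); the two
# server addresses are the ones from slide 16, the loopback line is
# there to be skipped.
SAMPLE_RESOLV='# constructed sample
search example.net
nameserver 127.0.0.1
nameserver 192.115.106.31
nameserver 192.115.106.35'

printf '%s\n' "$SAMPLE_RESOLV" | dns_dnat_rules
```

Run with `IPT=iptables dns_dnat_rules < /etc/resolv.conf` from ip-up.local to install the rules for real.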

18 The MTU on the Windows computer
- ADSL ppp connection has an MTU of 1452
- Normal Ethernet has MTU 1500
- The Windows computer doesn't know it goes through ADSL
- Fragmentation
- Fixed by adding an entry in the Windows registry

19 Other tricks
- Server on masqueraded host (DNAT)
- Port remapping (redirection)
- Load balancing (One-to-many forward DNAT)
- Packet mangling

20 The filter chains
- INPUT, OUTPUT and FORWARD
- Targets with ACCEPT, DROP, REJECT or QUEUE
- A set of selective rules makes a firewall

21 Example: A firewall
- Close everything and flush chains
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -F -t nat
    iptables -F -t filter
    iptables -X

22 Example: A firewall (cont.)
- Allow everything on the loopback interface
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

23 Example: A firewall (cont.)
- Keep the ADSL modem on a short leash
    iptables -A INPUT -i eth1 -s 10.0.0.138/32 \
        -d 10.0.0.0/8 -p tcp \
        --sport 1723 -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth1 -s 10.0.0.138/32 \
        -d 10.0.0.0/8 -p gre -j ACCEPT
    iptables -A INPUT -i eth1 -j DROP
    iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \
        -d 10.0.0.138/32 -p tcp --dport 1723 \
        -j ACCEPT
    iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \
        -d 10.0.0.138/32 -p gre -j ACCEPT
    iptables -A OUTPUT -o eth1 -j DROP

24 Example: A firewall (cont.)
- Linux computer with network rules:
    iptables -A OUTPUT -o ppp0 -s $PPPIP -j ACCEPT
    iptables -A INPUT -s ! 10.128.0.0/16 -p tcp \
        --dport 0:1023 -j DROP
    iptables -A INPUT -i ppp0 -d $PPPIP -m state \
        --state ESTABLISHED,RELATED -j ACCEPT

25 Example: A firewall (cont.)
- Everything is allowed on the internal network
    iptables -A INPUT -s 10.128.0.0/16 \
        -d 10.128.0.0/16 -j ACCEPT
    iptables -A OUTPUT -s 10.128.0.0/16 \
        -d 10.128.0.0/16 -j ACCEPT

26 Example: A firewall (cont.)
- Forwarding...
    iptables -A FORWARD -i ppp0 -o eth0 -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
    iptables -A FORWARD -j DROP
- Note that there is no forwarding in the internal network

27 iptables script finale
- Make sure that the main chains end with DROP
- Zero counters
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP
    iptables -A FORWARD -j DROP
    iptables -Z

28 Summary
- It works really well
- It's not difficult to set up if you know what you're doing

29 References
- Linux IP Masquerade HOWTO (a version written in Jan 2003 is available)
- man iptables

Last modified on Thu May 17 17:30:00 2012. Email: sendtome@billauer.co.il