MASQ leak?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



I was debugging what I thought was a vlan leak and a broken configuration.. or
at worst broken firmware, since I had bought new switches and wasn't completely
comfortable with them yet.

Anyway, it turns out that netfilter masq can leak internal information.

I thought most things would be caught by this:
table ip nat {
        chain postrouting {
                type nat hook postrouting priority 100
                oifname $ext_interface masquerade

But my machine was still sending unmasquraded data.

It was fixed by doing:
table inet filter {
       chain forward {
               type filter hook forward priority 0
                ct state invalid counter drop # <- this one

It just seems odd to me that traffic can go through without being NAT:ed

I only discovered this since one device managed to NAK alot of DHCP
packets and eventually
i was disconnected from my ISP (so switches are still suspect, and
will be inspected further when they are reconnected again)

And since i thought it was quite bad to just drop internal traffic
that tries to get somewhere i was looking
 to see if i could do a ttl exceeded or so response to make it retry -
best i could do was:
ct state invalid counter reject with icmp type port-unreachable

Which could be further enhanced by iifname <int interface> as a prefix

[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux