I was on #netfilter (irc.freenode.net) earlier and asked about a possible flaw in the NAT howto, but got no reply (people sleeping?) so I'm just going to paste what I said here and go to sleep. (nearing 6am currently) <elver> I have a question about masquerading. The NAT howto gives an example like this: "iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE", but since it masks the packets that are outgoing on ppp0 (by the destination IP, interface IP and netmask) then could that rule also be exploited by outside hosts tunneling? <elver> For example, we have host A on subnet where the gateway to the internet is B (running that same rule) and then there are external hosts on the internet C and D. A's packets to C and D are masq'ed by B, but can't C and D also use B as a IP-level proxy to communicate to eachother? <elver> Over LAN the routing is done on the ethernet level usually, but over the internet this could possibly done by IP encapsulation (RFC 2003 and RFC 1853) <elver> Coming back to the example, C tunneling through B to D would look something like [ IP layer: from C to B [ IP layer: from C to D [ TCP layer [ Data ] ] ] ] <elver> RFC 2003 does however define that if the source IP is the same as any interface on itself, then it should drop it. So therefore, C can't fake the address part to be B. However, with masquerading, it would NAT the connection and thus to D it would appear as if the data was coming from B. <elver> Since Netfilter does NAT in the POSTROUTING table, then it only cares about the outgoing interface, which would be ppp0 or whatever your internet link might be. <elver> The problem would be delivering the packet to B so that B would think that it is outgoing on it's internet link. <elver> Since routing is done at a higher layer (Ethernet layer above the IP layer for example) then IP encapsulation could possibly used to deliver it to host B. <elver> The quick and dirty masquerading part of the NAT howto at netfilter.org (http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1) does not build any safeguards against this. <elver> Sensible way would be denying all forwarding requests coming in over the internet link. <elver> Potentially this could mean that there are hundreds of Linux gateways out there that could be used as anonymous proxies. <elver> Funny. The Masquerading Simple Howto (http://www.linuxdocs.org/HOWTOs/Masquerading-Simple-HOWTO/summary.html) DOES address that specific security hole by adding "iptables -A FORWARD -i eth0 -o eth0 -j REJECT". <elver> So I would say that anyone using just netfilter.org howto could be vulnerable. (http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1) This inconsistency between howtos was pointed out by Peter Johansson (x-g@xxxxxxxxxxx) when he was looking for docs while setting up his Linux gateway. I did the additional research into the subject. Elver Loho kernelpenguin@xxxxxx ----------------------------------------- Hot Mobiil - helinad, logod ja piltsõnumid! http://portal.hot.ee
