Doesn't the whole story here imply IP-IP tunneling from two "well"-defined interfaces? Even if my MASQing firewall had IP-to-IP capability, if I had received such a packet from an arbitrary host, it would have been dropped. Or maybe I didn't read this email correctly? Ramin On Sun, Jun 22, 2003 at 05:44:49AM +0300, Elver Loho wrote: > I was on #netfilter (irc.freenode.net) earlier and asked about a possible flaw in the NAT howto, but got no reply (people sleeping?) so I'm just going to paste what I said here and go to sleep. (nearing 6am currently) > > > <elver> I have a question about masquerading. The NAT howto gives an example like this: "iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE", but since it masks the packets that are outgoing on ppp0 (by the destination IP, interface IP and netmask) then could that rule also be exploited by outside hosts tunneling? > <elver> For example, we have host A on subnet where the gateway to the internet is B (running that same rule) and then there are external hosts on the internet C and D. A's packets to C and D are masq'ed by B, but can't C and D also use B as a IP-level proxy to communicate to eachother? > <elver> Over LAN the routing is done on the ethernet level usually, but over the internet this could possibly done by IP encapsulation (RFC 2003 and RFC 1853) > <elver> Coming back to the example, C tunneling through B to D would look something like [ IP layer: from C to B [ IP layer: from C to D [ TCP layer [ Data ] ] ] ] > <elver> RFC 2003 does however define that if the source IP is the same as any interface on itself, then it should drop it. So therefore, C can't fake the address part to be B. However, with masquerading, it would NAT the connection and thus to D it would appear as if the data was coming from B. > <elver> Since Netfilter does NAT in the POSTROUTING table, then it only cares about the outgoing interface, which would be ppp0 or whatever your internet link might be. > <elver> The problem would be delivering the packet to B so that B would think that it is outgoing on it's internet link. > <elver> Since routing is done at a higher layer (Ethernet layer above the IP layer for example) then IP encapsulation could possibly used to deliver it to host B. > <elver> The quick and dirty masquerading part of the NAT howto at netfilter.org (http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1) does not build any safeguards against this. > <elver> Sensible way would be denying all forwarding requests coming in over the internet link. > <elver> Potentially this could mean that there are hundreds of Linux gateways out there that could be used as anonymous proxies. > <elver> Funny. The Masquerading Simple Howto (http://www.linuxdocs.org/HOWTOs/Masquerading-Simple-HOWTO/summary.html) DOES address that specific security hole by adding "iptables -A FORWARD -i eth0 -o eth0 -j REJECT". > <elver> So I would say that anyone using just netfilter.org howto could be vulnerable. (http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1) > > > This inconsistency between howtos was pointed out by Peter Johansson (x-g@xxxxxxxxxxx) when he was looking for docs while setting up his Linux gateway. I did the additional research into the subject. > > > Elver Loho > kernelpenguin@xxxxxx > > ----------------------------------------- > Hot Mobiil - helinad, logod ja piltsõnumid! > http://portal.hot.ee >
