Hello,
Jeff Weber a écrit :
I've setup DNAT on gateway such that external clients connecting to TCP port
$SCADA_PORT on the gateway are actually connected to the node $MCB_IP on a
private network. Here's my rule:
$IPTABLES -t nat -A PREROUTING -p tcp -d $DAS_SCADA_IP --dport $SCADA_PORT \
-i $DAS_SCADA_IF -j DNAT --to $MCB_IP:$SCADA_PORT
I've added a firewall rule to block external requests to forward through the
gateway:
$IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF --syn -j DROP
The trouble is, I just found out that the above firewall rule is not
compatible with my DNAT rule.
Indeed. The TCP SYN packet arrives on $DAS_SCADA_IF, so it matches the rule.
That is, DNAT rewrites the destination IP [as
it should] to the $MCB_IP, then forwards the packet, which then encounters
the new firewall rule, and is dropped.
Actually DNAT only rewrites the destination and does nothing more. It is
the routing decision which forwards the packet.
So I preceeded the above firewall rule with another rule:
$IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF -s $SCADANET -d $MCB_IP \
--dport $SCADA_PORT -j ACCEPT
which enables the DNAT to work again. However, a side effect is that now
external nodes on $SCADANET can forward port=$SCADA_PORT to IP=$MCB_IP
directly through the firewall.
Yes, this is a known side effect. Like you I used to worry about it but
not any more now, considering that accesses via either the internal and
external addresses have exactly the same effects. Besides, one has to
know about the internal address in order to use it, so why hide it ?
Granted this is a small pinhole, but I'd like
to plug it if possible. I would think that it should be possible to prevent
all external nodes from forwarding through the firewall, and to prevent
external hosts from directly "seeing" an internal node on the private net.
I can think of the following options :
- Drop packets which match "-d $MCB_IP" in the mangle/PREROUTING chain.
The mangle table is not the preffered way for filtering (you cannot use
REJECT there) but it works. Do not use the nat table for filtering.
- MARK packets which match "-p tcp -d $DAS_SCADA_IP --dport $SCADA_PORT"
in the mangle/PREROUTING, then DNAT the marked packet in the
nat/PREROUTING chain and ACCEPT them in the filter/FORWARD table before
the DROP rule. Or MARK the packets which do not match, don't DNAT them
and DROP/REJECT them.
- In the filter/FORWARD chain, ACCEPT only packets matching
"-m conntrack --ctstate DNAT --ctorigdst $DAS_SCADA_IP", that is with
the external original destination address.