> Which are your rules in the nat table (POSTROUTING)?

Briefly, what I have:

  *nat
  -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.0.0/16 \
    -j SNAT --to-source 22.33.44.55

  *filter
  -A FORWARD -s 192.168.0.0/24 \
    -m comment --comment "admin-subnet" -j ACCEPT
  -A FORWARD -d 192.168.1.0/24 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -d 192.168.1.0/24 \
    -j REJECT --reject-with icmp-host-unreachable
  -A FORWARD -s 192.168.1.0/24 \
    -j ACCEPT

How to test:

  tcpdump -i eth0 -ne 'net 192.168.1.0/24'

Here eth0 (22.33.44.55) is the internet interface, as an example.

What the test outputs _sometimes_ (rarely):

  IP 192.168.1.4.50226 > 74.125.77.19.443: F 253979169:253979169(0) ack 3081852170 win 16445
  IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
  IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
  IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
  IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
  IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
  IP 192.168.1.4.50226 > 74.125.77.19.443: R 1:1(0) ack 1 win 0

Also:

1. Flushing connections with 'conntrack -F' considerably increases the
   rate of these unNATed packets.

2. After

     iptables -A FORWARD -s 192.168.0.0/16 \! -d 192.168.0.0/16 \
       -m state --state INVALID -j DROP

   all works properly (no strange packets).

>
> Jorge Dávila.
>
> Jorge Isaac Davila Lopez
> Nicaragua Open Source
> +505-8430-5462
> davila@xxxxxxxxxxxxxxxxxxxxxxx
>
> On Apr 12, 2010, Igor Bogomazov <bi@xxxxx> wrote:
> Hello,
>
> Just noticed a few packets which pass SNAT in POSTROUTING without
> altering their SRC. The problem has been obscured by the fact that
> all works in general, no one complains.
>
> After I add a REJECT rule for "-m state --state INVALID" connections,
> unmodified (not NATed) packets have disappeared. All right now.
>
> Why do INVALID connections pass through NAT instead of being dropped? It
> seems like a security risk, when a hacker can listen to non-NATed packets
> behind the router and learn the network topology.
> --
> Best regards,
> Igor Bogomazov
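A defender-side check for the leak discussed in this thread, as an added example that is not part of the original mail: it scans tcpdump output taken on the internet interface for packets whose source is still a LAN address, i.e. packets that left without being SNATed, and notes whether they carry FIN/RST, the late-close packets that conntrack classes INVALID and the nat table therefore never rewrites. The sample lines are constructed after the ones in the thread; the 192.168.0.0/16 LAN range and the 22.33.44.55 public address are taken from the rules above, and the regex assumes tcpdump's "-n" line layout as shown.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's tcpdump output: three packets that
# left eth0 with their private source intact (FIN/RST of a connection conntrack
# no longer tracks) plus one packet that was correctly SNATed to 22.33.44.55.
SAMPLE_TCPDUMP = """\
IP 192.168.1.4.50226 > 74.125.77.19.443: F 253979169:253979169(0) ack 3081852170 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: R 1:1(0) ack 1 win 0
IP 22.33.44.55.50226 > 74.125.77.19.443: . ack 1 win 16445
"""

# Addresses that must never appear as a source on the internet interface.
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# "<src>.<sport> > <dst>.<dport>: <flags>"; old tcpdump prints the flags as
# "F", "R", "." etc., newer releases as "Flags [F.]". Both forms are accepted.
PKT_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<nflags>[^\]]*)\]|(?P<oflags>[A-Z.]+))"
)

def parse_packet(line):
    """Return {src, sport, dst, dport, flags} for a TCP line, or None."""
    m = PKT_RE.search(line)
    if not m:
        return None
    flags = m.group("nflags") if m.group("nflags") is not None else m.group("oflags")
    return {"src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")), "flags": flags}

def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)

def find_unnated_packets(lines):
    """Flag packets that left the internet interface with a LAN source.

    stale_close marks FIN/RST hits: in the thread these are the packets
    conntrack classed INVALID, which the nat table never rewrites."""
    hits = []
    for line in lines:
        pkt = parse_packet(line)
        if pkt and is_lan(pkt["src"]) and not is_lan(pkt["dst"]):
            pkt["stale_close"] = bool(set("FR") & set(pkt["flags"]))
            hits.append(pkt)
    return hits
```

Run find_unnated_packets(SAMPLE_TCPDUMP.splitlines()) to see the three leaked packets; feeding it a live capture (tcpdump -i eth0 -n -l 'net 192.168.0.0/16') gives a running check that the INVALID DROP rule from point 2 is doing its job.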