SLIDE 1

IP Masquerading using iptables

Eli Billauer

eli billauer@yahoo.com

IP Masquerading using iptables – p.1

SLIDE 2

Talk’s outline

- iptables versus ipchains
- The goal (or: my goal)
- The packet’s way through iptables
- “Classic” masquerading (SNAT)
- DNS faking (with DNAT)
- Other things
- Firewalling with iptables (if we have time)
- Questions I’ll hopefully answer
- Not covered: packet mangling (change TOS, TTL and flags)

SLIDE 3

Differences between iptables and ipchains

- Same author (Rusty Russell), and basically smells the same
- Most important: FORWARD taken apart from INPUT and OUTPUT
- Changes in syntax
- Masquerading is handled “separately”

SLIDE 4

ipchains and iptables don’t live together

- If the ipchains module is resident in the kernel, iptables won’t insmod
- And vice versa
- The typical error message is misleading: “No kernel support”
- Red Hat 7.3 boots up with ipchains as default

SLIDE 5

What I wanted in the first place

[Network diagram: Windows 2000 computer and Linux computer on the internal network, reached through the Linux computer’s eth0 (addresses 10.128.200.1 and 10.128.200.2); Linux eth1 (10.0.0.1) connected to the ADSL modem (10.0.0.138); ppp0 link over the modem with addresses 81.218.94.210 and 81.218.94.1]

SLIDE 6

Requirements

- Windows computer should have a gateway
- DNS issue solved elegantly
- Both computers have access to the network at the same time
- Network between the computers is trusted
- Proper firewalling
- ADSL modem is considered hostile

SLIDE 7

iptables: The IP packet’s flow

[Diagram of the packet flow through the chains]
- From the network: PREROUTING (nat), then the routing decision
- Routed to this host: INPUT (filter), then the host’s IP stack (TCP, UDP, ICMP, ...)
- Routed to another host: FORWARD (filter), then POSTROUTING (nat), then out to the network
- Generated by the host: OUTPUT (filter, nat), then POSTROUTING (nat), then out to the network
- A packet only moves on from a chain that ACCEPTs it

SLIDE 8

iptables: How to swallow this

- Packet filtering (firewalls) and manipulation (masquerading) are neighbours
- Therefore, the same tools are used
- Think routing tables
- Chains: think subroutines
- Each rule ends with a target (a jump), or the next line is taken
- Subchains work exactly like subroutines
- Tables: groups of chains: filter and nat
- Each chain has a policy – the default target

SLIDE 9

What is Masquerading?

- All computers appear to have the same IP
- This is done with Network Address Translation
- It’s easy to fake the “outgoing packet”
- “Incoming packets” must be translated too
- Port translation – a must

SLIDE 10

iptables: The IP packet’s flow

[Same diagram, now showing where the address translation happens]
- From the network: PREROUTING (DNAT), then the routing decision
- Routed to this host: INPUT (filter), then the host’s IP stack (TCP, UDP, ICMP, ...)
- Routed to another host: FORWARD (filter), then POSTROUTING (SNAT), then out to the network
- Generated by the host: OUTPUT (filter, DNAT), then POSTROUTING (SNAT), then out to the network

SLIDE 11

Source Network Address Translation (SNAT)

- On ADSL: catch packets going out on ppp0
- The source IP is changed
- Source port numbers may be changed
- Easiest rule: do SNAT on all packets going out on ppp0
- Will include OUTPUT packets by accident, but who cares?
- Remember: every SNAT produces an implicit DNAT
- And vice versa

SLIDE 12

“Incoming” packets

- The problem: where should the packet go?
- Simple TCP connection: iptables remembers the port numbers
- UDP: tricky
- DNS: return the answer to whoever asked
- ICMP: ping answers go the right way (!)
- FTP, ICQ and friends: require special treatment (they work for me as a basic client)
- When the other side opens a connection, that has to be treated specially
- iptables has application-based modules

SLIDE 13

Defining SNAT iptables commands

The strict way:

    iptables -t nat -A POSTROUTING -o ppp0 -j SNAT \
        --to $PPPIP

The liberal way:

    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

- The “liberal” form is better for temporary connections:
- MASQUERADE automatically chooses the address
- MASQUERADE forgets old connections when the interface goes down
- For dial-up, cable modems and ADSL: MASQUERADE wins

SLIDE 14

POSTROUTING is just another chain

- Selective rules can be used
- Different manipulations are possible
- Use -j ACCEPT to let the packet through untouched

SLIDE 15

The wrong way to masquerade

    iptables -t nat -A POSTROUTING -j MASQUERADE

- This makes masquerading the default policy for any outgoing packet...
- ...including any forwarded packet.
- All forwarded packets will appear to come from the masquerading host.
- May confuse firewalls
- Even worse, may confuse service applications to compromise security

SLIDE 16

Masquerading and firewalling

- The internal computers are implicitly firewalled
- The main computer gets all the unrelated packets
- The main computer must be protected
- The main computer is protected with the INPUT and OUTPUT chains
- The other computers are protected with the FORWARD chain
- Note that the FORWARD chain also applies to the intranet connection

SLIDE 17

DNS faking with DNAT

- The other computers have constant DNS addresses
- The address is translated with DNAT

    iptables -t nat -A PREROUTING -d 10.2.0.1 \
        -j DNAT --to-destination 192.115.106.31
    iptables -t nat -A PREROUTING -d 10.2.0.2 \
        -j DNAT --to-destination 192.115.106.35

SLIDE 18

Automatic DNS DNAT setup

- In an ADSL connection, the DNS addresses are given on connection
- An ip-up.local script writes these addresses into the resolv.conf file

    DNScount=1
    for nameserver in \
      `perl -nle "/nameserver\D*(\d*\.\d*\.\d*\.\d*)/i && \
      (\\$1=~/^127/ || print \\$1)" /etc/resolv.conf`; do
      iptables -t nat -A PREROUTING -d 10.2.0.$DNScount \
        -j DNAT --to-destination $nameserver
      let DNScount=DNScount+1;
    done;

- The perl statement above extracts the two addresses
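The same loop as an added example, not code from the talk: sed replaces the perl one-liner, loopback resolvers are skipped as on the slide, and the commands are printed rather than applied unless IPT is set to the real iptables. The function names, the IPT variable and the 192.0.2.x resolver addresses in the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the talk: generate the slide's DNS DNAT rules
# from a resolv.conf file, with sed in place of the talk's perl one-liner.
# IPT defaults to "echo iptables", so the commands are printed instead of
# applied; run with IPT=iptables to change the live nat table.
IPT=${IPT:-"echo iptables"}

# nameservers FILE: print each nameserver address in FILE, one per line,
# skipping 127.x.x.x entries, which the masqueraded hosts could not reach.
nameservers() {
    sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([0-9.]*\).*/\1/p' "$1" |
        grep -v '^127\.'
}

# dns_dnat_rules FILE: one PREROUTING DNAT rule per resolver, mapping the
# fixed addresses 10.2.0.1, 10.2.0.2, ... that the internal hosts use as
# DNS servers onto the addresses the ADSL provider handed out.
dns_dnat_rules() {
    count=1
    for ns in $(nameservers "$1"); do
        $IPT -t nat -A PREROUTING -d 10.2.0.$count \
            -j DNAT --to-destination "$ns"
        count=$((count + 1))
    done
}

# Constructed sample resolv.conf (assumed addresses), as pppd would leave it.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 192.0.2.54
EOF
dns_dnat_rules "$SAMPLE"
rm -f "$SAMPLE"
```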

SLIDE 19

The MTU on the Windows computer

- The ADSL ppp connection has an MTU of 1452
- Normal Ethernet has an MTU of 1500
- The Windows computer doesn’t know it goes through ADSL
- Fragmentation
- Fixed by adding an entry to the Windows registry

SLIDE 20

Other tricks

- Server on a masqueraded host (DNAT)
- Port remapping (redirection)
- Load balancing (one-to-many forward DNAT)
- Packet mangling

SLIDE 21

The filter chains

- INPUT, OUTPUT and FORWARD
- Targets: ACCEPT, DROP, REJECT or QUEUE
- A set of selective rules makes a firewall

SLIDE 22

Example: A firewall

Close everything and flush the chains:

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -F -t nat
    iptables -F -t filter
    iptables -X

SLIDE 23

Example: A firewall (cont.)

Allow everything on the loopback interface:

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

SLIDE 24

Example: A firewall (cont.)

Keep the ADSL modem on a short leash (only the PPTP control connection on TCP port 1723 and GRE are allowed):

    iptables -A INPUT -i eth1 -s 10.0.0.138/32 \
        -d 10.0.0.0/8 -p tcp \
        --sport 1723 -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth1 -s 10.0.0.138/32 \
        -d 10.0.0.0/8 -p gre -j ACCEPT
    iptables -A INPUT -i eth1 -j DROP
    iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \
        -d 10.0.0.138/32 -p tcp --dport 1723 \
        -j ACCEPT
    iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \
        -d 10.0.0.138/32 -p gre -j ACCEPT
    iptables -A OUTPUT -o eth1 -j DROP

SLIDE 25

Example: A firewall (cont.)

Linux computer with network rules:

    iptables -A OUTPUT -o ppp0 -s $PPPIP -j ACCEPT
    iptables -A INPUT -s ! 10.128.0.0/16 -p tcp \
        --dport 0:1023 -j DROP
    iptables -A INPUT -i ppp0 -d $PPPIP -m state \
        --state ESTABLISHED,RELATED -j ACCEPT

SLIDE 26

Example: A firewall (cont.)

Everything is allowed on the internal network:

    iptables -A INPUT -s 10.128.0.0/16 \
        -d 10.128.0.0/16 -j ACCEPT
    iptables -A OUTPUT -s 10.128.0.0/16 \
        -d 10.128.0.0/16 -j ACCEPT

SLIDE 27

Example: A firewall (cont.)

Forwarding...

    iptables -A FORWARD -i ppp0 -o eth0 -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
    iptables -A FORWARD -j DROP

Note that there is no forwarding within the internal network

SLIDE 28

iptables script finale

- Make sure that the main chains end with DROP
- Zero the counters

    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP
    iptables -A FORWARD -j DROP
    iptables -Z
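An added check, not part of the talk, that covers three of its points at once: the unrestricted MASQUERADE of slide 15, the DROP policies of slide 22 and the trailing DROP rules of slide 28. It reads a ruleset in iptables-save format (as produced by `iptables-save`) and reports every rule that breaks one of them; the function name and the sample dump are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the talk: audit an iptables-save dump against
# three of its points. A POSTROUTING MASQUERADE/SNAT rule must be tied
# to the external interface with -o (slide 15, "the wrong way"), and
# INPUT/OUTPUT/FORWARD must have a DROP policy (slide 22) and end with an
# explicit DROP (slide 28). One line per finding; returns 1 if any.
audit_rules() {
    awk '
    function bad(msg) { print msg; n++ }
    /^\*/ { table = substr($0, 2) }            # *nat or *filter section
    table == "filter" && /^:(INPUT|OUTPUT|FORWARD) / && $2 != "DROP" {
        bad("policy of " substr($1, 2) " is " $2 ", not DROP")
    }
    table == "nat" && /^-A POSTROUTING / && /-j (MASQUERADE|SNAT)/ {
        if ($0 !~ /(^| )-o [^ ]+/) bad("NAT rule not tied to an interface: " $0)
    }
    table == "filter" && /^-A (INPUT|OUTPUT|FORWARD) / { last[$2] = $0 }
    END {
        split("INPUT OUTPUT FORWARD", chain, " ")
        for (i = 1; i <= 3; i++) {
            c = chain[i]
            if (!(c in last)) bad(c " has no rules")
            else if (last[c] !~ /-j DROP$/) bad(c " does not end with DROP: " last[c])
        }
        exit (n > 0)
    }' "$1"
}

# Constructed sample dump with three problems: INPUT policy ACCEPT, the
# unrestricted MASQUERADE from slide 15, and INPUT not ending in DROP.
BAD=$(mktemp)
cat > "$BAD" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:OUTPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF
audit_rules "$BAD" || echo "ruleset needs fixing"
rm -f "$BAD"
```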

SLIDE 29

Summary

- It works really well
- It’s not difficult to set up if you know what you’re doing

SLIDE 30

References

- Linux IP Masquerade HOWTO (a version written in Jan 2003 is available)
- man iptables

SLIDE 31

The End

Questions?

Slides were made with LaTeX, using the prosper document class