IP Masquerading (NAT) Using Iptables

1. Talk's outline

• iptables versus ipchains
• The goal (or: my goal)
• The packet's way through iptables
• Classic masquerading (SNAT)
• DNS faking (with DNAT)
• Other things
• Firewalling with iptables (if we have time)
• Questions I'll hopefully answer

Not covered: packet mangling (changing TOS, TTL and flags)

2. Differences between iptables and ipchains

• Same author (Rusty Russell), and basically smells the same
• Most important: FORWARD is taken apart from INPUT and OUTPUT (a forwarded packet traverses only FORWARD, not INPUT and OUTPUT as it did in ipchains)
• Changes in syntax
• Masquerading is handled separately (in the nat table)

3. ipchains and iptables don't live together

• If the ipchains module is resident in the kernel, iptables won't insmod
• And vice versa
• The typical error message is misleading: "No kernel support"
• Red Hat 7.3 boots up with ipchains as default: check with lsmod, and rmmod ipchains before using iptables

4. What I wanted in the first place

5. Requirements

• The Windows computer should have a gateway
• The DNS issue solved elegantly
• Both computers have access to the network at the same time
• The network between the computers is trustful
• Proper firewalling
• The ADSL modem is considered hostile

6. iptables: The IP packet's flow

7. iptables: How to swallow this

• Packet filtering (firewalls) and manipulation (masquerading) are neighbours
• Therefore, the same tools are used
• Think routing tables: a list of rules, scanned in order
• Chains: think subroutines
• Each rule either ends with a target (a jump), or the next rule is taken
• Subchains (user-defined chains) work exactly like subroutines: RETURN, or falling off the end, goes back to the calling chain
• Tables: groups of chains: filter and nat (and mangle, not covered here)
• Each built-in chain has a policy: the default target, taken when no rule matched

8. What is Masquerading?

• All computers appear to have the same IP
• This is done with Network Address Translation
• It's easy to fake the outgoing packet
• Incoming packets must be translated too
• Port translation is a must (two internal hosts may well use the same source port)

9. iptables: The IP packet's flow

10. Source Network Address Translation (SNAT)

• On ADSL: catch packets going out on ppp0
• The source IP is changed
• Source port numbers may be changed
• Easiest rule: do SNAT on all packets going out on ppp0
• This will include the gateway's own OUTPUT packets by accident, but who cares? (Their source is the ppp0 address anyway.)
• Remember: every SNAT produces an implicit DNAT of the reply packets, and vice versa

11. Incoming packets

• The problem: where should the packet go?
• Simple TCP connection: connection tracking remembers the port numbers
• UDP: tricky (there is no connection), but the same trick works on the address and port pair
• DNS: return the answer to whoever asked
• ICMP: ping answers go the right way (!) (matched on the ICMP id)
• FTP, ICQ and friends: require special treatment (they work for me as a basic client)
• When the other side opens a connection, that has to be treated specially
• iptables has application-based modules for this (e.g. ip_conntrack_ftp and ip_nat_ftp)

12. Defining SNAT: iptables commands

The strict way:

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source $PPPIP

The liberal way:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

The liberal form is better for temporary connections:

• MASQUERADE automatically chooses the address (that of the outgoing interface)
• MASQUERADE forgets old connections when the interface goes down (SNAT keeps mappings to the stale address)
• For dialup, cable modems and ADSL: MASQUERADE wins

13. POSTROUTING is just another chain

• Selective rules can be used (match on destination, protocol, and so on)
• Different manipulations are possible
• Use -j ACCEPT to let the packet through untouched

14. The wrong way to masquerade

iptables -t nat -A POSTROUTING -j MASQUERADE

This masquerades any outgoing packet, on any interface... including any forwarded packet. All forwarded packets will appear to come from the masquerading host, on the internal network too. This may confuse firewalls. Even worse, it may confuse service applications into trusting the packets (they see the gateway's address, not the real client's), and so compromise security. Always bind the rule to the external interface with -o ppp0.

15. Masquerading and firewalling

• The internal computers are implicitly firewalled: an unsolicited packet from outside has no NAT mapping, so it is never forwarded to them
• Instead, the main computer gets all those unrelated packets
• The main computer must be protected
• The main computer is protected with the INPUT and OUTPUT chains
• The other computers are protected with the FORWARD chain
• Note that the FORWARD chain also applies to the intranet connection: it sees the internal computers' outgoing packets as well, not just what comes in from ppp0

16. DNS faking with DNAT

• The other computers are configured with constant DNS addresses (10.2.0.1 and 10.2.0.2)
• The address is translated with DNAT to the real DNS server of the day

iptables -t nat -A PREROUTING -d 10.2.0.1 \
        -j DNAT --to-destination 192.115.106.31
iptables -t nat -A PREROUTING -d 10.2.0.2 \
        -j DNAT --to-destination 192.115.106.35

17. Automatic DNS DNAT setup

• In an ADSL connection, the DNS addresses are given on connection
• An ip-up.local script writes these addresses into the resolv.conf file, and then:

DNScount=1
for nameserver in \
    `perl -nle '/nameserver\D*(\d+\.\d+\.\d+\.\d+)/i && ($1 =~ /^127/ || print $1)' /etc/resolv.conf`;
do
    iptables -t nat -A PREROUTING -d 10.2.0.$DNScount \
        -j DNAT --to-destination $nameserver
    let DNScount=DNScount+1
done

The perl statement above extracts the nameserver addresses from resolv.conf (skipping a local 127.x.x.x resolver); the loop maps them to 10.2.0.1, 10.2.0.2 and so on. Note that each run appends rules: on a reconnect the old ones should be flushed first.
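The following is an added example (my code, not the talk's script) of an ip-up.local fragment that rebuilds the DNS DNAT rules of slides 16 and 17 each time the link comes up. My assumptions: the fake addresses are 10.2.0.1 and 10.2.0.2 as on slide 16, the internal interface is eth0 as in the firewall slides, the rules live in their own nat chain (which I call DNSFAKE) so they can be flushed on reconnect instead of piling up, and the translation is restricted to port 53 (the slide's rule translates every packet sent to the fake address). The perl one-liner is replaced by awk, and IPTABLES=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: rebuild the DNS DNAT rules on every ip-up (not the talk's own code).
# Assumptions (mine): fake resolver addresses 10.2.0.<n>, internal interface eth0,
# a dedicated nat chain DNSFAKE, DNAT limited to port 53.
# Set IPTABLES=echo to see the rules without touching the kernel.

IPTABLES=${IPTABLES:-iptables}
FAKE_NET=10.2.0          # the Windows box is told its DNS servers are 10.2.0.<n>
MAX_FAKE=2               # slide 16 hands out two such addresses
INTERNAL_IF=eth0         # only translate queries arriving from the LAN

# extract_nameservers FILE: print the nameserver addresses found in FILE, one
# per line, skipping a local 127.x.x.x resolver (the job of the perl one-liner
# on slide 17, done with awk). Comment lines start with "#" in field 1, so
# they never match.
extract_nameservers() {
    awk '
        tolower($1) == "nameserver" &&
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        $2 !~ /^127\./ { print $2 }
    ' "$1"
}

# dns_dnat_rules FILE: (re)build the DNSFAKE chain from the nameservers in FILE.
# Old mappings are flushed first, so reconnecting does not accumulate rules.
dns_dnat_rules() {
    # Create the chain if it is missing (the error on an existing chain is
    # harmless), then empty it.  The hook from PREROUTING is deleted and
    # re-added so it exists exactly once.
    $IPTABLES -t nat -N DNSFAKE 2>/dev/null || true
    $IPTABLES -t nat -F DNSFAKE
    $IPTABLES -t nat -D PREROUTING -j DNSFAKE 2>/dev/null || true
    $IPTABLES -t nat -A PREROUTING -j DNSFAKE

    count=0
    for ns in $(extract_nameservers "$1"); do
        # Windows only knows MAX_FAKE fake addresses; further servers are ignored.
        [ "$count" -lt "$MAX_FAKE" ] || break
        count=$((count + 1))
        # DNS is UDP, with TCP as fallback for large answers: translate both,
        # but nothing else sent to the fake address.
        $IPTABLES -t nat -A DNSFAKE -i "$INTERNAL_IF" -p udp --dport 53 \
            -d "$FAKE_NET.$count" -j DNAT --to-destination "$ns"
        $IPTABLES -t nat -A DNSFAKE -i "$INTERNAL_IF" -p tcp --dport 53 \
            -d "$FAKE_NET.$count" -j DNAT --to-destination "$ns"
    done
}

# From ip-up.local, after pppd has written the new resolv.conf:
#   dns_dnat_rules /etc/resolv.conf
# Dry run:
#   IPTABLES=echo dns_dnat_rules /etc/resolv.conf
```

Because the fake addresses are rewritten in PREROUTING, the translated query still has to pass the FORWARD chain (eth0 to ppp0) and the POSTROUTING MASQUERADE rule like any other outgoing packet.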

18. The MTU on the Windows computer

• The ADSL PPP connection has an MTU of 1452
• Normal Ethernet has an MTU of 1500
• The Windows computer doesn't know it goes through ADSL
• Result: fragmentation
• Fixed by adding an entry in the Windows registry (the interface's MTU)
• The alternative on the Linux side is to clamp the TCP MSS of forwarded SYN packets with the TCPMSS target in the mangle table (packet mangling, not covered in this talk)

19. Other tricks

• A server on a masqueraded host (DNAT in PREROUTING)
• Port remapping (REDIRECT)
• Load balancing (one-to-many DNAT: a destination range, picked round-robin)
• Packet mangling

20. The filter chains

• INPUT, OUTPUT and FORWARD
• Targets: ACCEPT, DROP, REJECT or QUEUE (or a jump to a user-defined chain)
• A set of selective rules makes a firewall

21. Example: A firewall

Close everything and flush the chains. Do this from the console: with the policies at DROP and the chains flushed, a remote session dies right here.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F -t nat
iptables -F -t filter
iptables -X

22. Example: A firewall (cont.)

Allow everything on the loopback interface:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

23. Example: A firewall (cont.)

Keep the ADSL modem on a short leash: the modem at 10.0.0.138 on eth1 may only talk PPTP (TCP port 1723 plus GRE), which is what carries the PPP session, and nothing else.

iptables -A INPUT -i eth1 -s 10.0.0.138/32 -d 10.0.0.0/8 -p tcp \
        --sport 1723 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -s 10.0.0.138/32 -d 10.0.0.0/8 -p gre -j ACCEPT
iptables -A INPUT -i eth1 -j DROP
iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 -d 10.0.0.138/32 -p tcp --dport 1723 \
        -j ACCEPT
iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 -d 10.0.0.138/32 -p gre -j ACCEPT
iptables -A OUTPUT -o eth1 -j DROP

24. Example: A firewall (cont.)

The Linux computer's own network rules: anything may go out on ppp0, nobody outside the internal network reaches the privileged ports, and only replies to the gateway's own connections come in on ppp0.

iptables -A OUTPUT -o ppp0 -s $PPPIP -j ACCEPT
iptables -A INPUT -s ! 10.128.0.0/16 -p tcp --dport 0:1023 -j DROP
iptables -A INPUT -i ppp0 -d $PPPIP -m state --state ESTABLISHED,RELATED -j ACCEPT

(The "-s !" form is the old syntax; newer iptables releases write the negation as "! -s".)

25. Example: A firewall (cont.)

Everything is allowed on the internal network:

iptables -A INPUT -s 10.128.0.0/16 -d 10.128.0.0/16 -j ACCEPT
iptables -A OUTPUT -s 10.128.0.0/16 -d 10.128.0.0/16 -j ACCEPT

These rules match on addresses only. Adding -i eth0 and -o eth0 binds them to the internal interface, so that a packet arriving on ppp0 with a forged 10.128.x.x source address is not accepted.

26. Example: A firewall (cont.)

Forwarding:

iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -j DROP

Note that there is no forwarding in the internal network (nothing from eth0 back to eth0, and nothing to or from eth1). Forwarding also has to be switched on in the kernel: echo 1 > /proc/sys/net/ipv4/ip_forward.

27. iptables script finale

• Make sure that the main chains end with DROP (belt and braces: the policy is DROP already)
• Zero the counters

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
iptables -Z
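Slides 21 to 27 are the steps of one script. Below is an added example (my code, not the talk's) that assembles them into a single re-runnable script, with the MASQUERADE rule of slide 12 included (slide 21 flushes the nat table, so the masquerading has to be re-added in the same script) and the internal-network rules bound to their interface, as suggested above. My assumptions: ppp0 is the ADSL link, eth0 the trusted internal network 10.128.0.0/16, eth1 the link to the ADSL modem at 10.0.0.138, and PPPIP is exported by the caller (pppd passes the local address to ip-up as its fourth argument). With IPTABLES=echo the script prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: the firewall of slides 21-27 as one script (not the talk's own code).
# Assumptions (mine): ppp0 external, eth0 internal (10.128.0.0/16), eth1 to the
# ADSL modem 10.0.0.138, PPPIP exported by the caller.
# IPTABLES=echo prints the rules instead of loading them.

IPTABLES=${IPTABLES:-iptables}
EXT_IF=ppp0
INT_IF=eth0
INT_NET=10.128.0.0/16
MODEM_IF=eth1
MODEM_IP=10.0.0.138/32
MODEM_NET=10.0.0.0/8

# firewall_rules: load the complete rule set.  Returns 1 without touching
# anything if PPPIP is unset, since half the rules would then be wrong.
firewall_rules() {
    if [ -z "$PPPIP" ]; then
        echo "firewall_rules: PPPIP (the address of $EXT_IF) is not set" >&2
        return 1
    fi

    # Slide 21: close everything, then flush.  Run from the console: a
    # remote session is cut off at this point.  -X only cleans user chains
    # of the filter table, so the nat table gets its own.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F -t nat
    $IPTABLES -F -t filter
    $IPTABLES -X
    $IPTABLES -t nat -X

    # Slide 22: loopback
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Slide 23: the modem only gets PPTP (TCP 1723 plus GRE)
    $IPTABLES -A INPUT -i $MODEM_IF -s $MODEM_IP -d $MODEM_NET -p tcp --sport 1723 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i $MODEM_IF -s $MODEM_IP -d $MODEM_NET -p gre -j ACCEPT
    $IPTABLES -A INPUT -i $MODEM_IF -j DROP
    $IPTABLES -A OUTPUT -o $MODEM_IF -s $MODEM_NET -d $MODEM_IP -p tcp --dport 1723 -j ACCEPT
    $IPTABLES -A OUTPUT -o $MODEM_IF -s $MODEM_NET -d $MODEM_IP -p gre -j ACCEPT
    $IPTABLES -A OUTPUT -o $MODEM_IF -j DROP

    # Slide 24: the gateway itself ("! -s" is the modern spelling of "-s !")
    $IPTABLES -A OUTPUT -o $EXT_IF -s $PPPIP -j ACCEPT
    $IPTABLES -A INPUT ! -s $INT_NET -p tcp --dport 0:1023 -j DROP
    $IPTABLES -A INPUT -i $EXT_IF -d $PPPIP -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Slide 25: internal network, bound to the interface so a packet arriving
    # on ppp0 with a forged 10.128.x.x source does not match
    $IPTABLES -A INPUT -i $INT_IF -s $INT_NET -d $INT_NET -j ACCEPT
    $IPTABLES -A OUTPUT -o $INT_IF -s $INT_NET -d $INT_NET -j ACCEPT

    # Slide 26: forward only between the internal network and the link, and
    # only packets that really carry an internal source address
    $IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
    $IPTABLES -A FORWARD -j DROP

    # Slides 12 and 14: masquerade on the external interface only
    $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

    # Slide 27: finale
    $IPTABLES -A INPUT -j DROP
    $IPTABLES -A OUTPUT -j DROP
    $IPTABLES -A FORWARD -j DROP
    $IPTABLES -Z
}

# From ip-up.local:   PPPIP=$4 firewall_rules
# Dry run:            IPTABLES=echo PPPIP=203.0.113.7 firewall_rules
```

Forwarding itself still has to be enabled in the kernel (echo 1 > /proc/sys/net/ipv4/ip_forward), and the DNS DNAT rules of slide 17 must be re-added after this script runs, since it flushes the nat table.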

28. Summary

• It works really well
• It's not difficult to set up if you know what you're doing

29. References

• Linux IP Masquerade HOWTO (a version written in January 2003 is available)
• man iptables

Last modified on Thu May 17 17:30:00 2012.