IP Masquerading using iptables

1. Talk's outline
- iptables versus ipchains
- The goal (or: my goal)
- The packet's way through iptables
- Classic masquerading (SNAT)
- DNS faking (with DNAT)
- Other things
- Firewalling with iptables (if we have time)
- Questions I'll hopefully answer

Not covered: packet mangling (changing TOS, TTL and flags)
2. Differences between iptables and ipchains
- Same author (Rusty Russell), and basically smells the same
- Most important: FORWARD taken apart from INPUT and OUTPUT
- Changes in syntax
- Masquerading is handled separately

3. ipchains and iptables don't live together
- If the ipchains module is resident in the kernel, iptables won't insmod
- And vice versa
- Typical error message is misleading: "No kernel support"
- RedHat 7.3 boots up with ipchains as default
4. What I wanted in the first place

5. Requirements
- Windows computer should have a gateway
- DNS issue solved elegantly
- Both computers have access to the network at the same time
- Network between the computers is trustful
- Proper firewalling
- ADSL modem is considered hostile
6. iptables: The IP packet's flow

7. iptables: How to swallow this
- Packet filtering (firewalls) and manipulation (masquerading) are neighbours
- Therefore, the same tools are used
- Think routing tables
- Chains: think subroutines
- Each chain is terminated with a target, or the next line is taken
- Subchains work exactly like subroutines
- Tables: groups of chains: filter and nat
- Each chain has a policy, the default target

8. What is Masquerading?
- All computers appear to have the same IP
- This is done with Network Address Translation
- It's easy to fake the outgoing packet
- Incoming packets must be translated too
- Port translation is a must
9. iptables: The IP packet's flow

10. Source Network Address Translation (SNAT)
- On ADSL: catch packets going out on ppp0
- The source IP is changed
- Source port numbers may be changed
- Easiest rule: do SNAT on all packets going out on ppp0
- Will include OUTPUT packets by accident, but who cares?
- Remember: every SNAT produces an implicit DNAT
- And vice versa

11. Incoming packets
- The problem: where should the packet go?
- Simple TCP connection: iptables remembers the port numbers
- UDP: tricky
- DNS: return the answer to whoever asked
- ICMP: ping answers go the right way (!)
- FTP, ICQ and friends: require special treatment (they work for me as a basic client)
- When the other side opens a connection, that has to be treated specially
- iptables has application-based modules
12. Defining SNAT: iptables commands

The strict way:

    iptables -t nat -A POSTROUTING -o ppp0 -j SNAT \
        --to $PPPIP

The liberal way:

    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

- The liberal form is better for temporary connections:
- MASQUERADE automatically chooses the address
- MASQUERADE forgets old connections when the interface goes down
- For dialup, cable modems and ADSL: MASQUERADE wins
13. POSTROUTING is just another chain
- Selective rules can be used
- Different manipulations are possible
- Use -j ACCEPT to let the packet through untouched
14. The wrong way to masquerade

    iptables -t nat -A POSTROUTING -j MASQUERADE

This makes masquerading the default policy for any outgoing packet... including any forwarded packet. All forwarded packets will appear to come from the masquerading host.
- May confuse firewalls
- Even worse, may confuse service applications and compromise security
15. Masquerading and firewalling
- The internal computers are implicitly firewalled
- The main computer gets all the unrelated packets
- The main computer must be protected
- The main computer is protected with the INPUT and OUTPUT chains
- The other computers are protected with the FORWARD chain
- Note that FORWARD rules also apply to the intranet connection

16. DNS faking with DNAT
- The other computers have constant DNS addresses
- The address is translated with DNAT

    iptables -t nat -A PREROUTING -d 10.2.0.1 \
        -j DNAT --to-destination 192.115.106.31
    iptables -t nat -A PREROUTING -d 10.2.0.2 \
        -j DNAT --to-destination 192.115.106.35
17. Automatic DNS DNAT setup
- In an ADSL connection, the DNS addresses are given on connection
- An ip-up.local script writes these addresses in the resolv.conf file

    # Map 10.2.0.1, 10.2.0.2, ... to the nameservers found in
    # /etc/resolv.conf, skipping loopback (127.x) entries
    DNScount=1
    for nameserver in \
        `perl -nle "/nameserver\D*(\d*\.\d*\.\d*\.\d*)/i && \
        (\\$1 =~ /^127/ || print \\$1)" /etc/resolv.conf`;
    do
        iptables -t nat -A PREROUTING -d 10.2.0.$DNScount \
            -j DNAT --to-destination $nameserver
        let DNScount=DNScount+1
    done

The perl statement above extracts the two nameserver addresses from /etc/resolv.conf, skipping any 127.x.x.x entry.
18. The MTU on the Windows computer
- ADSL ppp connection has an MTU of 1452
- Normal Ethernet has an MTU of 1500
- The Windows computer doesn't know it goes through ADSL
- Fragmentation
- Fixed by adding an entry in the Windows registry

19. Other tricks
- Server on a masqueraded host (DNAT)
- Port remapping (redirection)
- Load balancing (one-to-many forward DNAT)
- Packet mangling

20. The filter chains
- INPUT, OUTPUT and FORWARD
- Targets: ACCEPT, DROP, REJECT or QUEUE
- A set of selective rules makes a firewall
21. Example: A firewall

Close everything and flush the chains:

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -F -t nat
    iptables -F -t filter
    iptables -X

22. Example: A firewall (cont.)

Allow everything on the loopback interface:

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

23. Example: A firewall (cont.)

Keep the ADSL modem on a short leash: only the PPTP control connection (TCP port 1723) and GRE are exchanged with 10.0.0.138:

    iptables -A INPUT -i eth1 -s 10.0.0.138/32 \
        -d 10.0.0.0/8 -p tcp \
        --sport 1723 -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth1 -s 10.0.0.138/32 \
        -d 10.0.0.0/8 -p gre -j ACCEPT
    iptables -A INPUT -i eth1 -j DROP
    iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \
        -d 10.0.0.138/32 -p tcp --dport 1723 \
        -j ACCEPT
    iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \
        -d 10.0.0.138/32 -p gre -j ACCEPT
    iptables -A OUTPUT -o eth1 -j DROP
24. Example: A firewall (cont.)

Linux computer with network rules:

    iptables -A OUTPUT -o ppp0 -s $PPPIP -j ACCEPT
    # "-s !" is the old inverted-match syntax; newer iptables
    # versions expect "! -s 10.128.0.0/16"
    iptables -A INPUT -s ! 10.128.0.0/16 -p tcp \
        --dport 0:1023 -j DROP
    iptables -A INPUT -i ppp0 -d $PPPIP -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
25. Example: A firewall (cont.)

Everything is allowed on the internal network:

    iptables -A INPUT -s 10.128.0.0/16 \
        -d 10.128.0.0/16 -j ACCEPT
    iptables -A OUTPUT -s 10.128.0.0/16 \
        -d 10.128.0.0/16 -j ACCEPT

26. Example: A firewall (cont.)

Forwarding...

    iptables -A FORWARD -i ppp0 -o eth0 -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
    iptables -A FORWARD -j DROP

Note that there is no forwarding in the internal network.

27. iptables script finale
- Make sure that the main chains end with DROP
- Zero the counters

    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP
    iptables -A FORWARD -j DROP
    iptables -Z
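The masquerading rule from slides 12 and 14, the forwarding rules from slide 26 and the automatic DNS DNAT from slide 17, collected into one script as an added example (this is not the talk's own script). It prints the rules instead of installing them unless IPT is set to iptables; WAN_IF, LAN_IF and LAN_NET are names assumed here (their defaults are the talk's interfaces and network), the forwarding rule additionally restricts outgoing forwards to the LAN source network, and check_masq_scope flags the slide 14 mistake of a MASQUERADE rule with no outgoing-interface match.

```shell
#!/bin/sh
# Added example, not from the original talk. IPT defaults to "echo iptables"
# so the rules are printed for review; run as root with IPT=iptables to
# apply them. WAN_IF, LAN_IF and LAN_NET are assumed names; the defaults
# are the interfaces and network used in the talk.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.128.0.0/16}"

# The right way: MASQUERADE only on the WAN interface. Without "-o $WAN_IF"
# every forwarded packet, including those bound for the LAN, is rewritten.
masq_rules() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Forwarding: the LAN may open connections outward; from the WAN side only
# replies to those connections get through. Everything else is dropped.
forward_rules() {
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -j DROP
}

# DNS faking: map 10.2.0.1, 10.2.0.2, ... to the nameservers in a
# resolv.conf, skipping 127.x (loopback) entries like the talk's perl
# one-liner. Meant for ip-up.local; if rerun on reconnect, flush the
# stale PREROUTING rules first or they accumulate.
dns_dnat_rules() {
    resolv="${1:-/etc/resolv.conf}"
    count=1
    for ns in $(awk '$1 == "nameserver" && $2 !~ /^127\./ { print $2 }' "$resolv"); do
        $IPT -t nat -A PREROUTING -d "10.2.0.$count" \
            -j DNAT --to-destination "$ns"
        count=$((count + 1))
    done
}

# Check a rule set read from stdin: a POSTROUTING MASQUERADE rule with no
# "-o" interface match is the "wrong way" from slide 14. Returns 1 if found.
check_masq_scope() {
    ! grep POSTROUTING | grep MASQUERADE | grep -qv -- '-o '
}

masq_rules
forward_rules
if [ -r /etc/resolv.conf ]; then dns_dnat_rules; fi
```

Pipe the printed rules through check_masq_scope (for example `sh nat.sh | sh -c '. ./nat.sh; check_masq_scope'` is not needed; simply `masq_rules | check_masq_scope` inside the script) before switching IPT to the real iptables.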
28. Summary
- It works really well
- It's not difficult to set up if you know what you're doing

29. References
- Linux IP Masquerade HOWTO (a version written in Jan 2003 is available)
- man iptables

Last modified on Thu May 17 17:30:00 2012. Email: [email protected]