DNAT rule requires extra firewall pinhole
2007-05-25 17:17:27
I've set up DNAT on the gateway such that external clients connecting to TCP port $SCADA_PORT on the gateway are actually connected to the node $MCB_IP on a private network.  Here's my rule:

 $IPTABLES -t nat -A PREROUTING -p tcp -d $DAS_SCADA_IP --dport $SCADA_PORT -i $DAS_SCADA_IF -j DNAT --to $MCB_IP:$SCADA_PORT

The gateway knows how to forward packets between the internal and external interfaces.  The above rule works fine.

I've added a firewall rule to block external requests to forward through the gateway:

$IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF --syn -j DROP

The trouble is, I just found out that the above firewall rule is not compatible with my DNAT rule.  That is, DNAT rewrites the destination IP [as it should] to the $MCB_IP, then forwards the packet, which then encounters the new firewall rule, and is dropped.

So I preceded the above firewall rule with another rule:
$IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF -s $SCADANET -d $MCB_IP --dport $SCADA_PORT -j ACCEPT

which enables the DNAT to work again.  However, a side effect is that now external nodes on $SCADANET can forward port=$SCADA_PORT to IP=$MCB_IP directly through the firewall.  Granted this is a small pinhole, but I'd like to plug it if possible.  I would think that it should be possible to prevent all external nodes from forwarding through the firewall, and to prevent external hosts from directly "seeing" an internal node on the private net.

Any suggestions?

	TIA,
	Jeff


Re: DNAT rule requires extra firewall pinhole
Germany
2007-05-26 08:44:04
On May 25 2007 17:17, Jeff Weber wrote:
>
>I've added a firewall rule to block external requests to forward through the gateway:
>
>$IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF --syn -j DROP

Well that sounds a little broken, because the first packet of a TCP connection _is_ SYN.

So you might want

 -p tcp ! -d destaddr ! --dport destport --syn -j DROP
here...

Alternatively ...

 -p tcp --syn -m conntrack --ctstate DNAT -j ACCEPT
 -p tcp --syn -j DROP


	Jan
-- 


Re: DNAT rule requires extra firewall pinhole
France
2007-05-26 09:52:31
Hello,

Jeff Weber wrote:
> I've setup DNAT on gateway such that external clients connecting to TCP port $SCADA_PORT on the gateway are actually connected to the node $MCB_IP on a private network.  Here's my rule:
> 
>  $IPTABLES -t nat -A PREROUTING -p tcp -d $DAS_SCADA_IP --dport $SCADA_PORT -i $DAS_SCADA_IF -j DNAT --to $MCB_IP:$SCADA_PORT
> 
> I've added a firewall rule to block external requests to forward through the gateway:
> 
> $IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF --syn -j DROP
> 
> The trouble is, I just found out that the above firewall rule is not compatible with my DNAT rule.

Indeed. The TCP SYN packet arrives on $DAS_SCADA_IF, so it matches the rule.

> That is, DNAT rewrites the destination IP [as it should] to the $MCB_IP, then forwards the packet, which then encounters the new firewall rule, and is dropped.

Actually DNAT only rewrites the destination and does nothing more. It is the routing decision which forwards the packet.

> So I preceded the above firewall rule with another rule:
> $IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF -s $SCADANET -d $MCB_IP --dport $SCADA_PORT -j ACCEPT
> 
> which enables the DNAT to work again.  However, a side effect is that now external nodes on $SCADANET can forward port=$SCADA_PORT to IP=$MCB_IP directly through the firewall.

Yes, this is a known side effect. Like you I used to worry about it but not any more now, considering that accesses via either the internal or the external address have exactly the same effects. Besides, one has to know about the internal address in order to use it, so why hide it?

> Granted this is a small pinhole, but I'd like to plug it if possible.  I would think that it should be possible to prevent all external nodes from forwarding through the firewall, and to prevent external hosts from directly "seeing" an internal node on the private net.

I can think of the following options:

- Drop packets which match "-d $MCB_IP" in the mangle/PREROUTING chain. The mangle table is not the preferred way for filtering (you cannot use REJECT there) but it works. Do not use the nat table for filtering.

- MARK packets which match "-p tcp -d $DAS_SCADA_IP --dport $SCADA_PORT" in the mangle/PREROUTING, then DNAT the marked packet in the nat/PREROUTING chain and ACCEPT them in the filter/FORWARD table before the DROP rule. Or MARK the packets which do not match, don't DNAT them and DROP/REJECT them.

- In the filter/FORWARD chain, ACCEPT only packets matching "-m conntrack --ctstate DNAT --ctorigdst $DAS_SCADA_IP", that is with the external original destination address.
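
The following script is an added example, not something posted in this thread. It puts together the conntrack-based approach suggested in the two replies above (Jan's "--ctstate DNAT" ACCEPT before the SYN DROP, and the third option here, which also checks "--ctorigdst"), using the same variable names as Jeff's rules. Interface name, addresses and port are constructed placeholders. By default it only prints the iptables commands it would run; set IPTABLES=iptables in the environment to apply them.

```shell
#!/bin/sh
# Added example (not from the thread). Dry-run by default: each rule is echoed
# rather than loaded, so the script is safe to run anywhere.
IPTABLES="${IPTABLES:-echo iptables}"        # set IPTABLES=iptables to apply for real
DAS_SCADA_IF="${DAS_SCADA_IF:-eth0}"        # external interface (constructed)
DAS_SCADA_IP="${DAS_SCADA_IP:-203.0.113.10}" # gateway's external address (constructed)
MCB_IP="${MCB_IP:-192.168.10.20}"            # node on the private network (constructed)
SCADA_PORT="${SCADA_PORT:-20000}"            # forwarded TCP port (constructed)

emit_rules() {
    # 1. nat/PREROUTING: rewrite the destination of connections that arrive on the
    #    external interface for the gateway's own address and the forwarded port.
    #    --to-destination is the long form of the --to used in the thread.
    $IPTABLES -t nat -A PREROUTING -p tcp -i "$DAS_SCADA_IF" -d "$DAS_SCADA_IP" \
        --dport "$SCADA_PORT" -j DNAT --to-destination "$MCB_IP:$SCADA_PORT"

    # 2. filter/FORWARD: accept a new connection from outside only when conntrack
    #    recorded a destination rewrite (ctstate DNAT) AND the destination the
    #    client actually used was the gateway's external address (ctorigdst).
    #    A SYN sent straight to $MCB_IP has no DNAT state, so it does not match
    #    here and falls through to rule 3. This is what closes Jeff's pinhole
    #    without the "-d $MCB_IP ... -j ACCEPT" rule.
    $IPTABLES -A FORWARD -p tcp -i "$DAS_SCADA_IF" --syn \
        -m conntrack --ctstate DNAT --ctorigdst "$DAS_SCADA_IP" -j ACCEPT

    # 3. filter/FORWARD: every other attempt from outside to open a forwarded
    #    TCP connection is dropped (Jeff's original rule, now ordered last).
    $IPTABLES -A FORWARD -p tcp -i "$DAS_SCADA_IF" --syn -j DROP
}

emit_rules
```

Rule order is the whole point: the conntrack ACCEPT must be appended before the SYN DROP, and both belong in the filter table rather than nat or mangle. As in the thread, the DROP rule matches only SYN segments, so the rest of each accepted connection relies on the FORWARD chain's default policy; a chain with a DROP policy would additionally need an "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" rule, which is outside what the thread shows.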

