IP Masquerading using iptables
Eli Billauer
IP Masquerading using iptables – p.1
Talk’s outline
iptables versus ipchains
The goal (or: my goal)
The packet’s way through iptables
“Classic” masquerading (SNAT)
DNS faking (with DNAT)
Other things
Firewalling with iptables (If we have time)
Questions I’ll hopefully answer
Not covered: packet mangling (change TOS, TTL and flags)
Differences between iptables and ipchains
Same author (Rusty Russell), and basically smells the same
Most important: FORWARD taken apart from INPUT and OUTPUT
Changes in syntax
Masquerading is handled “separately”
ipchains and iptables don’t live together
If the ipchains module is resident in the kernel, iptables won’t insmod
And vice versa
Typical error message is misleading: “No kernel support”
Red Hat 7.3 boots up with ipchains as default
What I wanted in the first place
[Network diagram: a Windows 2000 computer and the Linux computer share the internal Ethernet on eth0 (addresses 10.128.200.1 and 10.128.200.2); the Linux computer’s eth1 (10.0.0.1) faces the ADSL modem at 10.0.0.138; the PPP link ppp0 carries the public addresses 81.218.94.210 and 81.218.94.1.]
Requirements
Windows computer should have a gateway
DNS issue solved elegantly
Both computers have access to network at the same time
Network between computers is trusted
Proper firewalling
ADSL modem is considered hostile
iptables: The IP packet’s flow
[Diagram: the packet’s flow through iptables. A packet arriving from the network passes PREROUTING (nat), then the routing decision; a packet for another host goes through FORWARD (filter) and POSTROUTING (nat) back out to the network, while a packet for this host goes through INPUT (filter) into the host’s IP stack (TCP, UDP, ICMP, ...). Locally generated packets pass OUTPUT (filter, nat) and then POSTROUTING (nat). A chain lets a packet continue by reaching ACCEPT.]
iptables: How to swallow this
Packet filtering (firewalls) and manipulation (masquerading) are neighbours
Therefore, the same tools are used
Think routing tables
Chains: Think subroutines
Each rule either ends processing with a target, or the next rule is taken
Subchains work exactly like subroutines
Tables: groups of chains (filter and nat)
Each chain has a policy – the default target
What is Masquerading?
All computers appear to have the same IP
This is done with Network Address Translation
It’s easy to fake the “outgoing packet”
“Incoming packets” must be translated too
Port translation – a must
iptables: The IP packet’s flow
[Diagram: the same packet flow with the NAT roles marked. PREROUTING does DNAT, POSTROUTING does SNAT, and OUTPUT (filter, DNAT) handles locally generated packets; FORWARD and INPUT remain filter-only, each letting a packet continue by reaching ACCEPT.]
Source Network Address Translation (SNAT)
On ADSL: catch packets going out on ppp0
The source IP is changed
Source port numbers may be changed
Easiest rule: Do SNAT on all packets going out on ppp0
Will include OUTPUT packets by accident, but who cares?
Remember: Every SNAT produces an implicit DNAT
And vice versa
“Incoming” packets
The problem: Where should the packet go?
Simple TCP connection: iptables remembers the port numbers
UDP: Tricky
DNS: Return the answer to whoever asked
ICMP: Ping answers go the right way (!)
FTP, ICQ and friends: require special treatment (they work for me as a basic client)
When the other side opens a connection, that has to be treated specially
iptables has application-based modules
Defining SNAT iptables commands
The strict way:
    iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to $PPPIP
The liberal way:
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
The “liberal” form is better for temporary connections:
MASQUERADE automatically chooses address
MASQUERADE forgets old connections when the interface goes down
For dial-up, cable modems and ADSL: MASQUERADE wins
POSTROUTING is just another chain
Selective rules can be used
Different manipulations are possible
Use -j ACCEPT to let the packet through untouched
The wrong way to masquerade
    iptables -t nat -A POSTROUTING -j MASQUERADE
This makes masquerading the default policy for any outgoing packet
... including any forwarded packet.
All forwarded packets will appear to come from the masquerading host.
May confuse firewalls
Even worse, may confuse service applications and so compromise security
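A check for exactly this mistake, added here and not part of the talk: it reads an iptables-save style dump of the nat table and flags every POSTROUTING MASQUERADE or SNAT rule that is not bound to an outgoing interface with -o. The dump in the script is constructed for the example; in practice feed it the output of iptables-save.

```shell
#!/bin/sh
# Added example (not from the talk): audit a nat-table dump for
# POSTROUTING MASQUERADE/SNAT rules that lack an "-o <iface>" match.
# Such a rule rewrites every forwarded packet, intranet traffic included,
# so all internal hosts appear to be the masquerading host.
# Argument: a file in iptables-save format. Prints each offending rule
# and returns 1 if any were found, 0 if all NAT rules are interface-bound.
unbound_nat_rules() {
    awk '
        # Consider only POSTROUTING rules whose target rewrites the source
        !/^-A POSTROUTING / || !/ -j (MASQUERADE|SNAT)/ { next }
        # A negated match ("! -o x") still applies to every other interface
        / ! -o / || !/ -o [^ ]+/ { print; bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Constructed iptables-save output: one MASQUERADE correctly limited to
# ppp0, one "wrong way" MASQUERADE with no -o, and one SNAT bound to ppp0.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 10.2.0.1/32 -j DNAT --to-destination 192.115.106.31
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o ppp0 -j SNAT --to-source 81.218.94.210
COMMIT
EOF

if unbound_nat_rules "$SAMPLE"; then
    echo "nat POSTROUTING: every NAT rule is bound to an outgoing interface"
else
    echo "nat POSTROUTING: the rule(s) above need an -o <interface> match" >&2
fi
rm -f "$SAMPLE"
```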
Masquerading and firewalling
The internal computers are implicitly firewalled
The main computer gets all the unrelated packets
Main computer must be protected
Main computer protected with INPUT and OUTPUT chains
Other computers protected with FORWARD chains
Note that FORWARD chains also apply to the intranet connection
DNS faking with DNAT
The other computers have constant DNS addresses
The address is translated with DNAT
    iptables -t nat -A PREROUTING -d 10.2.0.1 \
        -j DNAT --to-destination 192.115.106.31
    iptables -t nat -A PREROUTING -d 10.2.0.2 \
        -j DNAT --to-destination 192.115.106.35
Automatic DNS DNAT setup
In an ADSL connection, the DNS addresses are given on connection
An ip-up.local script writes these addresses into the resolv.conf file
    DNScount=1
    for nameserver in \
      `perl -nle "/nameserver\D*(\d*\.\d*\.\d*\.\d*)/i && \
      (\\$1=~/^127/ || print \\$1)" /etc/resolv.conf`;
    do iptables -t nat -A PREROUTING -d 10.2.0.$DNScount \
         -j DNAT --to-destination $nameserver
       let DNScount=DNScount+1;
    done;
The perl statement above extracts the two addresses (skipping any 127.x loopback resolver)
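The same resolv.conf to DNAT mapping written in plain POSIX shell, as an added example rather than the author’s ip-up.local script: it skips 127.x resolvers exactly as the perl one-liner does and emits one PREROUTING DNAT rule per nameserver on 10.2.0.$n. IPTABLES defaults to a dry-run “echo iptables” so it can be run without root; the resolv.conf it reads is constructed inline.

```shell
#!/bin/sh
# Added example: generate the DNS DNAT rules from a resolv.conf file.
# Not the author's script; it mirrors the perl one-liner's behaviour:
# every "nameserver a.b.c.d" line except 127.x resolvers becomes
#   iptables -t nat -A PREROUTING -d 10.2.0.$n -j DNAT --to-destination a.b.c.d
# IPTABLES defaults to a dry run ("echo iptables"); set IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"

# Print the upstream nameservers from a resolv.conf, one per line,
# skipping loopback (127.x) entries: DNAT to those would point the
# internal hosts at the masquerading host's own resolver, not upstream.
dns_servers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ { print $2 }' "$1"
}

# Emit one DNAT rule per nameserver: the constant address 10.2.0.$n that
# the internal computers are configured with is rewritten to the real one.
dns_dnat_rules() {
    n=1
    for ns in $(dns_servers "$1"); do
        $IPTABLES -t nat -A PREROUTING -d 10.2.0.$n -j DNAT --to-destination "$ns"
        n=$((n + 1))
    done
}

# Constructed sample resolv.conf as ip-up might have written it;
# 127.0.0.1 stands for a local caching resolver and must be skipped.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
search example.invalid
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 198.51.100.53
EOF

dns_dnat_rules "$SAMPLE"
rm -f "$SAMPLE"
```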
The MTU on the Windows computer
ADSL ppp connection has MTU of 1452
Normal Ethernet has MTU 1500
Windows computer doesn’t know it goes through ADSL
Fragmentation
Fixed by adding an entry in the Windows registry
Other tricks
Server on masqueraded host (DNAT)
Port remapping (redirection)
Load balancing (One-to-many forward DNAT)
Packet mangling
The filter chains
INPUT, OUTPUT and FORWARD
Targets with ACCEPT, DROP, REJECT or QUEUE
A set of selective rules makes a firewall
Example: A firewall
Close everything and flush chains
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -F -t nat
    iptables -F -t filter
    iptables -X
Example: A firewall (cont.)
Allow everything on the loopback interface
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
Example: A firewall (cont.)
Keep the ADSL modem short
    iptables -A INPUT -i eth1 -s 10.0.0.138/32 \
        -d 10.0.0.0/8 -p tcp \
        --sport 1723 -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth1 -s 10.0.0.138/32 \
        -d 10.0.0.0/8 -p gre -j ACCEPT
    iptables -A INPUT -i eth1 -j DROP
    iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \
        -d 10.0.0.138/32 -p tcp --dport 1723 \
        -j ACCEPT
    iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \
        -d 10.0.0.138/32 -p gre -j ACCEPT
    iptables -A OUTPUT -o eth1 -j DROP
Example: A firewall (cont.)
Linux computer with network rules:
    iptables -A OUTPUT -o ppp0 -s $PPPIP -j ACCEPT
    iptables -A INPUT -s ! 10.128.0.0/16 -p tcp \
        --dport 0:1023 -j DROP
    iptables -A INPUT -i ppp0 -d $PPPIP -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
Example: A firewall (cont.)
Everything is allowed on the internal network
    iptables -A INPUT -s 10.128.0.0/16 \
        -d 10.128.0.0/16 -j ACCEPT
    iptables -A OUTPUT -s 10.128.0.0/16 \
        -d 10.128.0.0/16 -j ACCEPT
Example: A firewall (cont.)
Forwarding:
    iptables -A FORWARD -i ppp0 -o eth0 -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
    iptables -A FORWARD -j DROP
Note that there is no forwarding within the internal network
iptables script finale
Make sure that the main chains end with DROP
Zero counters
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP
    iptables -A FORWARD -j DROP
    iptables -Z
Summary
It works really well
It’s not difficult to set up if you know what you’re doing
References
Linux IP Masquerade HOWTO (a version written in Jan 2003 is available)
man iptables
The End
Questions?
Slides were made with LaTeX, using the prosper document class