IP Masquerading using iptables

1 Talk’s outline

  • iptables versus ipchains
  • The goal (or: my goal)
  • The packet’s way through iptables
  • “Classic” masquerading (SNAT)
  • DNS faking (with DNAT)
  • Other things
  • Firewalling with iptables (If we have time)
  • Questions I’ll hopefully answer

Not covered: packet mangling (change TOS, TTL and flags)

2 Differences between iptables and ipchains

  • Same author (Rusty Russell), and basically smells the same
  • Most important: FORWARD taken apart from INPUT and OUTPUT
  • Changes in syntax
  • Masqurading is handled “separately”

3 ipchains and iptables don’t live together

  • If the ipchains module is resident in the kernel, iptables won’t insmod
  • And vice versa
  • Typical error message is misleading: “No kernel support”
  • Red Hat 7.3 boots up with ipchains as default

4 What I wanted in the first place

PIC

5 Requirements

  • Windows computer should have a gateway
  • DNS issue solved elegantly
  • Both computers have access to network at the same time
  • Network between computers is trustful
  • Proper firewalling
  • ADSL modem is considered hostile

6 iptables: The IP packet’s flow

PIC

7 iptables: How to swallow this

  • Packet filtering (firewalls) and manipulation (masquerading) are neighbours
  • Therefore, the same tools are used
  • Think routing tables
  • Chains: Think subroutines
  • Each chain is terminated with a target, or next line taken
  • Subchains work exactly like subroutines
  • Tables: Group of chains: filter and nat
  • Each chain has a policy - the default target

8 What is Masquerading?

  • All computers appear to have the same IP
  • This is done with Network Adress Translation
  • It’s easy to fake the “outgoing packet”
  • “Incoming packets” must be translated too
  • Port translation - a must

9 iptables: The IP packet’s flow

PIC

10 Source Network Address Translation (SNAT)

  • On ADSL: catch packets going out on ppp0
  • The source IP is changed
  • Source port numbers may be changed
  • Easiest rule: Do SNAT on all packets going out on ppp0
  • Will include OUTPUT packets by accident, but who cares?
  • Remember: Every SNAT produces an implicit DNAT
  • And vice versa

11 “Incoming” packets

  • The problem: Where should the packet go?
  • Simple TCP connection: iptables remembers the port numbers
  • UDP: Tricky
  • DNS: Return the answer to whoever asked
  • ICMP: Ping answers go the right way (!)
  • FTP, ICQ and friends: Requires special treatment (they work for me as a basic client)
  • When the other side opens a connection, that has to be treated specially
  • iptables has application-based modules

12 Defining SNAT iptables commands

The strict way:

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT \  
                               --to $PPPIP
The liberal way:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  • The “liberal” form is better for temporary connections:
  • MASQUERADE automatically chooses address
  • MASQUERADE forgets old connections when interface goes down
  • For dial-up, cable modems and ADSL: MASQUERADE wins

13 POSTROUTE is just another chain

  • Selective rules can be used
  • Different manipulations are possible
  • Use -j ACCEPT to let the packet through untouched

14 The wrong way to masquerade

iptables -t nat -A POSTROUTING -j MASQUERADE
  • This makes masquerading the default policy for any outgoing packet
  • ... including any forwarded packet.
  • All forwarded packets will appear to come from the masquerading host.
  • May confuse firewalls
  • Even worse, may confuse service applications to compromise security

15 Masquerading and firewalling

  • The internal computers are implicitly firewalled
  • The main computer gets all the unrelated packets
  • Main computer must be protected
  • Main computer protected with INPUT and OUTPUT chains
  • Other computers protected with FORWARD chains
  • Note that FORWARD chains also apply to the intranet connection

16 DNS faking with DNAT

  • The other computers have constant DNS addresses
  • The address is translated with DNAT

iptables -t nat -A PREROUTING -d 10.2.0.1 \  
     -j DNAT --to-destination 192.115.106.31  
iptables -t nat -A PREROUTING -d 10.2.0.2 \  
     -j DNAT --to-destination 192.115.106.35

17 Automatic DNS DNAT setup

  • In an ADSL connection, the DNS addresses are given on connection
  • An ip-up.local script writes these addresses in the resolv.conf file

DNScount=1  
for nameserver in \  
 `perl -nle "/nameserver\D*(\d*\.\d*\.\d*\.\d*)/i && \  
     (\\$1=~/^127/ || print \\$1)" /etc/resolv.conf`;  
do iptables -t nat -A PREROUTING -d 10.2.0.$DNScount \  
            -j DNAT --to-destination $nameserver  
  let DNScount=DNScount+1;  
done;
  • The perl statement above extracts the two addresses

18 The MTU on the Windows computer

  • ADSL ppp connection has MTU of 1452
  • Normal Ethernet has MTU 1500
  • Windows computer doesn’t know it goes through ADSL
  • Fragmentation
  • Fixed by adding an entry in Window’s registry

19 Other tricks

  • Server on masqueraded host (DNAT)
  • Port remapping (redirection)
  • Load balancing (One-to-many forward DNAT)
  • Packet mangling

20 The filter chains

  • INPUT, OUTPUT and FORWARD
  • Targets with ACCEPT, DROP, REJECT or QUEUE
  • A set of selective rules makes a firewall

21 Example: A firewall

Close everything and flush chains

iptables -P INPUT DROP  
iptables -P OUTPUT DROP  
iptables -P FORWARD DROP  
iptables -F -t nat  
iptables -F -t filter  
iptables -X

22 Example: A firewall (cont.)

Allow everything on loopback interface

iptables -A INPUT -i lo -j ACCEPT  
iptables -A OUTPUT -o lo -j ACCEPT

23 Example: A firewall (cont.)

Keep ADSL modem short

iptables -A INPUT -i eth1 -s 10.0.0.138/32 \  
          -d 10.0.0.0/8 -p tcp \  
          --sport 1723 -m state \  
          --state ESTABLISHED,RELATED -j ACCEPT  
iptables -A INPUT -i eth1 -s 10.0.0.138/32 \  
           -d 10.0.0.0/8 -p gre -j ACCEPT  
iptables -A INPUT -i eth1 -j DROP  
iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \  
          -d 10.0.0.138/32 -p tcp --dport 1723 \  
          -j ACCEPT  
iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \  
          -d 10.0.0.138/32 -p gre -j ACCEPT  
iptables -A OUTPUT -o eth1 -j DROP

24 Example: A firewall (cont.)

Linux computer with network rules:

iptables -A OUTPUT -o ppp0 -s $PPPIP -j ACCEPT  
iptables -A INPUT -s ! 10.128.0.0/16 -p tcp \  
          --dport 0:1023 -j DROP  
iptables -A INPUT -i ppp0 -d $PPPIP -m state \  
          --state ESTABLISHED,RELATED -j ACCEPT

25 Example: A firewall (cont.)

Everything is allowed on internal network

iptables -A INPUT -s 10.128.0.0/16 \  
          -d 10.128.0.0/16 -j ACCEPT  
iptables -A OUTPUT -s 10.128.0.0/16 \  
          -d 10.128.0.0/16 -j ACCEPT

26 Example: A firewall (cont.)

Forwarding....

iptables -A FORWARD -i ppp0 -o eth0 -m state \  
          --state ESTABLISHED,RELATED -j ACCEPT  
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT  
iptables -A FORWARD -j DROP

Note that there is no forwarding in internal network

27 iptables script finale

  • Make sure that the main chains end with DROP
  • Zero counters

iptables -A INPUT -j DROP  
iptables -A OUTPUT -j DROP  
iptables -A FORWARD -j DROP  
iptables -Z

28 Summary

  • It works really well
  • It’s not difficult to set up if you know what you’re doing

29 References

  • Linux IP Masquerade HOWTO (a version written in Jan 2003 is available)
  • man iptables

Last modified on Thu May 17 17:30:00 2012. E-mail: