* Purely NAT
From: Jet (jchan@trusecure.com) @ 2002-10-28  5:32 UTC (permalink / raw)
  To: netfilter@lists

Hi all,

This is my first post to the list, so please bear with me.
I have a requirement here. Is it possible to create purely NAT iptables
rules for certain IP addresses?

What I mean here is I want to enable stateful filtering for most of the
users except a certain IP address/subnet. Stateful filtering is good
sometimes, but not all the time, when you really want to do portscanning
activities from a machine that sits behind the firewall.

Any ideas?

.//Jet




* Re: Purely NAT
From: Antony Stone @ 2002-10-28 14:44 UTC (permalink / raw)
  To: netfilter@lists

On Monday 28 October 2002 5:32 am, yenjet.chan@eglobal.com.my wrote:

> Hi all,
>
> This is my first post to the list, so please bear with me.
> I have a requirement here. Is it possible to create purely NAT
> iptables rules for certain IP addresses?

No.   You can turn off stateful inspection by not loading or compiling the 
connection tracking support, but you cannot use it for some addresses but not 
others.

> What I mean here is I want to enable stateful filtering for most of the
> users except a certain IP address/subnet. Stateful filtering is
> good sometimes, but not all the time, when you really want to do portscanning
> activities from a machine that sits behind the firewall.

How much memory is in the netfilter machine / what size is your conntrack 
table / how many connections are you generating with your portscans for this 
to be a problem ?

Maybe it would help if you compile conntrack as a module and then you can 
unload it when you want to empty the connection tracking table ?   (This will 
unload *all* the entries at the same time, though).

Antony.

-- 

The first ninety percent of an engineering project takes ninety percent
of the time, and the last ten percent takes the remaining ninety percent.



* Re: Purely NAT
From: Anthony Liu @ 2002-10-28 18:37 UTC (permalink / raw)
  To: Antony Stone; +Cc: Netfilter Mailing List

On Mon, 28 Oct 2002 14:44:43 +0000 Antony Stone <Antony@Soft-Solutions.co.uk> wrote:

> On Monday 28 October 2002 5:32 am, yenjet.chan@eglobal.com.my wrote:
> 
> > Hi all,
> >
> > This is my first post to the list, so please bear with me.
> > I have a requirement here. Is it possible to create purely NAT
> > iptables rules for certain IP addresses?
> 
> No.   You can turn off stateful inspection by not loading or compiling the 
> connection tracking support, but you cannot use it for some addresses but not 
> others.

Are you sure? By not using "-m state" it might actually work. How about:
iptables -A FORWARD -o ppp0 -s aaa.bbb.ccc.eee -j ACCEPT
iptables -A FORWARD -o ppp0 -s aaa.bbb.ccc.ddd -m state --state ! INVALID -j ACCEPT




* Re: Purely NAT
From: Antony Stone @ 2002-10-28 18:43 UTC (permalink / raw)
  To: Netfilter Mailing List

On Monday 28 October 2002 6:37 pm, Anthony Liu wrote:

> On Mon, 28 Oct 2002 14:44:43 +0000 Antony Stone 
<Antony@Soft-Solutions.co.uk> wrote:
> > On Monday 28 October 2002 5:32 am, yenjet.chan@eglobal.com.my wrote:
> > > Hi all,
> > >
> > > This is my first post to the list, so please bear with me.
> > > I have a requirement here. Is it possible to create purely NAT
> > > iptables rules for certain IP addresses?
> >
> > No.   You can turn off stateful inspection by not loading or compiling
> > the connection tracking support, but you cannot use it for some addresses
> > but not others.
>
> Are you sure? By not using "-m state" it might actually work. How about:
> iptables -A FORWARD -o ppp0 -s aaa.bbb.ccc.eee -j ACCEPT
> iptables -A FORWARD -o ppp0 -s aaa.bbb.ccc.ddd -m state --state ! INVALID
> -j ACCEPT

This will allow you to create rules which do not refer to stateful 
inspection, agreed, but it doesn't stop netfilter from maintaining the 
connection tracking table for those connections.

Since the original poster wanted to increase the efficiency of netfilter by 
avoiding the overhead of maintaining the connection tracking table, simply 
writing rules which do not use -m state doesn't help.

Antony.

-- 

The difference between theory and practice is that
in theory there is no difference, whereas in practice there is.



* Re: Purely NAT
From: Jet (jchan@trusecure.com) @ 2002-10-29  2:18 UTC (permalink / raw)
  To: Antony Stone, netfilter@lists

> How much memory is in the netfilter machine / what size is your conntrack
> table / how many connections are you generating with your portscans for this
> to be a problem ?

This is not a matter of the number of connections generated by the
portscanner, but of the type of scanning option.
If you turn on stateful filtering and you try to scan a class B (or
multiple class C) address range using "nmap -sS", then you are in trouble.

According to the iptables source code, you will have to wait five days for
the timeout.

FYI, my machine has 64MB and I know it defaults to 4K connections. I tried
to increase it to 64K, and I got other processes being killed (the OOM bug);
sometimes the machine hangs.
This is kernel 2.4.18.

Even if I put in more RAM, let's say 512MB/1GB, the maximum size of the
connection table is only 64K. (Correct me if I'm wrong.)
My point here is that any iptables box with a 64K limitation on the connection
table can be easily DoSed by a scan (using either "nmap -sS" or "nmap -sA").



.//Jet





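The exhaustion problem Jet describes is easiest to reason about with the table in front of you. The following is an added example, not code from the thread: a small POSIX shell script that summarises a Linux 2.4 /proc/net/ip_conntrack dump, reporting how full the table is against ip_conntrack_max and which originating host owns the most half-open ([UNREPLIED]) entries, the footprint a SYN scan leaves while the 2-minute SYN_SENT timers run down. The five conntrack lines embedded in the script are constructed for the example; the 4096 limit is the default Jet reports. Run `report /proc/net/ip_conntrack 4096` on the firewall to use it for real.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a Linux 2.4 /proc/net/ip_conntrack
# dump to see how full the table is and which internal host is filling it with
# half-open (UNREPLIED) entries, the pattern an "nmap -sS" sweep leaves behind.
# The five entries below are constructed for this example; on a firewall feed
# the real file instead:  report /proc/net/ip_conntrack 4096

CONNTRACK_SAMPLE='tcp      6 119 SYN_SENT src=192.168.1.50 dst=203.0.113.7 sport=40001 dport=22 [UNREPLIED] src=203.0.113.7 dst=192.168.1.50 sport=22 dport=40001 use=1
tcp      6 118 SYN_SENT src=192.168.1.50 dst=203.0.113.7 sport=40002 dport=23 [UNREPLIED] src=203.0.113.7 dst=192.168.1.50 sport=23 dport=40002 use=1
tcp      6 117 SYN_SENT src=192.168.1.50 dst=203.0.113.8 sport=40003 dport=80 [UNREPLIED] src=203.0.113.8 dst=192.168.1.50 sport=80 dport=40003 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.9 sport=3345 dport=80 src=203.0.113.9 dst=192.168.1.20 sport=80 dport=3345 [ASSURED] use=1
udp      17 29 src=192.168.1.20 dst=203.0.113.53 sport=1025 dport=53 src=203.0.113.53 dst=192.168.1.20 sport=53 dport=1025 use=1'

# Number of conntrack entries on stdin (one entry per line).
count_entries() {
    awk 'END { print NR }'
}

# Half-open entries per originating host, as "count src", busiest first.
# Only the first src= field is the originator; the second one is the reply tuple.
unreplied_by_src() {
    awk '/\[UNREPLIED\]/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^src=/) { sub(/^src=/, "", $i); c[$i]++; break }
    }
    END { for (s in c) print c[s], s }' | sort -rn
}

# Address of the host holding the most half-open entries (empty if none).
top_unreplied_src() {
    unreplied_by_src | awk 'NR == 1 { print $2 }'
}

# Integer percentage of the table in use, given entry count and table limit
# (ip_conntrack_max; 4096 is the default size the original poster reports).
usage_pct() {
    awk -v n="$1" -v max="$2" 'BEGIN { printf "%d\n", (n * 100) / max }'
}

# Full report for a conntrack dump file and a table limit.
report() {
    file=$1; max=${2:-4096}
    n=$(count_entries < "$file")
    echo "entries: $n / $max ($(usage_pct "$n" "$max")% of table)"
    echo "half-open entries by originating host:"
    unreplied_by_src < "$file" | sed 's/^/  /'
}

# Demo on the constructed sample.
tmp=$(mktemp); printf '%s\n' "$CONNTRACK_SAMPLE" > "$tmp"
report "$tmp" 4096
rm -f "$tmp"
```

The per-host breakdown is what tells you whether the table is being filled by one scanner (the case in this thread) or by legitimate load, which decides between exempting a host and simply raising ip_conntrack_max.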

* Re: Purely NAT
From: Alexey Talikov @ 2002-10-29  4:43 UTC (permalink / raw)
  To: Jet (jchan@trusecure.com); +Cc: netfilter, netfilter

Hello Jet,

See the raw patch from patch-o-matic in the userspace directory.

-----------------------------------
mailto:alexey_talikov@texlab.com.uz
BR
Alexey Talikov
FORTEK
-----------------------------------




* Re: Purely NAT
From: Jet @ 2002-10-29  5:26 UTC (permalink / raw)
  To: Alexey Talikov; +Cc: netfilter@lists

Thanks. But I forgot to mention that NAT is required.
It seems like this is what I want, except it will omit the NAT functionality.

For those who want to take a look at what this POM provides, please refer to
http://www.netfilter.org/documentation/pomlist/pom-userspace.html

.//Jet


> Hello Jet,
> 
> See the raw patch from patch-o-matic in the userspace directory.
> 
> -----------------------------------



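What the raw patch buys you, and the NAT limitation Jet runs into, are concrete enough to show as a ruleset. The following is an added example, not code from the thread or from patch-o-matic: a POSIX shell script that generates an iptables ruleset in which a short list of scanner hosts is exempted from connection tracking with the raw table's NOTRACK target (the syntax of the later mainline raw table is assumed to match the 2002 patch), while every other LAN host is stateful-filtered and masqueraded. Interface names, addresses and the scanner list are placeholders chosen for the example. Because NAT is built on conntrack, a packet that is not tracked is never NATed, so an exempted scanner must use an address that is routable from the outside; the script cannot get around that, it only makes the consequence explicit.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables ruleset in which a
# short list of scanner hosts bypasses connection tracking via the raw table's
# NOTRACK target (the patch-o-matic "raw" patch, later mainlined), while every
# other LAN host gets stateful filtering plus masquerading. Interface names,
# addresses and the scanner list are placeholders chosen for this example.
# Caveat the thread arrives at: NAT is implemented on top of conntrack, so
# untracked packets are never NATed; a scanner exempted this way must use an
# address that is routable from the outside.

LAN_IF=eth0
WAN_IF=ppp0
LAN_NET=192.168.1.0/24
SCANNERS="198.51.100.50"      # routable address(es) of the scanning host(s), assumed

# Exempt each scanner from conntrack in both directions and accept its traffic
# with plain stateless rules. These ACCEPTs are emitted before any state-based
# rule so the result does not depend on how the state match classifies
# untracked packets.
notrack_rules() {
    for h in $SCANNERS; do
        echo "iptables -t raw -A PREROUTING -i $LAN_IF -s $h -j NOTRACK"
        echo "iptables -t raw -A PREROUTING -i $WAN_IF -d $h -j NOTRACK"
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $h -j ACCEPT"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $h -j ACCEPT"
    done
}

# Stateful policy for everyone else. Untracked packets never traverse the nat
# table, so the MASQUERADE rule cannot apply to the scanners even when they sit
# inside LAN_NET; that is the "omits NAT" behaviour noted in the thread.
stateful_rules() {
    echo "iptables -A FORWARD -m state --state INVALID -j DROP"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
}

# Whole ruleset: default-deny forwarding, flush, scanner exemptions first,
# then the stateful policy for the rest of the LAN.
full_ruleset() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD; iptables -t raw -F; iptables -t nat -F POSTROUTING"
    notrack_rules
    stateful_rules
}

# Print the commands by default; pass --apply to execute them as root.
if [ "${1:-}" = "--apply" ]; then
    full_ruleset | sh -e
else
    full_ruleset
fi
```

Review the printed commands before using --apply. If the scanner only has a private address, the second NOTRACK rule (matching -d on the WAN side) will never see its replies, because without NAT those replies are addressed to nobody; that is the situation Jet describes, and the fix is an address plan, not a rule.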
