Re: Redirection to local lan, isn't DNAT method unsafe.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Bo Jacobsen" <subs@systemhouse.dk>
To: netfilter@lists.netfilter.org
Subject: Re: Redirection to local lan, isn't DNAT method unsafe.
Date: Thu, 1 Apr 2004 14:43:00 +0200	[thread overview]
Message-ID: <051601c417e6$e6395350$de0aa8c0@comp> (raw)
In-Reply-To: 200404011055.45703.Antony@Soft-Solutions.co.uk

> > > Well, DNAT is normally used to map externally-accessible public IPs to
> > > real internal systems on non-routable 10.x.y.z, 172.16.a.b or 192.168.c.d
> > > addresses, therefore the problem never arises (since people across the
> > > Internet can't send packets to the real private addresses even if they
> > > knew what they were).
> > >
> > > There isn't a "better" way to redirect traffic to other IP addresses,
> > > however why do you think it's a problem for people to use the "real"
> > > address instead of the one you're telling them to use.   They have access
> > > to the machine, so why does it really matter which address they use to
> > > connect to it?
> >
> > The problem is that many hosts, with this setup, actually is connected to
> > the internet using a public ip, and beeing able to resolve internal
> > ip-information is not good.
> 
> Now I'm confused.   (Easily done...)
> 
> Were the 192.168.x.y addresses you gave in your original posting accurate, or 
> just examples, and you are now saying that the source machines are actually 
> systems out on the Internet somewhere with real public IPs?
> 
> Please clarify - who are you worried about discovering the real internal IP 
> addresses of your machines, and where are they located on the network?   Can 
> they really send packets to the private IP address as you outlined in your 
> original posting?
> 
> My expectation is that people "out on the Internet" cannot connect to your 
> private IPs (because the addresses are non-routable), therefore the question 
> doesn't arise for them.   People associated with your local network (ie: 
> inside your connection point to the Internet) surely aren't a problem even if 
> they do discover the real private IP address?   Or am I missing something 
> here about what you are trying to secure from whom?
> 
> Hope that's clear....
> 
> Regards,
> 
> Antony.
> 

Well, the setup is used on a number of hosts located in a number of different 
environments. Some have public ip's, some don't. 

> inside your connection point to the Internet) surely aren't a problem even if 
> they do discover the real private IP address?   Or am I missing something 
That just true in a very simple setup. If different people/compagnies are sharing 
a "backbone" (using maybe 192.168.1.0 as the lan behind a commen internet router)
the problem is maybe not an internet problem, but an "internal" problem. Should
one trust all the other compagnies on the backbone, of course not.
So the general rule is ALWAYS to stop any leaking if it's possible.

I have solved the problem by always running a second -j DROP rule in the 
PREROUTING chain (as you suggested).


Bo

next prev parent reply	other threads:[~2004-04-01 12:43 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-03-30 12:46 Redirecting ports on localhost Fabiano Bonin
2004-03-30 13:00 ` David Cannings
2004-04-01  8:25 ` Redirection to local lan, isn't DNAT method unsafe Bo Jacobsen
2004-04-01  8:37   ` Antony Stone
2004-04-01  8:55     ` Bo Jacobsen
2004-04-01  9:05       ` Antony Stone
2004-04-01  9:42         ` Bo Jacobsen
2004-04-01  9:55           ` Antony Stone
2004-04-01 12:43             ` Bo Jacobsen [this message]
2004-04-01 22:20             ` Unknown, Alistair Tonner
     [not found]             ` <200404011720.57604.Alistair Tonner <>
2004-04-01 22:52               ` Antony Stone
2004-04-22  3:49   ` Alexander Samad

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='051601c417e6$e6395350$de0aa8c0@comp' \
    --to=subs@systemhouse.dk \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.