NetBIOS dgm NAT Helper

NetBIOS dgm NAT Helper

[John A. Sullivan III]

We have encountered an unusual situation where NetBIOS datagram packets
(138/udp) are being passed through an IPSec tunnel on an iptables
firewall but they are also being NATted by the same firewall.  It
appears there is IP information embedded in the NetBIOS header.  Thus
NAT causes this protocol to break because the reply packets are sent to
the original IP address in the NetBIOS header rather than the NAT IP
address in the IP header.

I believe Cisco does have a NAT helper for NetBIOS but I have not seen
anything for iptables.  Is there such a helper? Is there anyway for an
iptables firewall to NAT NetBIOS datagram packets? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net

Re: NetBIOS dgm NAT Helper

[Rafa Garrido]

It can that this patch of the last week help you:
http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=2859
It will be necessary to hope to that stable kernel appears.
Greetings.


On 9/16/05, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
> We have encountered an unusual situation where NetBIOS datagram packets
> (138/udp) are being passed through an IPSec tunnel on an iptables
> firewall but they are also being NATted by the same firewall.  It
> appears there is IP information embedded in the NetBIOS header.  Thus
> NAT causes this protocol to break because the reply packets are sent to
> the original IP address in the NetBIOS header rather than the NAT IP
> address in the IP header.
> 
> I believe Cisco does have a NAT helper for NetBIOS but I have not seen
> anything for iptables.  Is there such a helper? Is there anyway for an
> iptables firewall to NAT NetBIOS datagram packets? Thanks - John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
> 
> If you would like to participate in the development of an open source
> enterprise class network security management system, please visit
> http://iscs.sourceforge.net
> 
> 
>

Re: NetBIOS dgm NAT Helper

[John A. Sullivan III]

Thank you but I don't think this helps.  It looks like it is for the
name service rather than the datagram service.  I would think such a
help would need to rewrite the embedded IP in the NetBIOS header and
recalculate any checksumming - John

On Sat, 2005-09-17 at 02:53 +0200, Rafa Garrido wrote:
> It can that this patch of the last week help you:
> http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=2859
> It will be necessary to hope to that stable kernel appears.
> Greetings.
> 
> 
> On 9/16/05, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
> > We have encountered an unusual situation where NetBIOS datagram packets
> > (138/udp) are being passed through an IPSec tunnel on an iptables
> > firewall but they are also being NATted by the same firewall.  It
> > appears there is IP information embedded in the NetBIOS header.  Thus
> > NAT causes this protocol to break because the reply packets are sent to
> > the original IP address in the NetBIOS header rather than the NAT IP
> > address in the IP header.
> > 
> > I believe Cisco does have a NAT helper for NetBIOS but I have not seen
> > anything for iptables.  Is there such a helper? Is there anyway for an
> > iptables firewall to NAT NetBIOS datagram packets? Thanks - John
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@opensourcedevel.com
> > 
> > If you would like to participate in the development of an open source
> > enterprise class network security management system, please visit
> > http://iscs.sourceforge.net
> > 
> > 
> >
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

Re: NetBIOS dgm NAT Helper

[Rafa Garrido]

On 9/17/05, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
> Thank you but I don't think this helps.  It looks like it is for the
> name service rather than the datagram service.  I would think such a
> help would need to rewrite the embedded IP in the NetBIOS header and
> recalculate any checksumming - John

Sorry, have you tested this module?
http://suif.stanford.edu/~csapuntz/ip_nat_netbios.c
The only thing is that this module don't consider if it is a NetBios
package or no, assumes that if it comes from udp-port 138 is a NetBios
package.


> 
> On Sat, 2005-09-17 at 02:53 +0200, Rafa Garrido wrote:
> > It can that this patch of the last week help you:
> > http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=2859
> > It will be necessary to hope to that stable kernel appears.
> > Greetings.
> >
> >
> > On 9/16/05, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
> > > We have encountered an unusual situation where NetBIOS datagram packets
> > > (138/udp) are being passed through an IPSec tunnel on an iptables
> > > firewall but they are also being NATted by the same firewall.  It
> > > appears there is IP information embedded in the NetBIOS header.  Thus
> > > NAT causes this protocol to break because the reply packets are sent to
> > > the original IP address in the NetBIOS header rather than the NAT IP
> > > address in the IP header.
> > >
> > > I believe Cisco does have a NAT helper for NetBIOS but I have not seen
> > > anything for iptables.  Is there such a helper? Is there anyway for an
> > > iptables firewall to NAT NetBIOS datagram packets? Thanks - John
> > > --
> > > John A. Sullivan III
> > > Open Source Development Corporation
> > > +1 207-985-7880
> > > jsullivan@opensourcedevel.com
> > >
> > > If you would like to participate in the development of an open source
> > > enterprise class network security management system, please visit
> > > http://iscs.sourceforge.net
> > >
> > >
> > >
> >
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
> 
> Financially sustainable open source development
> http://www.opensourcedevel.com
> 
>

Re: NetBIOS dgm NAT Helper

[John A. Sullivan III]

On Sat, 2005-09-17 at 14:01 +0200, Rafa Garrido wrote:
> On 9/17/05, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
> > Thank you but I don't think this helps.  It looks like it is for the
> > name service rather than the datagram service.  I would think such a
> > help would need to rewrite the embedded IP in the NetBIOS header and
> > recalculate any checksumming - John
> 
> Sorry, have you tested this module?
> http://suif.stanford.edu/~csapuntz/ip_nat_netbios.c
> The only thing is that this module don't consider if it is a NetBios
> package or no, assumes that if it comes from udp-port 138 is a NetBios
> package.
> 
<snip>
Thanks.  That looks like what we need.  What is its status within
netfilter? Is it being considered for inclusion? Is it available with
netfilter's blessing and support or is it just something that someone
put together for their own needs but is unmaintained and unsupported?
Thanks again - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net

Re: NetBIOS dgm NAT Helper

[Rafa Garrido]

On 9/17/05, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
> On Sat, 2005-09-17 at 14:01 +0200, Rafa Garrido wrote:
> > On 9/17/05, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
> > > Thank you but I don't think this helps.  It looks like it is for the
> > > name service rather than the datagram service.  I would think such a
> > > help would need to rewrite the embedded IP in the NetBIOS header and
> > > recalculate any checksumming - John
> >
> > Sorry, have you tested this module?
> > http://suif.stanford.edu/~csapuntz/ip_nat_netbios.c
> > The only thing is that this module don't consider if it is a NetBios
> > package or no, assumes that if it comes from udp-port 138 is a NetBios
> > package.
> >
> <snip>
> Thanks.  That looks like what we need.  What is its status within
> netfilter? Is it being considered for inclusion? Is it available with
> netfilter's blessing and support or is it just something that someone
> put together for their own needs but is unmaintained and unsupported?
> Thanks again - John

Hi John, this module is outside netfilter, and the only support is by
its author.
Greetings