Re: DNAT rule requires extra firewall pinhole

[Pascal Hambourg <pascal.mail@plouf.fr.eu.org>]

Hello,

Jeff Weber a écrit :
> I've setup DNAT on gateway such that external clients connecting to TCP port 
> $SCADA_PORT on the gateway are actually connected to the node $MCB_IP on a 
> private network.  Here's my rule:
> 
>  $IPTABLES -t nat -A PREROUTING -p tcp -d $DAS_SCADA_IP --dport $SCADA_PORT \
>         -i $DAS_SCADA_IF -j DNAT --to $MCB_IP:$SCADA_PORT
> 
> I've added a firewall rule to block external requests to forward through the 
> gateway:
> 
> $IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF --syn -j DROP
> 
> The trouble is, I just found out that the above firewall rule is not 
> compatible with my DNAT rule.

Indeed. The TCP SYN packet arrives on $DAS_SCADA_IF, so it matches the rule.

> That is, DNAT rewrites the destination IP [as 
> it should] to the $MCB_IP, then forwards the packet, which then encounters 
> the new firewall rule, and is dropped.

Actually DNAT only rewrites the destination and does nothing more. It is 
the routing decision which forwards the packet.

> So I preceeded the above firewall rule with another rule:
> $IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF -s $SCADANET -d $MCB_IP \
>     --dport $SCADA_PORT -j ACCEPT
> 
> which enables the DNAT to work again.  However, a side effect is that now 
> external nodes on $SCADANET can forward port=$SCADA_PORT to IP=$MCB_IP 
> directly through the firewall.

Yes, this is a known side effect. Like you I used to worry about it but 
not any more now, considering that accesses via either the internal and 
external addresses have exactly the same effects. Besides, one has to 
know about the internal address in order to use it, so why hide it ?

> Granted this is a small pinhole, but I'd like 
> to plug it if possible.  I would think that it should be possible to prevent 
> all external nodes from forwarding through the firewall, and to prevent 
> external hosts from directly "seeing" an internal node on the private net.

I can think of the following options :

- Drop packets which match "-d $MCB_IP" in the mangle/PREROUTING chain. 
The mangle table is not the preffered way for filtering (you cannot use 
REJECT there) but it works. Do not use the nat table for filtering.

- MARK packets which match "-p tcp -d $DAS_SCADA_IP --dport $SCADA_PORT" 
in the mangle/PREROUTING, then DNAT the marked packet in the 
nat/PREROUTING chain and ACCEPT them in the filter/FORWARD table before 
the DROP rule. Or MARK the packets which do not match, don't DNAT them 
and DROP/REJECT them.

- In the filter/FORWARD chain, ACCEPT only packets matching
"-m conntrack --ctstate DNAT --ctorigdst $DAS_SCADA_IP", that is with 
the external original destination address.