From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: Nat and firewall holes
Date: Mon, 22 Mar 2010 18:12:25 +0100
Message-ID: <4BA7A4F9.6020001@plouf.fr.eu.org>
In-Reply-To: <cfeab66d1003220846h20c255d4u280ada41d2df1a2b@mail.gmail.com>
ratheesh k wrote:
>
> I have a Linux machine (say B) with two interfaces (eth0 -
> 192.168.1.1 and eth1 - 192.168.55.1). This Linux machine works as a
> gateway machine. eth0 is connected to the LAN network and eth1 is
> connected to the WAN network. The rules below are applied on the
> gateway machine:
>
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A INPUT -i eth1 -j DROP
>
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j DROP
Hmm, not sure that dropping everything received on eth1 is a good idea.
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
>
> LAN ---> eth0 : Gateway linux machine :eth1 ---> WAN
>
> We have a machine called A, connected to the LAN network, which is
> assigned the IP 192.168.1.100; its gateway is machine B's eth0
> interface (192.168.1.1).
> If I access "google.com" from machine A, a SYN packet with dest IP
> a.b.c.d (google.com's IP) and dest port 80 will go to machine B
> (the default gateway). Since we are masquerading all the packets, it
> will change the source IP to 192.168.55.1 and the source port to some
> random port (say portx).
MASQUERADE won't change the source port unless specified otherwise by
--random or --to-ports options, or if it is necessary in order to avoid
a "collision" with an existing connection (e.g. two clients connecting
to the same server with the same source port). See iptables man page.
> Packets from the server will have IP 192.18.55.1 and port portx.
> This will be changed to the original IP and port by the conntrack
> module.
Actually the conntrack module will only associate the packet to the
existing connection, and the nat module will change the addresses and ports.
> My question is: if I create a packet with source IP 192.168.55.1
> and dest port portx, can I get into machine B from the WAN side?
Do you mean machine A (the client)?
If a crafted packet matches all the characteristics of the conntrack
entry for that connection (including reply source port 80 and the TCP
sequence number), then it will be considered as belonging to the reply
direction of that connection and the NAT will process it accordingly.
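The two points Pascal makes above (MASQUERADE keeps the client's source port unless it would collide with an existing connection, and conntrack only hands a WAN-side packet to the NAT code when it matches the tracked reply tuple and the TCP window) can be seen in a small model. The following Python is an added illustration written for this thread, not netfilter code and not something either poster wrote. It uses the addresses from the thread (192.168.1.100, 192.168.55.1, a.b.c.d:80); the second LAN host 192.168.1.101, the source port 40000, the sequence numbers and the outside host 203.0.113.9 are constructed, and real conntrack TCP window tracking is far stricter than the single acknowledgement-number range used here.

```python
# Added illustration for this thread: a toy model of how MASQUERADE picks the
# WAN-side source port and how conntrack decides whether a packet arriving on
# eth1 is the reply to a tracked connection. It is not netfilter code; the
# TCP window check is simplified to a single acknowledgement-number range.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (proto, saddr, sport, daddr, dport)
Tuple5 = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    seq: int = 0
    ack: int = 0


@dataclass
class ConnEntry:
    orig: Tuple5      # tuple as sent by the LAN client
    reply: Tuple5     # tuple a genuine reply must carry on the WAN side
    ack_lo: int       # acceptable ack range for a reply (simplified window tracking)
    ack_hi: int


class Gateway:
    """Machine B from the thread: LAN on eth0 (192.168.1.1), WAN on eth1 (192.168.55.1)."""
    WAN_IP = "192.168.55.1"

    def __init__(self) -> None:
        self.by_reply: Dict[Tuple5, ConnEntry] = {}

    def masquerade(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source address; keep the source port unless it collides."""
        port = pkt.sport
        # A collision is an existing entry whose reply tuple would be identical,
        # i.e. the server's replies could not be told apart for the two clients.
        while (pkt.proto, pkt.daddr, pkt.dport, self.WAN_IP, port) in self.by_reply:
            port = port + 1 if port < 65535 else 1024   # simplified free-port search
        orig = (pkt.proto, pkt.saddr, pkt.sport, pkt.daddr, pkt.dport)
        reply = (pkt.proto, pkt.daddr, pkt.dport, self.WAN_IP, port)
        # A reply must acknowledge the client's SYN; allow one window beyond it.
        self.by_reply[reply] = ConnEntry(orig, reply, pkt.seq + 1, pkt.seq + 1 + 65535)
        return Packet(pkt.proto, self.WAN_IP, port, pkt.daddr, pkt.dport, pkt.seq, pkt.ack)

    def classify_wan(self, pkt: Packet) -> str:
        """WAN -> gateway: the conntrack verdict for a packet received on eth1."""
        key = (pkt.proto, pkt.saddr, pkt.sport, pkt.daddr, pkt.dport)
        entry = self.by_reply.get(key)
        if entry is None:
            return "NEW"          # no tracked connection has this reply tuple
        if not entry.ack_lo <= pkt.ack <= entry.ack_hi:
            return "INVALID"      # right tuple, but outside the tracked TCP window
        return "ESTABLISHED"

    def denat(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the NAT only for packets conntrack attributed to the reply direction."""
        if self.classify_wan(pkt) != "ESTABLISHED":
            return None
        entry = self.by_reply[(pkt.proto, pkt.saddr, pkt.sport, pkt.daddr, pkt.dport)]
        _, lan_ip, lan_port, _, _ = entry.orig
        return Packet(pkt.proto, pkt.saddr, pkt.sport, lan_ip, lan_port, pkt.seq, pkt.ack)


def demo() -> dict:
    """Walk through the thread's scenario; values not in the thread are constructed."""
    gw = Gateway()
    # Machine A opens a connection to the server (a.b.c.d:80, as in the thread).
    out1 = gw.masquerade(Packet("tcp", "192.168.1.100", 40000, "a.b.c.d", 80, seq=1000))
    # A second LAN host (constructed) uses the same source port to the same server.
    out2 = gw.masquerade(Packet("tcp", "192.168.1.101", 40000, "a.b.c.d", 80, seq=5000))
    # The server's genuine reply: correct reply tuple and it acknowledges A's SYN.
    reply = Packet("tcp", "a.b.c.d", 80, gw.WAN_IP, out1.sport, seq=9000, ack=1001)
    # A packet from some other WAN host (documentation address) aimed at the same port.
    stray = Packet("tcp", "203.0.113.9", 4444, gw.WAN_IP, out1.sport, seq=1, ack=1001)
    # Correct tuple but an acknowledgement number far outside the tracked window.
    bad_ack = Packet("tcp", "a.b.c.d", 80, gw.WAN_IP, out1.sport, seq=9000, ack=777777)
    translated = gw.denat(reply)
    return {
        "wan_port_first": out1.sport,          # 40000: source port preserved
        "wan_port_second": out2.sport,         # 40001: moved because of the collision
        "genuine_reply": gw.classify_wan(reply),
        "denat_dst": (translated.daddr, translated.dport) if translated else None,
        "stray_packet": gw.classify_wan(stray),
        "bad_ack": gw.classify_wan(bad_ack),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the ruleset quoted in the thread has no conntrack-based accept rule, so the `FORWARD -i eth1 -o eth0 -j DROP` line would discard the server's genuine reply as well. The usual arrangement is to accept `-m conntrack --ctstate ESTABLISHED,RELATED` on the WAN-to-LAN path ahead of that drop, so that exactly the packets conntrack attributes to an existing connection (the `ESTABLISHED` case in the model) are forwarded, while anything conntrack classifies as `NEW` or `INVALID` on eth1 keeps hitting the drop rule.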
Thread overview: 8+ messages
2010-03-22 15:46 Nat and firewall holes ratheesh k
2010-03-22 16:10 ` Jan Engelhardt
2010-03-22 17:12 ` Pascal Hambourg [this message]
2010-03-22 17:27 ` ratheesh k
2010-03-22 17:39 ` Pascal Hambourg
2010-03-22 17:43 ` ratheesh k
2010-03-22 19:40 ` Pascal Hambourg
2010-03-23 7:20 ` ratheesh k