* Connection tracking Cli and an ALG for DNS
From: Bill @ 2015-11-04 18:32 UTC (permalink / raw)
  To: Netfilter Users Mailing list

I am looking at creating a DNS_ALG using netfilter connection tracking.  I 
believe I understand most of what is needed but am having problems testing 
the ideas using the Cli from the conntrack-tools package.

Basically I have a setup that looks like this, a NAT gateway (with DNS) a 
local host inside the NAT, and a remote host outside the NAT:

local host               dns/nat gateway              remote host
192.168.20.171      192.168.20.170                192.168.30.172
                              192.168.30.170
inside               ----->>> nat >>> ------          outside

Thus local host can connect to remote host and is natted thru the gateway, but 
remote host can't connect to local host as it is blocked by the NAT gateway.

What I want ultimately is for remote to do a DNS on the gateway, and have the 
gateway configure the NAT to allow the incoming connection.  I want the 
connection to look as if local has initiated it, ie I want it natted so the 
connection is between the gateway and the remote host IPs on the outside.

Ultimately I want to program this into a DNS server or build a DNS_ALG, but 
for now I am just testing out the ideas and trying to test using the 
conntrack-tools, but I am having limited success.  I can add/delete/modify 
connections but I haven't been able to create a conntrack 'expectation'.

In the conntrack-tools there is a set of tests in a 'test.sh' file that has 
examples, and they work, but not the 'expectation' test, as it is missing 
some options.

What I'd like to know is, given the above example, where I'd like 
192.168.30.172 to connect to an expectation on 192.168.30.170 and be passed 
thru the NAT to 192.168.20.171, what are the right commands to use? 

I am pretty sure I need an 'expectation' and not a connection in one of the 
initial state machine states, but please correct me if I am wrong.

/bill


* Re: [Bulk] Connection tracking Cli and an ALG for DNS
From: Bill @ 2015-11-06 22:27 UTC (permalink / raw)
  To: Netfilter Users Mailing list

I've been looking at this a bit more and it occurs to me that it may be I 
don't need 'expect', but can use the regular connection tracking table.

So I have tried adding a connection that would allow me to traverse the NAT in 
the opposite direction but haven't had any success with this either.

conntrack -I -s 192.168.30.172 -d 192.168.20.171 -p tcp --sport 50000 --dport 
22 --state LISTEN -u SEEN_REPLY -t 600 --reply-src 192.168.20.171 --reply-dst 
192.168.20.170 --reply-port-src 22 --reply-port-dst 5000

I came up with the options by looking at an established connection in the 
other direction, so there is some guess work here.

If anyone can tell me definitively if I can use a connection or an expect to 
do what I want, as described below, I'd appreciate it.

/bill


On Wednesday 04 November 2015 13:32, Bill wrote:
> I am looking at creating a DNS_ALG using netfilter connection tracking.  I
> believe I understand most of what is needed but am having problems testing
> the ideas using the Cli from the conntrack-tools package.
>
> Basically I have a setup that looks like this, a NAT gateway (with DNS) a
> local host inside the NAT, and a remote host outside the NAT:
>
> local host               dns/nat gateway              remote host
> 192.168.20.171      192.168.20.170                192.168.30.172
>                               192.168.30.170
> inside               ----->>> nat >>> ------          outside
>
> Thus local host can connect to remote host and is natted thru the gateway,
> but remote host can't connect to local host as it is blocked by the NAT
> gateway.
>
> What I want ultimately is for remote to do a DNS on the gateway, and have the
> gateway configure the NAT to allow the incoming connection.  I want the
> connection to look as if local has initiated it, ie I want it natted so the
> connection is between the gateway and the remote host IPs on the outside.
>
> Ultimately I want to program this into a DNS server or build a DNS_ALG, but
> for now I am just testing out the ideas and trying to test using the
> conntrack-tools, but I am having limited success.  I can
> add/delete/modify connections but I haven't been able to create a conntrack
> 'expectation'.
>
> In the conntrack-tools there is a set of tests in a 'test.sh' file that has
> examples, and they work, but not the 'expectation' test, as it is missing
> some options.
>
> What I'd like to know is, given the above example, where I'd like
> 192.168.30.172 to connect to an expectation on 192.168.30.170 and be passed
> thru the NAT to 192.168.20.171, what are the right commands to use?
>
> I am pretty sure I need an 'expectation' and not a connection in one of the
> initial state machine states, but please correct me if I am wrong.
>
> /bill


* Re: [Bulk] Connection tracking Cli and an ALG for DNS
From: Adel Belhouane @ 2015-11-15 18:26 UTC (permalink / raw)
  To: netfilter

On 06/11/2015 23:27, Bill wrote:
> I've been looking at this a bit more and it occurs to me that it may be I
> don't need 'expect', but can use the regular connection tracking table.
>

[...]

> If anyone can tell me definitively if I can use a connection or an expect to
> do what I want, as described below, I'd appreciate it.
>
> /bill
>
>
> On Wednesday 04 November 2015 13:32, Bill wrote:
>> I am looking at creating a DNS_ALG using netfilter connection tracking.  I
>> believe I understand most of what is needed but am having problems testing
>> the ideas using the Cli from the conntrack-tools package.
>>
>> Basically I have a setup that looks like this, a NAT gateway (with DNS) a
>> local host inside the NAT, and a remote host outside the NAT:
>>
>> local host               dns/nat gateway              remote host
>> 192.168.20.171      192.168.20.170                192.168.30.172
>>                                192.168.30.170
>> inside               ----->>> nat >>> ------          outside
>>
>> Thus local host can connect to remote host and is natted thru the gateway,
>> but remote host can't connect to local host as it is blocked by the NAT
>> gateway.
>>
>> What I want ultimately is for remote to do a DNS on the gateway, and have the
>> gateway configure the NAT to allow the incoming connection.  I want the
>> connection to look as if local has initiated it, ie I want it natted so the
>> connection is between the gateway and the remote host IPs on the outside.
>>
>> Ultimately I want to program this into a DNS server or build a DNS_ALG, but
>> for now I am just testing out the ideas and trying to test using the
>> conntrack-tools, but I am having limited success.  I can
>> add/delete/modify connections but I haven't been able to create a conntrack
>> 'expectation'.
>>

Do you just want 192.168.20.171, behind a NAT gateway, to be the DNS server
for outside? Can you confirm that's the case or is there something else?

>> In the conntrack-tools there is a set of tests in a 'test.sh' file that has
>> examples, and they work, but not the 'expectation' test, as it is missing
>> some options.
>>
>> What I'd like to know is, given the above example, where I'd like
>> 192.168.30.172 to connect to an expectation on 192.168.30.170 and be passed
>> thru the NAT to 192.168.20.171, what are the right commands to use?
>>
>> I am pretty sure I need an 'expectation' and not a connection in one of the
>> initial state machine states, but please correct me if I am wrong.
>>

Can't you simply use the iptables DNAT target? If not, can you explain why
it won't work for your case and for what reason you'd need something else?

>> /bill
>> --

regards,
Adel BELHOUANE.



* Re: [Bulk] Connection tracking Cli and an ALG for DNS
From: Adel Belhouane @ 2015-11-15 18:45 UTC (permalink / raw)
  To: Bill; +Cc: Netfilter Users Mailing list


(I didn't reply to the original sender, my bad. So sending the same message again...)

On 06/11/2015 23:27, Bill wrote:
> I've been looking at this a bit more and it occurs to me that it may be I
> don't need 'expect', but can use the regular connection tracking table.
>

[...]

>
> If anyone can tell me definitively if I can use a connection or an expect to
> do what I want, as described below, I'd appreciate it.
>
> /bill
>
>
> On Wednesday 04 November 2015 13:32, Bill wrote:
>> I am looking at creating a DNS_ALG using netfilter connection tracking.  I
>> believe I understand most of what is needed but am having problems testing
>> the ideas using the Cli from the conntrack-tools package.
>>
>> Basically I have a setup that looks like this, a NAT gateway (with DNS) a
>> local host inside the NAT, and a remote host outside the NAT:
>>
>> local host               dns/nat gateway              remote host
>> 192.168.20.171      192.168.20.170                192.168.30.172
>>                                192.168.30.170
>> inside               ----->>> nat >>> ------          outside
>>
>> Thus local host can connect to remote host and is natted thru the gateway,
>> but remote host can't connect to local host as it is blocked by the NAT
>> gateway.
>>
>> What I want ultimately is for remote to do a DNS on the gateway, and have the
>> gateway configure the NAT to allow the incoming connection.  I want the
>> connection to look as if local has initiated it, ie I want it natted so the
>> connection is between the gateway and the remote host IPs on the outside.
>>
>> Ultimately I want to program this into a DNS server or build a DNS_ALG, but
>> for now I am just testing out the ideas and trying to test using the
>> conntrack-tools, but I am having limited success.  I can
>> add/delete/modify connections but I haven't been able to create a conntrack
>> 'expectation'.
>>

Do you just want 192.168.20.171, behind a NAT gateway, to be the DNS server
for outside? Can you confirm that's the case or is there something else?

>> In the conntrack-tools there is a set of tests in a 'test.sh' file that has
>> examples, and they work, but not the 'expectation' test, as it is missing
>> some options.
>>
>> What I'd like to know is, given the above example, where I'd like
>> 192.168.30.172 to connect to an expectation on 192.168.30.170 and be passed
>> thru the NAT to 192.168.20.171, what are the right commands to use?
>>
>> I am pretty sure I need an 'expectation' and not a connection in one of the
>> initial state machine states, but please correct me if I am wrong.
>>

Can't you simply use the iptables DNAT target? If not, can you explain why
it won't work for your use case and for what reason you'd need something else?

>> /bill
>> --

regards,
Adel BELHOUANE


* Re: Connection tracking Cli and an ALG for DNS
From: Bill @ 2015-11-19 18:52 UTC (permalink / raw)
  To: Adel Belhouane; +Cc: Netfilter Users Mailing list

On Sunday 15 November 2015 13:45, Adel Belhouane wrote:
> (I didn't reply to the original sender, my bad. So sending the same message
> again...)
>
> On 06/11/2015 23:27, Bill wrote:

> Do you just want 192.168.20.171, behind a NAT gateway, to be the DNS server
> for outside? Can you confirm that's the case or is there something else?

Actually it is 192.168.30.171 that is a NAT gateway and the DNS server for the 
192.168.20.0 network.

> Can't you simply use the iptables DNAT target? If not, can you explain why
> it won't work for your use case and for what reason you'd need something
> else?
>

DNAT would give access to a specific host, but I want to refer to it by a DNS 
name for 2 reasons:

1)  The host I am going to connect to may change its IP address, or if it is a 
service being requested, it might be provided by another host if the network 
changes (I am looking at a mobile network where hosts may come and go, or 
other hosts may replace them in times of interruption).

2)  Since the DNS may return different IPs over time, I don't want the IP in 
the local 192.168.20.0 network to be revealed.  Instead I want it to appear 
NATted, so it will be 192.168.30.170 + a port for this connection.  In other 
words I want it to look like the host on the 192.168.20.0 network initiated 
the connection.

For reference here is my diagram again:

> >> local host               dns/nat gateway              remote host
> >> 192.168.20.171      192.168.20.170                192.168.30.172
> >>                                192.168.30.170
> >> inside               ----->>> nat >>> ------          outside

As you can see, DNAT would not do for my requirements since I'd have to 
add/delete iptables rules, which I suppose I could do, but it doesn't seem the 
right approach.

Now since my original posting I have been reading code and have managed to 
create an 'expect' connection by upgrading to the latest 4.4 kernel.  In 
this version I find the sample test 'create-expect' works.

After succeeding with this I realize I may need to build a kernel module for 
the expectation and have started looking at the kernel code for this, such as 
those for FTP etc.

/bill
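As an added example (not from the thread, conntrack-tools or any project discussed here), the iptables DNAT approach Adel suggests packaged as publish/unpublish shell functions, so the per-service rule add/delete that Bill objects to is scripted and kept symmetric rather than hand-edited. It assumes the diagram's outside gateway address 192.168.30.170, a placeholder outside interface name, and an existing ESTABLISHED,RELATED accept rule on FORWARD; the conntrack flush on removal is what keeps an already-open flow from outliving its rule.

```shell
#!/bin/sh
# Added example (not from the thread): publish an inside host behind the
# gateway via DNAT, and withdraw it again cleanly.
set -eu

EXT_IP=192.168.30.170        # gateway address as seen from outside (from the diagram)
EXT_IF=${EXT_IF:-eth1}       # assumption: name of the outside-facing interface
DRY_RUN=${DRY_RUN:-0}        # DRY_RUN=1 prints the commands instead of running them

# Execute a command, or just print it when DRY_RUN=1 (lets this run unprivileged).
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build each rule specification once so add and remove can never drift apart.
# $1 = external port, $2 = inside host, $3 = inside port
nat_spec() {
    printf 'PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s' \
        "$EXT_IF" "$EXT_IP" "$1" "$2" "$3"
}
fwd_spec() {
    printf 'FORWARD -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT' \
        "$EXT_IF" "$2" "$3"
}

# Publish inside host $2:$3 as $EXT_IP:$1.  Only NEW is accepted here; the
# usual ESTABLISHED,RELATED rule on FORWARD (assumed present) carries the rest
# of the flow in both directions, and the outside only ever sees $EXT_IP.
publish() {
    run iptables -t nat -A $(nat_spec "$@")
    run iptables -A $(fwd_spec "$@")
}

# Withdraw the mapping and delete any live conntrack entries for it, because
# removing the rules alone does not tear down flows conntrack already knows.
unpublish() {
    run iptables -t nat -D $(nat_spec "$@")
    run iptables -D $(fwd_spec "$@")
    run conntrack -D -p tcp --orig-dst "$EXT_IP" --orig-port-dst "$1" || true
}
```

Run with DRY_RUN=1 first to review the exact rules before applying them as root.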


* Re: Connection tracking Cli and an ALG for DNS
From: Adel Belhouane @ 2015-12-02 11:12 UTC (permalink / raw)
  To: Bill; +Cc: Netfilter Users Mailing list

On 19/11/2015 19:52, Bill wrote:

> For reference here is my diagram again:
> 
>>>> local host               dns/nat gateway              remote host
>>>> 192.168.20.171      192.168.20.170                192.168.30.172
>>>>                                192.168.30.170
>>>> inside               ----->>> nat >>> ------          outside
> 
> As you can see, DNAT would not do for my requirements since I'd have to 
> add/delete iptables rules, which I suppose I could do, but it doesn't seem the 
> right approach.
> 
> Now since my original posting I have been reading code and have managed to 
> create an 'expect' connection by upgrading to the latest 4.4 kernel.  In 
> this version I find the sample test 'create-expect' works.
> 
> After succeeding with this I realize I may need to build a kernel module for 
> the expectation and have started looking at the kernel code for this, such as 
> those for FTP etc.
> 
I didn't get before that the "ALG" part was essential. I read a summary here:
https://www.juniper.net/documentation/en_US/junos12.1x47/topics/concept/security-alg-dns-overview.html

So I still don't get exactly what you are looking for (sorry), but I realize
it's related to DNS data content, not just connections. Sorry to have
wasted your time with my replies and good luck with your project.

> /bill
> 

regards,
Adel BELHOUANE.


* Re: Connection tracking Cli and an ALG for DNS
From: Bill @ 2015-12-02 22:36 UTC (permalink / raw)
  To: Adel Belhouane; +Cc: Netfilter Users Mailing list

No worries, your comments got me thinking more about my problem, which is 
always a good thing, thanks again.

/bill


On Wednesday 02 December 2015 06:12, Adel Belhouane wrote:
> On 19/11/2015 19:52, Bill wrote:
> > For reference here is my diagram again:
> >>>> local host               dns/nat gateway              remote host
> >>>> 192.168.20.171      192.168.20.170                192.168.30.172
> >>>>                                192.168.30.170
> >>>> inside               ----->>> nat >>> ------          outside
> >
> > As you can see, DNAT would not do for my requirements since I'd have to
> > add/delete iptables rules, which I suppose I could do, but it doesn't seem
> > the right approach.
> >
> > Now since my original posting I have been reading code and have managed to
> > create an 'expect' connection by upgrading to the latest 4.4 kernel.  In
> > this version I find the sample test 'create-expect' works.
> >
> > After succeeding with this I realize I may need to build a kernel module
> > for the expectation and have started looking at the kernel code for this,
> > such as those for FTP etc.
>
> I didn't get before that the "ALG" part was essential. I read a summary
> here:
> https://www.juniper.net/documentation/en_US/junos12.1x47/topics/concept/sec
>urity-alg-dns-overview.html
>
> So I still don't get exactly what you are looking for (sorry), but I
> realize it's related to DNS data content, not just connections. Sorry to
> have wasted your time with my replies and good luck with your project.
>
> > /bill
>
> regards,
> Adel BELHOUANE.
