* Stateless NAT
@ 2005-06-07 15:27 Matin Tamizi
From: Matin Tamizi @ 2005-06-07 15:27 UTC (permalink / raw)
To: NetFilter
I'm trying to setup stateless NAT on a testbed I'm using for
university research on DDoS. We are developing a stateless DDoS
prevention tool, but to test the software I need to use stateless NAT
to force traffic from outside through one computer, the router, and to
the victim.
I tried the NETMAP target module, but the router is still filtering my
out of state packets from the attack. The following shows the rules in
my nat table:
root # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
NETMAP all -- anywhere <victim's ip address> 192.168.13.2/32
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.13.2 anywhere to:<victim's ip address>
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I appreciate any suggestions on how I could correct my setup so I can
use stateless.
* Re: Stateless NAT
From: Feizhou @ 2005-06-08 1:40 UTC (permalink / raw)
To: Matin Tamizi; +Cc: NetFilter
> I appreciate any suggestions on how I could correct my setup so I can
> use stateless.
>
You don't use netfilter. You use iproute2.
http://linux-ip.net/html/nat-stateless.html
* Re: Stateless NAT
From: Guenter.Sprakties @ 2005-06-08 6:56 UTC (permalink / raw)
To: Feizhou; +Cc: netfilter-bounces, NetFilter
netfilter-bounces@lists.netfilter.org wrote on 08.06.2005 03:40:36:
>
> > I appreciate any suggestions on how I could correct my setup so I can
> > use stateless.
> >
>
> You don't use netfilter. You use iproute2.
>
> http://linux-ip.net/html/nat-stateless.html
>
First, you're right, iproute2 is the best tool for managing simple 1:1 NAT.
Second, it doesn't work because some guys decided to remove the necessary
code out of the kernel.
So you HAVE to use netfilter, and I tell you:
First again, it didn't work. Second, none of the guys out there helps
you. I tried to get help, but nothing happened.
I think natting is against their religion or something like this.
Take an old kernel and use iproute2, the most genial tool in all the net
stuff.
* Re: Stateless NAT
From: codewarrior @ 2005-06-08 7:20 UTC (permalink / raw)
To: NetFilter
On Jun 8, 2005, at 8:56 AM, Guenter.Sprakties@team4.de wrote:
>> You don't use netfilter. You use iproute2.
>>
>> http://linux-ip.net/html/nat-stateless.html
> First, you're right, iproute2 is the best tool for managing simple 1:1 NAT.
> Second, it doesn't work because some guys decided to remove the
> necessary
> code out of the kernel.
> So you HAVE to use netfilter, and I tell you:
> First again, it didn't work. Second, none of the guys out there
> helps
> you. I tried to get help, but nothing happened.
> I think natting is against their religion or something like this.
> Take an old kernel and use iproute2, the most genial tool in all
> the net
> stuff.
Hello Guenter,
thank you for your answer, so I heard that it is
not possible to run iproute2 under OS X, right?
I got a script from my ISP
http://www.xaranet.de/dl/xaranet-tunnel.sh
but you need iproute2, so there is no way?
regards
marc
********************************************************
opencuseeme / peer2peer multiparty conferencing
********************************************************
Marc Manthey
D - 50672 Cologne
West Europe
office: 0049.221.355.80.32
mobile: 0049.177.341.54.81
www.let.de
www.applehelpers.com
aim://macfreak2004
macfreak@jabber.org
* Re: Stateless NAT
From: Matin Tamizi @ 2005-06-09 13:43 UTC (permalink / raw)
To: NetFilter
Why can't we create a new target module to support stateless NAT for
NetFilter like the following link suggests?
https://lists.netfilter.org/pipermail/netfilter/2005-February/058950.html
I tried writing a target module, but I'm a bit baffled by how the
target modules work. The existing target modules don't seem to have
any source to modify the packets. If this is possible then the
NETMAP module should already do the job. Assuming the NETMAP target
module does what its description states.
We should also be able to write a stateless NAT program using libipq.
Even FreeBSD uses a user space program for NAT by using the divert
socket API. However, I don't know how to define any order in the programs
grabbing packets from the QUEUE. In FreeBSD, instead of queueing, the
packet is rerouted to an internal "divert" port which can be bound to
using the standard socket API, but divert sockets are more expensive
than the NetFilter QUEUE solution.
I've found another solution to my problem without having to use NAT,
but it would have been nice if I could have used NAT since my solution
is rather contrived.
-Matin
On 6/8/05, codewarrior@cuseeme.de <codewarrior@cuseeme.de> wrote:
>
> On Jun 8, 2005, at 8:56 AM, Guenter.Sprakties@team4.de wrote:
> >> You don't use netfilter. You use iproute2.
> >>
> >> http://linux-ip.net/html/nat-stateless.html
> > First, you're right, iproute2 is the best tool for managing simple 1:1 NAT.
> > Second, it doesn't work because some guys decided to remove the
> > necessary
> > code out of the kernel.
> > So you HAVE to use netfilter, and I tell you:
> > First again, it didn't work. Second, none of the guys out there
> > helps
> > you. I tried to get help, but nothing happened.
> > I think natting is against their religion or something like this.
> > Take an old kernel and use iproute2, the most genial tool in all
> > the net
> > stuff.
>
>
> Hello Guenter,
>
> thank you for your answer, so I heard that it is
> not possible to run iproute2 under OS X, right?
>
> I got a script from my ISP
> http://www.xaranet.de/dl/xaranet-tunnel.sh
>
> but you need iproute2, so there is no way?
>
>
> regards
>
> marc
>
>
> ********************************************************
> opencuseeme / peer2peer multiparty conferencing
> ********************************************************
> Marc Manthey
> D - 50672 Cologne
> West Europe
> office: 0049.221.355.80.32
> mobile: 0049.177.341.54.81
> www.let.de
> www.applehelpers.com
> aim://macfreak2004
> macfreak@jabber.org
* Re: Stateless NAT
From: Matin Tamizi @ 2005-07-28 20:54 UTC (permalink / raw)
To: NetFilter; +Cc: Dharanikanth Dugginni
On 7/28/05, Dharanikanth Dugginni <dharanikanthd@gmail.com> wrote:
> Hello Matin,
>
> I saw a post from you about Stateless NAT in linux and you concluded
> saying you found some solution, I am trying to do some thing similar
> to that, would you mind sharing the approach you have taken??
>
> Thanks,
> -Dhar
>
I had a *real* special situation since I'm doing this just for a
testbed. I was able to get around stateless NAT by using ARP
poisoning to force a certain network topology. This approach will
work but is not scalable and not recommended.
IMHO, you have the following options:
1. Use a different firewall -- I'm sure you've heard this suggestion before.
2. Create a target module -- I couldn't figure out how to do this for
a static NAT, so please let me know if you do.
3. QUEUE the packets you want to NAT and use libipq to do the static NATing
4. ARP poisoning (spoofing)
Let me know if you want me to post more information about 3 or 4.
-Matin
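What option 3 amounts to per packet, as an added example that is not code from this thread or from netfilter: the address rewrite a QUEUE/libipq program would have to perform itself, written as a NETMAP-style 1:1 map (the first message maps a single /32; this generalizes to a whole /24 with the host bits preserved). The map is a pure function of the address, so no flow table exists and a packet is translated the same way whether or not any earlier packet of its connection was seen, which is exactly the property the conntrack-based NAT targets lack and the reason the testbed's out-of-state traffic was dropped. The network numbers, the sample packets and all function names (netmap, rewrite, translate, build_tcp_packet, checksums_valid) are mine; the libipq read/verdict loop itself is not shown, only the rewriting that would sit inside it. Checksums are fixed incrementally per RFC 1624 rather than recomputed, and the UDP checksum-disabled and non-first-fragment cases are left alone.

```python
import ipaddress
import struct
from typing import Optional

# Constructed mapping: each host in INTERNAL_NET is reachable from outside as
# the same host number in PUBLIC_NET.
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")
INTERNAL_NET = ipaddress.ip_network("192.168.13.0/24")


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum. Over data that already carries a
    correct checksum field it returns 0, which is used as the validity check."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def csum_update(old_csum: int, old_val: bytes, new_val: bytes) -> int:
    """Adjust a checksum for old_val -> new_val without rescanning the packet:
    HC' = ~(~HC + ~m + m') (RFC 1624, eq. 3). Values must be whole 16-bit words."""
    total = ~old_csum & 0xFFFF
    for (word,) in struct.iter_unpack("!H", old_val):
        total += ~word & 0xFFFF
    for (word,) in struct.iter_unpack("!H", new_val):
        total += word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def netmap(addr: bytes, from_net, to_net) -> Optional[bytes]:
    """Map addr from from_net into to_net keeping the host bits; None if outside."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in from_net:
        return None
    host = int(ip) & int(from_net.hostmask)
    return ipaddress.IPv4Address(int(to_net.network_address) | host).packed


def rewrite(packet: bytes, field: str, new_addr: bytes) -> bytes:
    """Replace the IPv4 'src' or 'dst' address and repair both checksums."""
    buf = bytearray(packet)
    ihl = (buf[0] & 0x0F) * 4
    off = 12 if field == "src" else 16
    old = bytes(buf[off:off + 4])
    buf[off:off + 4] = new_addr
    ip_csum = struct.unpack_from("!H", buf, 10)[0]
    struct.pack_into("!H", buf, 10, csum_update(ip_csum, old, new_addr))
    # TCP/UDP checksums cover a pseudo-header containing both addresses. Only
    # the first fragment carries the transport header, and a UDP checksum of 0
    # means "not computed" and must stay 0.
    proto = buf[9]
    frag_off = struct.unpack_from("!H", buf, 6)[0] & 0x1FFF
    if frag_off == 0 and proto in (6, 17):
        tcs = ihl + (16 if proto == 6 else 6)
        if tcs + 2 <= len(buf):
            t_csum = struct.unpack_from("!H", buf, tcs)[0]
            if not (proto == 17 and t_csum == 0):
                struct.pack_into("!H", buf, tcs, csum_update(t_csum, old, new_addr))
    return bytes(buf)


def translate(packet: bytes) -> bytes:
    """Apply the map to any packet, in either direction, keeping no state:
    dst in PUBLIC_NET   -> dst moved into INTERNAL_NET (the PREROUTING NETMAP rule)
    src in INTERNAL_NET -> src moved into PUBLIC_NET   (the POSTROUTING SNAT rule)"""
    mapped = netmap(packet[16:20], PUBLIC_NET, INTERNAL_NET)
    if mapped is not None:
        return rewrite(packet, "dst", mapped)
    mapped = netmap(packet[12:16], INTERNAL_NET, PUBLIC_NET)
    if mapped is not None:
        return rewrite(packet, "src", mapped)
    return packet


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed IPv4+TCP packet (no payload) with valid checksums, for the demo."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def checksums_valid(packet: bytes) -> bool:
    """Oracle for the incremental update: recompute both checksums from scratch."""
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:
        return False
    if packet[9] != 6:
        return True
    tcp = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    # A bare ACK from outside with no SYN ever seen: a conntrack-based NAT has
    # no mapping for it, the stateless map translates it like any other packet.
    ack = build_tcp_packet("198.51.100.7", "203.0.113.2", 40000, 80, 0x10)
    out = translate(ack)
    print(ipaddress.IPv4Address(out[16:20]), checksums_valid(out))
```

Because nothing here remembers flows, there is also nothing that could drop a packet as out-of-state; that is the intended behaviour for the testbed, and the reason such a translator belongs on an isolated segment rather than in front of production hosts.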
* Stateless NAT
@ 2005-02-24 11:11 John A. Sullivan III
From: John A. Sullivan III @ 2005-02-24 11:11 UTC (permalink / raw)
To: Netfilter users list
Thanks to some help from Philip Craig of SnapGear, I'm still alive on
this issue of UDP broadcast helping using iptables. The next problem is
creating the stateless NAT that I need. My first choice would be to do
this with iproute2 but it appears to be broken in the 2.6 kernel.
I next tried doing this by using the raw table and NOTRACK target for
udp broadcasts on the needed port and then DNAT on the same packets to
the unicast address. However, apparently NOTRACK disables NAT so that
didn't work. When using conntrack for most packets, how does one
disable conntrack for certain NAT packets only? In other words, how does
one do selective, stateless NAT in iptables? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
* Re: Stateless NAT
From: Jozsef Kadlecsik @ 2005-02-24 16:43 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: Netfilter users list
On Thu, 24 Feb 2005, John A. Sullivan III wrote:
> Thanks to some help from Philip Craig of SnapGear, I'm still alive on
> this issue of UDP broadcast helping using iptables. The next problem is
> creating the stateless NAT that I need. My first choice would be to do
> this with iproute2 but it appears to be broken in the 2.6 kernel.
>
> I next tried doing this by using the raw table and NOTRACK target for
> udp broadcasts on the needed port and then DNAT on the same packets to
> the unicast address. However, apparently NOTRACK disables NAT so that
> didn't work. When using conntrack for most packets, how does one
> disable conntrack for certain NAT packets only? In other words, how does
> one do selective, stateless NAT in iptables? Thanks - John
You cannot do NAT without conntrack, because NAT in netfilter is built on
the top of conntrack. By the NOTRACK target you disable conntrack for
the selected packets thus disable NAT as well.
Currently there is no way to define stateless NAT in netfilter. That is
the bad news. The good one is that however one could write a stateless NAT
target module, nothing prevents that.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: Stateless NAT
From: Sven Schuster @ 2005-02-24 16:56 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: John A. Sullivan III, Netfilter users list
Hi Jozsef, Hi John,
On Thu, Feb 24, 2005 at 05:43:12PM +0100, Jozsef Kadlecsik told us:
> You cannot do NAT without conntrack, because NAT in netfilter is built on
> the top of conntrack. By the NOTRACK target you disable conntrack for
> the selected packets thus disable NAT as well.
>
> Currently there is no way to define stateless NAT in netfilter. That is
> the bad news. The good one is that however one could write a stateless NAT
> target module, nothing prevents that.
in 2.4 kernels there was a possibility to do "dumb NAT", i.e. NAT
without connection tracking, which could be configured with the
ip utility if I remember correctly. Unfortunately, this dumb NAT
has been removed from the 2.6 kernel because it was broken (I think
due to the ipsec/xfrm changes, again IIRC :-) )
Sven
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
>
>
--
Linux zion 2.6.11-rc3-mm2 #1 Mon Feb 21 00:29:04 CET 2005 i686 athlon i386 GNU/Linux
17:51:51 up 3 days, 17:02, 1 user, load average: 0.01, 0.01, 0.00
* Re: Stateless NAT
From: Jozsef Kadlecsik @ 2005-02-24 19:08 UTC (permalink / raw)
To: Sven Schuster; +Cc: John A. Sullivan III, Netfilter users list
Hi,
On Thu, 24 Feb 2005, Sven Schuster wrote:
> On Thu, Feb 24, 2005 at 05:43:12PM +0100, Jozsef Kadlecsik told us:
> > You cannot do NAT without conntrack, because NAT in netfilter is built on
> > the top of conntrack. By the NOTRACK target you disable conntrack for
> > the selected packets thus disable NAT as well.
> >
> > Currently there is no way to define stateless NAT in netfilter. That is
> > the bad news. The good one is that however one could write a stateless NAT
> > target module, nothing prevents that.
>
> in 2.4 kernels there was a possibility to do "dumb NAT", i.e. NAT
> without connection tracking, which could be configured with the
> ip utility if I remember correctly. Unfortunately, this dumb NAT
> has been removed from the 2.6 kernel because it was broken (I think
> due to the ipsec/xfrm changes, again IIRC :-) )
Yes, but iproute2 works outside of the netfilter framework. The original
question was how to perform stateless NAT by netfilter.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary