* DNAT hiding routers behind it
@ 2004-08-06 17:25 Simon Lodal
2004-08-06 18:26 ` Dick St.Peters
0 siblings, 1 reply; 8+ messages in thread
From: Simon Lodal @ 2004-08-06 17:25 UTC (permalink / raw)
To: netfilter
I am traceroute'ing a DNAT'ed host. Surprisingly, all routers between
the DNAT'ing firewall and the host appear as the IP address I am
traceroute'ing. Is this intended? Can it be controlled in some way? (it
is not necessarily bad)
Example:
traceroute to 217.116.235.62 (217.116.235.62), 30 hops max, 38 byte packets
1 192.168.0.2 (192.168.0.2) 4.152 ms 0.875 ms 0.865 ms
2 217.116.235.62 (217.116.235.62) 1.928 ms 1.272 ms 1.430 ms
3 217.116.235.62 (217.116.235.62) 2.013 ms 2.338 ms 2.330 ms
Line 1: DNAT'ing firewall.
Line 2: A router.
Line 3: DNAT'ed host.
I would expect the router to show up with its own IP address, not
the original target address.
Simon
* Re: DNAT hiding routers behind it
From: Dick St.Peters @ 2004-08-06 18:26 UTC (permalink / raw)
To: Simon Lodal; +Cc: netfilter
Simon Lodal writes:
> I am traceroute'ing a DNAT'ed host. Surprisingly, all routers between
> the DNAT'ing firewall and the host appear as the IP address I am
> traceroute'ing. Is this intended? Can it be controlled in some way? (it
> is not necessarily bad)
>
> Example:
> traceroute to 217.116.235.62 (217.116.235.62), 30 hops max, 38 byte packets
> 1 192.168.0.2 (192.168.0.2) 4.152 ms 0.875 ms 0.865 ms
> 2 217.116.235.62 (217.116.235.62) 1.928 ms 1.272 ms 1.430 ms
> 3 217.116.235.62 (217.116.235.62) 2.013 ms 2.338 ms 2.330 ms
>
> Line 1: DNAT'ing firewall.
> Line 2: A router.
> Line 3: DNAT'ed host.
Is the router a small Linksys router? They do this without being
behind a firewall or NAT box.
--
Dick St.Peters, stpeters@NetHeaven.com
* Re: DNAT hiding routers behind it
From: Simon Lodal @ 2004-08-06 21:08 UTC (permalink / raw)
To: netfilter; +Cc: Dick St.Peters
No Linksys here, the firewall is a linux PC, the "router" is an Extreme
Networks Summit 200 switch that acts like a router.
I do not think it matters. Point is that the router sends an icmp
ttl-exceeded, which the firewall apparently considers part of the
connection, and therefore does reverse DNAT on.
My problem is why it does that, and if it can be avoided.
Simon
Dick St.Peters wrote:
> Simon Lodal writes:
>
>>I am traceroute'ing a DNAT'ed host. Surprisingly, all routers between
>>the DNAT'ing firewall and the host appear as the IP address I am
>>traceroute'ing. Is this intended? Can it be controlled in some way? (it
>>is not necessarily bad)
>>
>>Example:
>>traceroute to 217.116.235.62 (217.116.235.62), 30 hops max, 38 byte packets
>> 1 192.168.0.2 (192.168.0.2) 4.152 ms 0.875 ms 0.865 ms
>> 2 217.116.235.62 (217.116.235.62) 1.928 ms 1.272 ms 1.430 ms
>> 3 217.116.235.62 (217.116.235.62) 2.013 ms 2.338 ms 2.330 ms
>>
>>Line 1: DNAT'ing firewall.
>>Line 2: A router.
>>Line 3: DNAT'ed host.
>
>
> Is the router a small Linksys router? They do this without being
> behind a firewall or NAT box.
>
> --
> Dick St.Peters, stpeters@NetHeaven.com
* Re: DNAT hiding routers behind it
From: Antony Stone @ 2004-08-06 22:56 UTC (permalink / raw)
To: netfilter
On Friday 06 August 2004 10:08 pm, Simon Lodal wrote:
> No Linksys here, the firewall is a linux PC, the "router" is an Extreme
> Networks Summit 200 switch that acts like a router.
>
> I do not think it matters. Point is that the router sends an icmp
> ttl-exceeded, which the firewall apparently considers part of the
> connection, and therefore does reverse DNAT on.
>
> My problem is why it does that, and if it can be avoided.
My guess is that you have a MASQUERADE rule with no interface specified - so
packets get the source address of the firewall whether they're going out or
coming in?
Make sure you specify "-o eth0" or "-o ppp0" or whatever your external
interface is called.
If not that, post your ruleset so we can have a further think...
Regards,
Antony.
> Dick St.Peters wrote:
> > Simon Lodal writes:
> >>I am traceroute'ing a DNAT'ed host. Surprisingly, all routers between
> >>the DNAT'ing firewall and the host appear as the IP address I am
> >>traceroute'ing. Is this intended? Can it be controlled in some way? (it
> >>is not necessarily bad)
> >>
> >>Example:
> >>traceroute to 217.116.235.62 (217.116.235.62), 30 hops max, 38 byte packets
> >> 1 192.168.0.2 (192.168.0.2) 4.152 ms 0.875 ms 0.865 ms
> >> 2 217.116.235.62 (217.116.235.62) 1.928 ms 1.272 ms 1.430 ms
> >> 3 217.116.235.62 (217.116.235.62) 2.013 ms 2.338 ms 2.330 ms
> >>
> >>Line 1: DNAT'ing firewall.
> >>Line 2: A router.
> >>Line 3: DNAT'ed host.
> >
> > Is the router a small Linksys router? They do this without being
> > behind a firewall or NAT box.
> >
> > --
> > Dick St.Peters, stpeters@NetHeaven.com
--
The difference between theory and practice is that in theory there is no
difference, whereas in practice there is.
Please reply to the list;
please don't CC me.
* Re: DNAT hiding routers behind it
From: Simon Lodal @ 2004-08-07 2:51 UTC (permalink / raw)
To: netfilter
> My guess is that you have a MASQUERADE rule with no interface specified - so
> packets get the source address of the firewall whether they're going out or
> coming in?
>
> Make sure you specify "-o eth0" or "-o ppp0" or whatever your external
> interface is called.
>
> If not that, post your ruleset so we can have a further think...
Testcase, as simple as possible:
pc has 10.44.252.2
fw has 10.44.252.1 on inside (vmnet2), 10.44.8.10 on outside (eth0).
On outside of fw there is a chain of routers; 10.44.8.1 => 192.168.44.1,
which is again connected to both 192.168.1.11 and 192.168.2.11 which
I'll use below.
masquerading or snat (tried both, no difference):
root@fw # iptables -t nat -A POSTROUTING -o eth0 -s 10.44.252.2 -j SNAT
--to-source 10.44.8.10
No other iptables rules are defined yet.
simonl@pc $ traceroute -q1 -I 192.168.1.11
traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
1 10.44.252.1 (10.44.252.1) 4.297 ms
2 10.44.8.1 (10.44.8.1) 3.892 ms
3 192.168.44.1 (192.168.44.1) 4.826 ms
4 192.168.1.11 (192.168.1.11) 5.095 ms
All good. Now for the fun (dnat to another host at similar distance):
root@fw # iptables -t nat -A PREROUTING -i vmnet2 -s 10.44.252.2 -d
192.168.1.11 -j DNAT --to-destination 192.168.2.11
simonl@pc $ traceroute -q1 -I 192.168.1.11
traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
1 10.44.252.1 (10.44.252.1) 1.854 ms
2 192.168.1.11 (192.168.1.11) 9.378 ms
3 192.168.1.11 (192.168.1.11) 17.237 ms
4 192.168.1.11 (192.168.1.11) 3.783 ms
See?
I tried dnat'ing without snat on a real network, same problem.
So snat/masquerade has no influence (it is just needed for my setup).
Simon
* Re: DNAT hiding routers behind it
From: Antony Stone @ 2004-08-07 7:37 UTC (permalink / raw)
To: netfilter
On Saturday 07 August 2004 3:51 am, Simon Lodal wrote:
> > My guess is that you have a MASQUERADE rule with no interface specified -
> > so packets get the source address of the firewall whether they're going
> > out or coming in?
>
> masquerading or snat (tried both, no difference):
> root@fw # iptables -t nat -A POSTROUTING -o eth0 -s 10.44.252.2 -j SNAT
> --to-source 10.44.8.10
>
> No other iptables rules are defined yet.
>
> simonl@pc $ traceroute -q1 -I 192.168.1.11
> traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
> 1 10.44.252.1 (10.44.252.1) 4.297 ms
> 2 10.44.8.1 (10.44.8.1) 3.892 ms
> 3 192.168.44.1 (192.168.44.1) 4.826 ms
> 4 192.168.1.11 (192.168.1.11) 5.095 ms
>
> All good. Now for the fun (dnat to another host at similar distance):
> root@fw # iptables -t nat -A PREROUTING -i vmnet2 -s 10.44.252.2 -d
> 192.168.1.11 -j DNAT --to-destination 192.168.2.11
>
> simonl@pc $ traceroute -q1 -I 192.168.1.11
> traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
> 1 10.44.252.1 (10.44.252.1) 1.854 ms
> 2 192.168.1.11 (192.168.1.11) 9.378 ms
> 3 192.168.1.11 (192.168.1.11) 17.237 ms
> 4 192.168.1.11 (192.168.1.11) 3.783 ms
>
> See?
Yes. Strange. I think I'd like to see the output of "traceroute -q1 -I
192.168.2.11" (with or without the DNAT rule, shouldn't make any difference).
Also, can you put a packet sniffer such as ethereal on the link 10.44.8.10 -
10.44.8.1 to see what packets are really leaving your firewall to the rest of
the network?
Regards,
Antony.
--
"Reports that say that something hasn't happened are always interesting to me,
because as we know, there are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say we know there are some
things we do not know. But there are also unknown unknowns - the ones we
don't know we don't know."
- Donald Rumsfeld, US Secretary of Defence
Please reply to the list;
please don't CC me.
* Re: DNAT hiding routers behind it
From: Simon Lodal @ 2004-08-07 14:47 UTC (permalink / raw)
To: netfilter
>>simonl@pc $ traceroute -q1 -I 192.168.1.11
>>traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
>> 1 10.44.252.1 (10.44.252.1) 4.297 ms
>> 2 10.44.8.1 (10.44.8.1) 3.892 ms
>> 3 192.168.44.1 (192.168.44.1) 4.826 ms
>> 4 192.168.1.11 (192.168.1.11) 5.095 ms
>>
>>All good. Now for the fun (dnat to another host at similar distance):
>>root@fw # iptables -t nat -A PREROUTING -i vmnet2 -s 10.44.252.2 -d
>>192.168.1.11 -j DNAT --to-destination 192.168.2.11
>>
>>simonl@pc $ traceroute -q1 -I 192.168.1.11
>>traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
>> 1 10.44.252.1 (10.44.252.1) 1.854 ms
>> 2 192.168.1.11 (192.168.1.11) 9.378 ms
>> 3 192.168.1.11 (192.168.1.11) 17.237 ms
>> 4 192.168.1.11 (192.168.1.11) 3.783 ms
>>
>>See?
>
>
> Yes. Strange. I think I'd like to see the output of "traceroute -q1 -I
> 192.168.2.11" (with or without the DNAT rule, shouldn't make any difference).
Note I managed to set up stuff so I do not need the SNAT rule anymore.
The firewall is a plain forwarding router now, except for the dnat rule.
It is what you would expect (same with and without dnat):
simonl@pc $ traceroute -q1 -I 192.168.2.11
traceroute to 192.168.2.11 (192.168.2.11), 30 hops max, 38 byte packets
1 10.44.252.1 (10.44.252.1) 1.095 ms
2 10.44.8.1 (10.44.8.1) 1.936 ms
3 192.168.44.1 (192.168.44.1) 6.036 ms
4 192.168.2.11 (192.168.2.11) 3.077 ms
> Also, can you put a packet sniffer such as ethereal on the link 10.44.8.10 -
> 10.44.8.1 to see what packets are really leaving your firewall to the rest of
> the network?
Sure, this is from the firewall, ethereal sniffing all interfaces with
filter "ip proto 1", with dnat, doing traceroute -q1 -I 192.168.1.11
(slightly prettyprinted):
No Source Destination Protocol Info
1 10.44.252.2 192.168.1.11 ICMP Echo (ping) request
2 10.44.252.1 10.44.252.2 ICMP Time-to-live exceeded
3 10.44.252.2 192.168.1.11 ICMP Echo (ping) request
4 10.44.252.2 192.168.2.11 ICMP Echo (ping) request
5 10.44.8.1 10.44.252.2 ICMP Time-to-live exceeded
6 192.168.1.11 10.44.252.2 ICMP Time-to-live exceeded
7 10.44.252.2 192.168.1.11 ICMP Echo (ping) request
8 10.44.252.2 192.168.2.11 ICMP Echo (ping) request
9 192.168.44.1 10.44.252.2 ICMP Time-to-live exceeded
10 192.168.1.11 10.44.252.2 ICMP Time-to-live exceeded
11 10.44.252.2 192.168.1.11 ICMP Echo (ping) request
12 10.44.252.2 192.168.2.11 ICMP Echo (ping) request
13 192.168.2.11 10.44.252.2 ICMP Echo (ping) reply
14 192.168.1.11 10.44.252.2 ICMP Echo (ping) reply
In my understanding line 5 means 10.44.8.1 sent back a ttl-exceeded as
it should.
The strange thing is on line 6. The ttl-exceeded packet is sent to the
pc, but at that point, the source address has been changed to 192.168.1.11.
The corresponding output from traceroute'ing 192.168.2.11 is:
5 10.44.8.1 10.44.252.2 ICMP Time-to-live exceeded
6 10.44.8.1 10.44.252.2 ICMP Time-to-live exceeded
The ttl-exceeded packet is just forwarded, as expected.
I have attached libpcap dump files for traceroute'ing both hosts in case
it contains more relevant info.
I would like to set up a stealth sniffer between firewall and next-hop
router, but I do not know how, wish I still had a hub.
FYI kernel is 2.4.25.
Simon
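A model of the behaviour this message describes, added here as an example and not code from the thread: the DNAT mapping from Simon's test case, a router's TTL-exceeded error, the untranslation the firewall should apply to the quoted inner datagram (keeping the router's own outer source) beside the outer-source rewrite seen in the capture, and a check over the prettyprinted capture lines that flags TTL-exceeded frames whose source is the traced destination itself. The Packet model and function names are assumptions; the capture lines are reconstructed from the post above.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str                       # "echo-request", "echo-reply" or "ttl-exceeded"
    inner: "Packet | None" = None   # datagram quoted inside an ICMP error

# The thread's DNAT rule: pc -> 192.168.1.11 is rewritten to 192.168.2.11.
DNAT = {"192.168.1.11": "192.168.2.11"}
REVERSE = {v: k for k, v in DNAT.items()}

def dnat_forward(pkt: Packet) -> Packet:
    """PREROUTING: rewrite the destination of the pc's outbound probe."""
    return replace(pkt, dst=DNAT.get(pkt.dst, pkt.dst))

def router_ttl_exceeded(router: str, probe: Packet) -> Packet:
    """What an intermediate router emits when the probe's TTL hits zero."""
    return Packet(src=router, dst=probe.src, kind="ttl-exceeded", inner=probe)

def untranslate_icmp_error(err: Packet, rewrite_outer: bool = False) -> Packet:
    """Undo DNAT on an ICMP error heading back to the pc.  The quoted inner
    datagram must be untranslated so traceroute can match it to its probe;
    the outer source should stay as the router that generated the error.
    rewrite_outer=True models what the thread observed: the outer source is
    replaced by the original destination too, hiding the router."""
    inner = replace(err.inner, dst=REVERSE.get(err.inner.dst, err.inner.dst))
    outer_src = inner.dst if rewrite_outer else err.src
    return replace(err, src=outer_src, inner=inner)

def suspicious_ttl_exceeded(capture: str, traced_dst: str) -> list:
    """Frame numbers of TTL-exceeded messages whose outer source is the traced
    destination itself; the final hop cannot also be an intermediate router,
    so such frames show that the NAT box rewrote the outer header."""
    hits = []
    for line in capture.strip().splitlines():
        no, src, _dst, proto, *info = line.split()
        if proto == "ICMP" and info == ["Time-to-live", "exceeded"] and src == traced_dst:
            hits.append(int(no))
    return hits

# Constructed from the prettyprinted ethereal output posted above.
CAPTURE = """
5 10.44.8.1 10.44.252.2 ICMP Time-to-live exceeded
6 192.168.1.11 10.44.252.2 ICMP Time-to-live exceeded
9 192.168.44.1 10.44.252.2 ICMP Time-to-live exceeded
10 192.168.1.11 10.44.252.2 ICMP Time-to-live exceeded
14 192.168.1.11 10.44.252.2 ICMP Echo (ping) reply
"""
```

Running `suspicious_ttl_exceeded(CAPTURE, "192.168.1.11")` over the reconstructed frames returns [6, 10], the two frames the post singles out.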
* Re: DNAT hiding routers behind it
From: Aleksandar Milivojevic @ 2004-08-11 20:29 UTC (permalink / raw)
To: Simon Lodal; +Cc: netfilter
Simon Lodal wrote:
> I would like to set up a stealth sniffer between firewall and next-hop
> router, but I do not know how, wish I still had a hub.
You said your router is actually an ethernet switch (that has some
routing capabilities)? On most switches, you can assign one or more
ports to be monitoring ports. They will receive a copy of all traffic
going through the switch. Check if your switch supports that.
Configure one port to be a monitoring port, connect the PC to it. Do not set
up an IP address or anything on that interface, just bring it up with
ifconfig. Run tcpdump or such on that interface. And you have your
stealth sniffer.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7