* DNAT hiding routers behind it
From: Simon Lodal
Date: 2004-08-06 17:25 UTC
To: netfilter
(8+ messages in thread)

I am traceroute'ing a DNAT'ed host. Surprisingly, all routers between the DNAT'ing firewall and the host appear as the IP address I am traceroute'ing. Is this intended? Can it be controlled in some way? (It is not necessarily bad.)

Example:

  traceroute to 217.116.235.62 (217.116.235.62), 30 hops max, 38 byte packets
   1  192.168.0.2 (192.168.0.2)  4.152 ms  0.875 ms  0.865 ms
   2  217.116.235.62 (217.116.235.62)  1.928 ms  1.272 ms  1.430 ms
   3  217.116.235.62 (217.116.235.62)  2.013 ms  2.338 ms  2.330 ms

Line 1: DNAT'ing firewall.
Line 2: A router.
Line 3: DNAT'ed host.

I would expect the router to show up with its own IP address, not the original target address.

Simon
* Re: DNAT hiding routers behind it
From: Dick St.Peters
Date: 2004-08-06 18:26 UTC
To: Simon Lodal; +Cc: netfilter

Simon Lodal writes:
> I am traceroute'ing a DNAT'ed host. Surprisingly, all routers between
> the DNAT'ing firewall and the host appear as the IP address I am
> traceroute'ing. Is this intended? Can it be controlled in some way? (It
> is not necessarily bad.)
>
> Example:
> traceroute to 217.116.235.62 (217.116.235.62), 30 hops max, 38 byte packets
>  1  192.168.0.2 (192.168.0.2)  4.152 ms  0.875 ms  0.865 ms
>  2  217.116.235.62 (217.116.235.62)  1.928 ms  1.272 ms  1.430 ms
>  3  217.116.235.62 (217.116.235.62)  2.013 ms  2.338 ms  2.330 ms
>
> Line 1: DNAT'ing firewall.
> Line 2: A router.
> Line 3: DNAT'ed host.

Is the router a small Linksys router? They do this without being behind a firewall or NAT box.

--
Dick St.Peters, stpeters@NetHeaven.com
* Re: DNAT hiding routers behind it
From: Simon Lodal
Date: 2004-08-06 21:08 UTC
To: netfilter; +Cc: Dick St.Peters

No Linksys here, the firewall is a Linux PC, the "router" is an Extreme Networks Summit 200 switch that acts like a router.

I do not think it matters. The point is that the router sends an ICMP ttl-exceeded, which the firewall apparently considers part of the connection, and therefore does reverse DNAT on.

My problem is why it does that, and if it can be avoided.

Simon

Dick St.Peters wrote:
> Simon Lodal writes:
>
>> I am traceroute'ing a DNAT'ed host. Surprisingly, all routers between
>> the DNAT'ing firewall and the host appear as the IP address I am
>> traceroute'ing. Is this intended? Can it be controlled in some way? (It
>> is not necessarily bad.)
>>
>> Example:
>> traceroute to 217.116.235.62 (217.116.235.62), 30 hops max, 38 byte packets
>>  1  192.168.0.2 (192.168.0.2)  4.152 ms  0.875 ms  0.865 ms
>>  2  217.116.235.62 (217.116.235.62)  1.928 ms  1.272 ms  1.430 ms
>>  3  217.116.235.62 (217.116.235.62)  2.013 ms  2.338 ms  2.330 ms
>>
>> Line 1: DNAT'ing firewall.
>> Line 2: A router.
>> Line 3: DNAT'ed host.
>
> Is the router a small Linksys router? They do this without being
> behind a firewall or NAT box.
>
> --
> Dick St.Peters, stpeters@NetHeaven.com
* Re: DNAT hiding routers behind it
From: Antony Stone
Date: 2004-08-06 22:56 UTC
To: netfilter

On Friday 06 August 2004 10:08 pm, Simon Lodal wrote:
> No Linksys here, the firewall is a Linux PC, the "router" is an Extreme
> Networks Summit 200 switch that acts like a router.
>
> I do not think it matters. The point is that the router sends an ICMP
> ttl-exceeded, which the firewall apparently considers part of the
> connection, and therefore does reverse DNAT on.
>
> My problem is why it does that, and if it can be avoided.

My guess is that you have a MASQUERADE rule with no interface specified, so packets get the source address of the firewall whether they're going out or coming in?

Make sure you specify "-o eth0" or "-o ppp0" or whatever your external interface is called.

If not that, post your ruleset so we can have a further think...

Regards,

Antony.

> Dick St.Peters wrote:
> > Simon Lodal writes:
> >> I am traceroute'ing a DNAT'ed host. Surprisingly, all routers between
> >> the DNAT'ing firewall and the host appear as the IP address I am
> >> traceroute'ing. Is this intended? Can it be controlled in some way? (It
> >> is not necessarily bad.)
> >>
> >> Example:
> >> traceroute to 217.116.235.62 (217.116.235.62), 30 hops max, 38 byte packets
> >>  1  192.168.0.2 (192.168.0.2)  4.152 ms  0.875 ms  0.865 ms
> >>  2  217.116.235.62 (217.116.235.62)  1.928 ms  1.272 ms  1.430 ms
> >>  3  217.116.235.62 (217.116.235.62)  2.013 ms  2.338 ms  2.330 ms
> >>
> >> Line 1: DNAT'ing firewall.
> >> Line 2: A router.
> >> Line 3: DNAT'ed host.
> >
> > Is the router a small Linksys router? They do this without being
> > behind a firewall or NAT box.
> >
> > --
> > Dick St.Peters, stpeters@NetHeaven.com

--
The difference between theory and practice is that in theory there is no difference, whereas in practice there is.

Please reply to the list; please don't CC me.
* Re: DNAT hiding routers behind it
From: Simon Lodal
Date: 2004-08-07 02:51 UTC
To: netfilter

> My guess is that you have a MASQUERADE rule with no interface specified, so
> packets get the source address of the firewall whether they're going out or
> coming in?
>
> Make sure you specify "-o eth0" or "-o ppp0" or whatever your external
> interface is called.
>
> If not that, post your ruleset so we can have a further think...

Test case, as simple as possible:

pc has 10.44.252.2
fw has 10.44.252.1 on inside (vmnet2), 10.44.8.10 on outside (eth0).

On the outside of fw there is a chain of routers: 10.44.8.1 => 192.168.44.1, which is again connected to both 192.168.1.11 and 192.168.2.11, which I'll use below.

Masquerading or SNAT (tried both, no difference):

  root@fw # iptables -t nat -A POSTROUTING -o eth0 -s 10.44.252.2 -j SNAT --to-source 10.44.8.10

No other iptables rules are defined yet.

  simonl@pc $ traceroute -q1 -I 192.168.1.11
  traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
   1  10.44.252.1 (10.44.252.1)  4.297 ms
   2  10.44.8.1 (10.44.8.1)  3.892 ms
   3  192.168.44.1 (192.168.44.1)  4.826 ms
   4  192.168.1.11 (192.168.1.11)  5.095 ms

All good. Now for the fun (DNAT to another host at similar distance):

  root@fw # iptables -t nat -A PREROUTING -i vmnet2 -s 10.44.252.2 -d 192.168.1.11 -j DNAT --to-destination 192.168.2.11

  simonl@pc $ traceroute -q1 -I 192.168.1.11
  traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
   1  10.44.252.1 (10.44.252.1)  1.854 ms
   2  192.168.1.11 (192.168.1.11)  9.378 ms
   3  192.168.1.11 (192.168.1.11)  17.237 ms
   4  192.168.1.11 (192.168.1.11)  3.783 ms

See?

I tried DNAT'ing without SNAT on a real network, same problem. So SNAT/masquerade has no influence (it is just needed for my setup).

Simon
* Re: DNAT hiding routers behind it
From: Antony Stone
Date: 2004-08-07 07:37 UTC
To: netfilter

On Saturday 07 August 2004 3:51 am, Simon Lodal wrote:
> > My guess is that you have a MASQUERADE rule with no interface specified,
> > so packets get the source address of the firewall whether they're going
> > out or coming in?
>
> Masquerading or SNAT (tried both, no difference):
>   root@fw # iptables -t nat -A POSTROUTING -o eth0 -s 10.44.252.2 -j SNAT --to-source 10.44.8.10
>
> No other iptables rules are defined yet.
>
>   simonl@pc $ traceroute -q1 -I 192.168.1.11
>   traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
>    1  10.44.252.1 (10.44.252.1)  4.297 ms
>    2  10.44.8.1 (10.44.8.1)  3.892 ms
>    3  192.168.44.1 (192.168.44.1)  4.826 ms
>    4  192.168.1.11 (192.168.1.11)  5.095 ms
>
> All good. Now for the fun (DNAT to another host at similar distance):
>   root@fw # iptables -t nat -A PREROUTING -i vmnet2 -s 10.44.252.2 -d 192.168.1.11 -j DNAT --to-destination 192.168.2.11
>
>   simonl@pc $ traceroute -q1 -I 192.168.1.11
>   traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
>    1  10.44.252.1 (10.44.252.1)  1.854 ms
>    2  192.168.1.11 (192.168.1.11)  9.378 ms
>    3  192.168.1.11 (192.168.1.11)  17.237 ms
>    4  192.168.1.11 (192.168.1.11)  3.783 ms
>
> See?

Yes. Strange. I think I'd like to see the output of "traceroute -q1 -I 192.168.2.11" (with or without the DNAT rule, shouldn't make any difference).

Also, can you put a packet sniffer such as ethereal on the link 10.44.8.10 - 10.44.8.1 to see what packets are really leaving your firewall to the rest of the network?

Regards,

Antony.

--
"Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know."

 - Donald Rumsfeld, US Secretary of Defence

Please reply to the list; please don't CC me.
* Re: DNAT hiding routers behind it
From: Simon Lodal
Date: 2004-08-07 14:47 UTC
To: netfilter

>>   simonl@pc $ traceroute -q1 -I 192.168.1.11
>>   traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
>>    1  10.44.252.1 (10.44.252.1)  4.297 ms
>>    2  10.44.8.1 (10.44.8.1)  3.892 ms
>>    3  192.168.44.1 (192.168.44.1)  4.826 ms
>>    4  192.168.1.11 (192.168.1.11)  5.095 ms
>>
>> All good. Now for the fun (DNAT to another host at similar distance):
>>   root@fw # iptables -t nat -A PREROUTING -i vmnet2 -s 10.44.252.2 -d 192.168.1.11 -j DNAT --to-destination 192.168.2.11
>>
>>   simonl@pc $ traceroute -q1 -I 192.168.1.11
>>   traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
>>    1  10.44.252.1 (10.44.252.1)  1.854 ms
>>    2  192.168.1.11 (192.168.1.11)  9.378 ms
>>    3  192.168.1.11 (192.168.1.11)  17.237 ms
>>    4  192.168.1.11 (192.168.1.11)  3.783 ms
>>
>> See?
>
> Yes. Strange. I think I'd like to see the output of "traceroute -q1 -I
> 192.168.2.11" (with or without the DNAT rule, shouldn't make any difference).

Note I managed to set up stuff so I do not need the SNAT rule anymore. The firewall is a plain forwarding router now, except for the DNAT rule.

It is what you would expect (same with and without DNAT):

  simonl@pc $ traceroute -q1 -I 192.168.2.11
  traceroute to 192.168.2.11 (192.168.2.11), 30 hops max, 38 byte packets
   1  10.44.252.1 (10.44.252.1)  1.095 ms
   2  10.44.8.1 (10.44.8.1)  1.936 ms
   3  192.168.44.1 (192.168.44.1)  6.036 ms
   4  192.168.2.11 (192.168.2.11)  3.077 ms

> Also, can you put a packet sniffer such as ethereal on the link 10.44.8.10 -
> 10.44.8.1 to see what packets are really leaving your firewall to the rest of
> the network?

Sure, this is from the firewall, ethereal sniffing all interfaces with filter "ip proto 1", with DNAT, doing traceroute -q1 -I 192.168.1.11 (slightly pretty-printed):

  No  Source        Destination   Protocol  Info
   1  10.44.252.2   192.168.1.11  ICMP      Echo (ping) request
   2  10.44.252.1   10.44.252.2   ICMP      Time-to-live exceeded
   3  10.44.252.2   192.168.1.11  ICMP      Echo (ping) request
   4  10.44.252.2   192.168.2.11  ICMP      Echo (ping) request
   5  10.44.8.1     10.44.252.2   ICMP      Time-to-live exceeded
   6  192.168.1.11  10.44.252.2   ICMP      Time-to-live exceeded
   7  10.44.252.2   192.168.1.11  ICMP      Echo (ping) request
   8  10.44.252.2   192.168.2.11  ICMP      Echo (ping) request
   9  192.168.44.1  10.44.252.2   ICMP      Time-to-live exceeded
  10  192.168.1.11  10.44.252.2   ICMP      Time-to-live exceeded
  11  10.44.252.2   192.168.1.11  ICMP      Echo (ping) request
  12  10.44.252.2   192.168.2.11  ICMP      Echo (ping) request
  13  192.168.2.11  10.44.252.2   ICMP      Echo (ping) reply
  14  192.168.1.11  10.44.252.2   ICMP      Echo (ping) reply

In my understanding line 5 means 10.44.8.1 sent back a ttl-exceeded as it should. The strange thing is on line 6. The ttl-exceeded packet is sent to the PC, but at that point, the source address has been changed to 192.168.1.11.

The corresponding output from traceroute'ing 192.168.2.11 is:

   5  10.44.8.1     10.44.252.2   ICMP      Time-to-live exceeded
   6  10.44.8.1     10.44.252.2   ICMP      Time-to-live exceeded

The ttl-exceeded packet is just forwarded, as expected.

I have attached libpcap dump files for traceroute'ing both hosts in case they contain more relevant info.

I would like to set up a stealth sniffer between the firewall and the next-hop router, but I do not know how; wish I still had a hub.

FYI kernel is 2.4.25.

Simon

[-- Attachment #2: traceroute -q1 -I 192.168.1.11.dump (application/octet-stream, 1112 bytes) --]
[-- Attachment #3: traceroute -q1 -I 192.168.2.11.dump (application/octet-stream, 1112 bytes) --]
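An added example, not code from the thread and not kernel code: a small Python model of what Simon's capture shows, covering both his iptables test case (the SNAT-only traceroute that looks right and the DNAT one that does not) and the frame 5 / frame 6 pair above. It assumes the 2.4-era netfilter NAT design as I read it: a NAT'ed conntrack entry carries one manip for the original direction and an inverse manip at the opposite hook for replies, and an ICMP error that conntrack has classified RELATED is handed to icmp_reply_translation, which applies the same manips a normal packet of that direction would get to the error's outer header, and with the opposite manip type to the quoted inner header. The 2.4 source notes at that point that the error may not come from the NAT'ed host but that translating it is the safest option; nothing checks the outer source. The constants, class names and the (direction, hook, maniptype, address) bookkeeping are simplifications written for this example; the addresses are the ones from the thread, and the ICMP error fed in is constructed from frame 5 of the listing.

```python
# Added example, not code from the thread or from the kernel: a model of how
# netfilter's 2.4-era NAT (ip_nat_core.c icmp_reply_translation) treats an
# ICMP error that conntrack marked RELATED to a NAT'ed flow.  It reproduces
# Simon's captures: SNAT leaves the router's address alone, DNAT overwrites it
# with the pre-NAT target.  Addresses are from the thread; the manip entries
# (direction, hook, maniptype, address) are a simplification of the kernel's.
from dataclasses import dataclass, replace

ORIGINAL, REPLY = "ORIGINAL", "REPLY"
PREROUTING, POSTROUTING = "PREROUTING", "POSTROUTING"
SRC, DST = "SRC", "DST"
OPPOSITE_HOOK = {PREROUTING: POSTROUTING, POSTROUTING: PREROUTING}
OPPOSITE_MANIP = {SRC: DST, DST: SRC}

@dataclass(frozen=True)
class Tuple:
    src: str
    dst: str
    def invert(self):
        return Tuple(self.dst, self.src)

@dataclass(frozen=True)
class Manip:
    direction: str  # ORIGINAL or REPLY: which direction of the flow it applies to
    hook: str       # PREROUTING or POSTROUTING: where it is applied
    kind: str       # SRC or DST: which outer address it rewrites
    addr: str

@dataclass(frozen=True)
class Conntrack:
    original: Tuple     # the flow as first seen, before NAT
    reply: Tuple        # what the far end sends back, after NAT
    manips: tuple = ()  # NAT rewrites attached to the entry

@dataclass(frozen=True)
class IcmpError:
    src: str      # outer header: whoever generated the error (here a router)
    dst: str
    inner: Tuple  # quoted header of the packet that expired

def set_addr(t, kind, addr):
    return replace(t, **{kind.lower(): addr})

def nat_conntrack(orig, hook, kind, addr):
    """Entry made by an SNAT (POSTROUTING, SRC) or DNAT (PREROUTING, DST) rule:
    one manip for the original direction, the inverse one at the opposite hook."""
    undo = orig.src if kind == SRC else orig.dst
    return Conntrack(orig, set_addr(orig, kind, addr).invert(),
                     (Manip(ORIGINAL, hook, kind, addr),
                      Manip(REPLY, OPPOSITE_HOOK[hook], OPPOSITE_MANIP[kind], undo)))

def related_direction(ct, err):
    """icmp_error_track: invert the quoted header and look it up; the tuple it
    matches tells which direction the error travels in (None: not RELATED)."""
    inv = err.inner.invert()
    return ORIGINAL if inv == ct.original else REPLY if inv == ct.reply else None

def icmp_reply_translation(ct, err, hook, direction):
    """Each manip a plain packet of this direction gets at this hook is applied
    to the outer header as-is and, with the opposite maniptype, to the quoted
    inner header.  Nothing checks that the outer source is the NAT'ed host."""
    for m in ct.manips:
        if m.direction != direction or m.hook != hook:
            continue
        inner = set_addr(err.inner, OPPOSITE_MANIP[m.kind], m.addr)
        outer = set_addr(Tuple(err.src, err.dst), m.kind, m.addr)
        err = IcmpError(outer.src, outer.dst, inner)
    return err

def forward_icmp_error(ct, err):
    """Run the error through the firewall's NAT hooks in order."""
    direction = related_direction(ct, err)
    if direction is None:
        return err
    for hook in (PREROUTING, POSTROUTING):
        err = icmp_reply_translation(ct, err, hook, direction)
    return err

# Hosts from Simon's test case.
PC, FW_OUT, ROUTER = "10.44.252.2", "10.44.8.10", "10.44.8.1"
PUBLIC, REAL = "192.168.1.11", "192.168.2.11"

def dnat_case():
    """PREROUTING DNAT 192.168.1.11 -> 192.168.2.11, fed frame 5 of the
    capture (constructed here from the listing in the thread)."""
    ct = nat_conntrack(Tuple(PC, PUBLIC), PREROUTING, DST, REAL)
    return forward_icmp_error(ct, IcmpError(ROUTER, PC, Tuple(PC, REAL)))

def snat_case():
    """POSTROUTING SNAT 10.44.252.2 -> 10.44.8.10, the 'all good' traceroute."""
    ct = nat_conntrack(Tuple(PC, PUBLIC), POSTROUTING, SRC, FW_OUT)
    return forward_icmp_error(ct, IcmpError(ROUTER, FW_OUT, Tuple(FW_OUT, PUBLIC)))

def plain_case():
    """No NAT rule: the traceroute to 192.168.2.11 is forwarded untouched."""
    ct = Conntrack(Tuple(PC, REAL), Tuple(REAL, PC))
    return forward_icmp_error(ct, IcmpError(ROUTER, PC, Tuple(PC, REAL)))

if __name__ == "__main__":
    for name, case in (("dnat", dnat_case), ("snat", snat_case), ("plain", plain_case)):
        e = case()
        print(f"{name:5} outer {e.src} -> {e.dst}  quoted {e.inner.src} -> {e.inner.dst}")
```

Running it prints the three outcomes side by side. In the DNAT case the only manip that fires is the reply-direction SRC manip at POSTROUTING, the one that turns an echo reply from 192.168.2.11 back into one from 192.168.1.11; applied to the router's ttl-exceeded it rewrites the outer source to 192.168.1.11 (frame 6) while correctly restoring 192.168.1.11 as the destination of the quoted packet. In the SNAT case the reply-direction manip is a DST manip, so only the outer destination is touched and 10.44.8.1 survives. That is the whole difference between the two traceroutes: the rewrite is needed for errors the DNAT'ed host itself sends (a port-unreachable from 192.168.2.11 should appear to come from 192.168.1.11), and this model, like the kernel of that era, has no way to tell those apart from errors generated by routers on the path.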
* Re: DNAT hiding routers behind it
From: Aleksandar Milivojevic
Date: 2004-08-11 20:29 UTC
To: Simon Lodal; +Cc: netfilter

Simon Lodal wrote:
> I would like to set up a stealth sniffer between the firewall and the next-hop
> router, but I do not know how; wish I still had a hub.

You said your router is actually an Ethernet switch (that has some routing capabilities)? On most switches, you can assign one or more ports to be monitoring ports. They will receive a copy of all traffic going through the switch. Check if your switch supports that. Configure one port to be a monitoring port, connect the PC to it. Do not set up an IP address or anything on that interface, just bring it up with ifconfig. Run tcpdump or such on that interface. And you have your stealth sniffer.

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>
Pollard Banknote Limited, Systems Administrator
1499 Buffalo Place, Winnipeg, MB R3T 1L7
Tel: (204) 474-2323 ext 276