Re: Messages in log with SNAT target

[Anssi Hannula <anssi.hannula@gmail.com>]

Pascal Hambourg wrote:
> Hello,

Hi, and thank you very much for your thorough answer.

> Anssi Hannula a écrit :
> 
>>
>> I've been using this kind of configuration on my Linux router for a few
>> years:
>>
>> eth0    80.223.77.223, public internet ip
>> eth0:0    10.0.0.1, private network ip
> 
> 
> You know that having both internet and a private LAN on the same
> interface is a *very* bad idea, don't you ? I suppose you have no other
> choice.

Oops, I didn't know :((

Is the bad part on it having both of them on the same physical network,
or only the fact that they are on the same interface?

Then again, this is a wireless network where some hosts have
public+private IPs and some hosts private IPs, so I guess it would be
pretty non-practical to have two interfaces on every system which I want
to have public IP too.

What is the security risk here, exactly?

>> IP forwarding enabled.
>>
>> And a rule for iptables:
>> -A POSTROUTING -s 10.0.0.0/255.255.255.0 -d ! 10.0.0.0/255.255.255.0 -j
>> SNAT --to-source 80.223.77.223
>>
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref   
>> Use Iface
>> 10.0.0.0        0.0.0.0         255.255.255.0   U     10     0       
>> 0 eth0
>> 80.223.64.0     0.0.0.0         255.255.240.0   U     10     0       
>> 0 eth0
>> 0.0.0.0         80.223.64.1     0.0.0.0         UG    10     0       
>> 0 eth0
>>
>> However, I get lots of this kind of messages in the dmesg while routing:
>> host 10.0.0.4/if2 ignores redirects for 70.35.xxx.xxx to 80.223.64.1.
> 
> [and so on]
> 
> Here's what happens. On your router box, all routes use the same
> interface eth0, so when it receives a packet for another destination
> than the box itself, it sends an "ICMP Redirect" message to the source
> IP address meaning "hey, there is a more direct route to destination
> 70.35.x.x using gateway 80.223.64.1 instead of me. Please update your
> routing table".
> 
> Happily, the 1.0.0.4 host ignores the "ICMP Redirect" messages. One
> reason is I think that's a default behaviour of Windows NT. Another
> reason is that host has probably no direct route to the proposed gateway
> address. Anyway, if it didn't ignore the "ICMP Redirect", it would
> probably lose connectivity with internet hosts because of its private
> address.
> 
> Note : destination NAT (DNAT) on the same network blocks the sending of
> "ICMP Redirect" messages by the routing decision, because destination
> NAT takes place before the routing decision. But source NAT (SNAT,
> MASQUERADE) doesn't, because it takes place after the routing decision,
> so it's too late (see Netfilter diagram in
> http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.txt).
> 
> You can enable or disable the sending of "ICMP Redirect" messages with
> the kernel parameter send_redirect.
> 
> send_redirects - BOOLEAN
>      Send redirects, if router.
>      send_redirects for the interface will be enabled if at least one of
>      conf/{all,interface}/send_redirects is set to TRUE,
>      it will be disabled otherwise
>      Default: TRUE
> 
> To disable sending "ICMP redirect" on eth0 :
> 
> echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
> echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
> 
> or :
> 
> sysctl -w net/ipv4/conf/all/send_redirects=0
> sysctl -w net/ipv4/conf/eth0/send_redirects=0


-- 
Anssi Hannula