Linux Netfilter discussions
From: Anssi Hannula <anssi.hannula@gmail.com>
To: Sietse van Zanen <sietse@wizdom.nu>
Cc: netfilter@lists.netfilter.org
Subject: Re: Messages in log with SNAT target
Date: Mon, 24 Jul 2006 15:01:34 +0300
Message-ID: <44C4B69E.9040302@gmail.com>
In-Reply-To: <02BB8A4AC86C564C89C7F14CF98CE0C40127D9@knowledge.wizdom.nu>

Sietse van Zanen wrote:
> The security risk is, and it is a MAJOR one, especially with WiFi networks, that any PC on the network could just be set up with a private IP on your private network, start sniffing for passwords etc.
>  
> It's a very, very bad idea to put your public and private WiFi infrastructure on the same physical network.
> I would say, there's even no point in firewalling this. Firewalling is separating, you are combining.
>  
> -Sietse

In this case the private network is only a very small home network. I
don't see there being too big a risk of anyone setting up a box with
private IP on the network with harm on their mind. If that would be
possible, wouldn't the security of the whole system be compromised so
much that the private/public separation doesn't matter anymore?

The main purpose of the private IPs here is the ease of use and having
no public IP for a system if so wanted.

> ________________________________
> 
> From: netfilter-bounces@lists.netfilter.org on behalf of Anssi Hannula
> Sent: Mon 24-Jul-06 13:03
> To: netfilter@lists.netfilter.org
> Subject: Re: Messages in log with SNAT target
> 
> 
> 
> Pascal Hambourg wrote:
> 
>>Hello,
> 
> 
> Hi, and thank you very much for your thorough answer.
> 
> 
>>Anssi Hannula a écrit :
>>
>>
>>>I've been using this kind of configuration on my Linux router for a few
>>>years:
>>>
>>>eth0    80.223.77.223, public internet ip
>>>eth0:0    10.0.0.1, private network ip
>>
>>
>>You know that having both internet and a private LAN on the same
>>interface is a *very* bad idea, don't you ? I suppose you have no other
>>choice.
> 
> 
> Oops, I didn't know :((
> 
> Is the bad part on it having both of them on the same physical network,
> or only the fact that they are on the same interface?
> 
> Then again, this is a wireless network where some hosts have
> public+private IPs and some hosts private IPs, so I guess it would be
> pretty non-practical to have two interfaces on every system which I want
> to have public IP too.
> 
> What is the security risk here, exactly?
> 
> 
>>>IP forwarding enabled.
>>>
>>>And a rule for iptables:
>>>-A POSTROUTING -s 10.0.0.0/255.255.255.0 -d ! 10.0.0.0/255.255.255.0 -j SNAT --to-source 80.223.77.223
>>>
>>>Kernel IP routing table
>>>Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>10.0.0.0        0.0.0.0         255.255.255.0   U     10     0        0 eth0
>>>80.223.64.0     0.0.0.0         255.255.240.0   U     10     0        0 eth0
>>>0.0.0.0         80.223.64.1     0.0.0.0         UG    10     0        0 eth0
>>>
>>>However, I get lots of this kind of messages in the dmesg while routing:
>>>host 10.0.0.4/if2 ignores redirects for 70.35.xxx.xxx to 80.223.64.1.
>>
>>[and so on]
>>
>>Here's what happens. On your router box, all routes use the same
>>interface eth0, so when it receives a packet for another destination
>>than the box itself, it sends an "ICMP Redirect" message to the source
>>IP address meaning "hey, there is a more direct route to destination
>>70.35.x.x using gateway 80.223.64.1 instead of me. Please update your
>>routing table".
>>
>>Happily, the 10.0.0.4 host ignores the "ICMP Redirect" messages. One
>>reason is I think that's a default behaviour of Windows NT. Another
>>reason is that host has probably no direct route to the proposed gateway
>>address. Anyway, if it didn't ignore the "ICMP Redirect", it would
>>probably lose connectivity with internet hosts because of its private
>>address.
>>
>>Note : destination NAT (DNAT) on the same network blocks the sending of
>>"ICMP Redirect" messages by the routing decision, because destination
>>NAT takes place before the routing decision. But source NAT (SNAT,
>>MASQUERADE) doesn't, because it takes place after the routing decision,
>>so it's too late (see Netfilter diagram in
>>http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.txt).
>>
>>You can enable or disable the sending of "ICMP Redirect" messages with
>>the kernel parameter send_redirects.
>>
>>send_redirects - BOOLEAN
>>     Send redirects, if router.
>>     send_redirects for the interface will be enabled if at least one of
>>     conf/{all,interface}/send_redirects is set to TRUE,
>>     it will be disabled otherwise
>>     Default: TRUE
>>
>>To disable sending "ICMP redirect" on eth0 :
>>
>>echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
>>echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
>>
>>or :
>>
>>sysctl -w net/ipv4/conf/all/send_redirects=0
>>sysctl -w net/ipv4/conf/eth0/send_redirects=0
> 
> 
> 
> --
> Anssi Hannula
> 
> 
> 


-- 
Anssi Hannula


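The point Pascal's quoted sysctl documentation makes, that send_redirects on an interface is the OR of conf/all and conf/<iface>, is the reason both echo lines are needed: zeroing only eth0 while conf/all is still 1 changes nothing. The following script is an added example and is not code from the thread or from the netfilter project. It reads the knobs from a PROC_ROOT that defaults to /proc but can be pointed at a scratch directory laid out like /proc/sys/net/ipv4/conf (a hypothetical mirror, so the logic can be exercised without root), applies the two-knob fix, and summarises "ignores redirects" kernel log lines per LAN host so you can see which boxes are being redirected. The log lines used for testing are constructed, modelled on the one quoted in the thread.

```shell
#!/bin/sh
# Added example: effective send_redirects state, the two-knob fix, and a
# per-host summary of "host A/ifN ignores redirects for DST to GW." messages.
# PROC_ROOT is an assumption for testing; on a real router leave it at /proc.

PROC_ROOT="${PROC_ROOT:-/proc}"

# Read conf/<all|ifname>/send_redirects; an unreadable file counts as 0.
read_knob() {   # read_knob <all|ifname>
    f="$PROC_ROOT/sys/net/ipv4/conf/$1/send_redirects"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Effective state for one interface, as documented: enabled (1) if at
# least one of conf/all or conf/<ifname> is 1, disabled (0) otherwise.
send_redirects_effective() {   # send_redirects_effective <ifname>
    if [ "$(read_knob all)" = 1 ] || [ "$(read_knob "$1")" = 1 ]; then
        echo 1
    else
        echo 0
    fi
}

# Clear BOTH knobs (the same two writes as the echo lines in the thread),
# then return success only if the effective state really is 0.
disable_send_redirects() {   # disable_send_redirects <ifname>
    for k in all "$1"; do
        echo 0 > "$PROC_ROOT/sys/net/ipv4/conf/$k/send_redirects"
    done
    [ "$(send_redirects_effective "$1")" = 0 ]
}

# Read dmesg-style lines on stdin and print "<host> <count>" per source
# host named in an "... host A/ifN ignores redirects ..." message.  The
# "host" token is located by name so an optional "[timestamp]" prefix
# does not shift the field positions.
ignored_redirects_by_host() {
    awk '/ignores redirects for/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "host") { split($(i+1), h, "/"); n[h[1]]++; break }
         }
         END { for (k in n) print k, n[k] }' | sort
}

# Interactive use (as root on the router):
#   . ./send_redirects.sh
#   send_redirects_effective eth0      # 1 means the router still redirects
#   disable_send_redirects eth0 && echo fixed
#   dmesg | ignored_redirects_by_host  # which LAN hosts are being redirected
```

Note that this only silences the ICMP Redirect messages; it does not change the routing decision that triggers them, which remains the same-interface setup the rest of the thread discusses.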


Thread overview: 19+ messages
2006-07-24  9:17 Messages in log with SNAT target Anssi Hannula
2006-07-24 10:15 ` Sietse van Zanen
2006-07-24 10:24 ` Pascal Hambourg
2006-07-24 10:49   ` Sietse van Zanen
2006-07-25 13:21     ` Pascal Hambourg
2006-07-25 13:37       ` Sietse van Zanen
2006-07-24 11:03   ` Anssi Hannula
2006-07-24 11:33     ` Sietse van Zanen
2006-07-24 12:01       ` Anssi Hannula [this message]
2006-07-24 12:39         ` Sietse van Zanen
2006-07-24 12:55           ` Anssi Hannula
2006-07-26  0:40         ` R. DuFresne
2006-07-26  8:16           ` Anssi Hannula
2006-07-26  9:17             ` Sietse van Zanen
2006-07-26 11:21               ` Anssi Hannula
2006-07-26 11:22                 ` Sietse van Zanen
2006-07-26 11:54                   ` Anssi Hannula
2006-07-27 19:09                     ` R. DuFresne
2006-07-27 19:46                       ` Anssi Hannula
