[ale] iptables dnat

James P. Kinney III jkinney at localnetsolutions.com
Fri Feb 23 22:16:56 EST 2007


WAN side has 1 physical port with multiple interface addresses. Lan side
has 1 port with multiple physical addresses.

Since MailScanner pukes on numerical IP address I will use letters
instead.

Wan address: a.b.c.d   a.b.c.e   a.b.c.f
a.b.c.d is generic interface used as Lan outgoing address. a.b.c.e is
web server address. a.b.c.f is specialty app server address.

DMZ has x.y.x.e and x.y.z.f  .e is web server and .f is app server.

Lan is m.n.o.0/24

iptables has a dnat rule of:

-A PREROUTING -t nat -d a.b.c.e -j DNAT --to-destination x.y.x.e
-A POSTROUTING -t nat -s x.y.z.e -d ! m.n.o.0/24 -j SNAT --to-source a.b.c.e

and a similar pair for the app server.

There is a filter table that drops everything but the appropriate port
and ssh for each dmz box.

So an ssh packet arrives for the web server a.b.c.e and is dnat'ed to be
delivered to x.y.x.e. At the web server the origination IP appears to be the
DMZ-facing interface on the firewall, NOT the real source of the script-kiddie
ssh brute-force password login attempt.

So all of the blocking tools forbid access from any source outside the
firewall, since it looks like the dnat is also applying an snat to the
incoming packet as well.

On Fri, 2007-02-23 at 18:26 -0500, Jerry Yu wrote:
> James, could you clarify 'a system changing DNAT packets' in terms of
>       * how it relates to the Internet (1.1.1.1), the iptables fw box
>         (10.10.10.10) and DNAT destination (192.168.0.10)?
>       * what's its function?  Load balancer or alike could do SNAT.
>         For instance, F5 Big-IP has SNAT automap. However, in that
>         case, the DNAT packets show up as if from the load balancer.
> 
> 
> On 2/23/07, Jim Popovitch <jimpop at yahoo.com> wrote:
>         On Fri, 2007-02-23 at 16:53 -0500, James P. Kinney III wrote:
>         > Does iptables dnat change the originating IP address? Is it
>         > supposed to?
>         >
>         > Packet from 1.1.1.1 hits iptables destined to 10.10.10.10. That
>         > external address is dnat'ed to 192.168.0.10 and then the packet
>         > is sent to the final address.
>         >
>         > I have a system that seems to be changing the source IP of dnat
>         > packets so that all connections appear to come from the iptables
>         > machine and not the outside.
>         
>         That doesn't sound like it's setup right.  What are the
>         iptables rules you are using?
>         
>         -Jim P.
>         
>         _______________________________________________
>         Ale mailing list
>         Ale at ale.org
>         http://www.ale.org/mailman/listinfo/ale
>         
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
-- 
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC        
770-493-8244                    
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
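Added example, not part of the thread: a small first-match evaluator for the nat/POSTROUTING chain, so the whole table can be checked for the SNAT or MASQUERADE rule that a DNAT'ed inbound packet would hit on its way to the DMZ host. The addresses and interface names (203.0.113.5 for a.b.c.e, 192.0.2.5 for x.y.z.e, 192.168.10.0/24 for m.n.o.0/24, eth2 as the DMZ interface) are constructed stand-ins, and the catch-all MASQUERADE rule is an assumed example of the kind of rule that would produce the symptom, not a rule from the original post.

```python
import ipaddress

NET_OPTS = {"-s": "src", "--source": "src", "-d": "dst", "--destination": "dst"}

def parse_rule(line):
    """Turn one '-A POSTROUTING ...' line into {src, dst, out, target}; each
    match is (value, negated). Accepts both '! -d net' and the old '-d ! net'."""
    toks, i = line.split(), 0
    rule = {"raw": line, "src": None, "dst": None, "out": None, "target": None}
    while i < len(toks):
        neg, opt = toks[i] == "!", toks[i]
        if neg:
            i += 1
            opt = toks[i]
        if opt in NET_OPTS or opt in ("-o", "--out-interface"):
            val = toks[i + 1]
            if val == "!":                      # legacy negation placement
                neg, val, i = True, toks[i + 2], i + 1
            key = NET_OPTS.get(opt, "out")
            rule[key] = (ipaddress.ip_network(val, strict=False) if key != "out" else val, neg)
            i += 2
        elif opt in ("-j", "--jump"):
            rule["target"], i = toks[i + 1], i + 2
        else:
            i += 1                              # -A, -t, --to-source value, etc.
    return rule

def _matches(field, value):
    if field is None:
        return True
    want, neg = field
    is_net = isinstance(want, (ipaddress.IPv4Network, ipaddress.IPv6Network))
    return (value in want if is_net else value == want) != neg

def first_source_rewrite(rules, src, dst, out_if):
    """First SNAT/MASQUERADE rule the packet hits (iptables is first-match), or None.
    dst is the post-DNAT destination, since PREROUTING runs before POSTROUTING."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in (parse_rule(l) for l in rules if l.startswith("-A POSTROUTING")):
        if r["target"] in ("SNAT", "MASQUERADE") and all(
                _matches(r[k], v) for k, v in (("src", src), ("dst", dst), ("out", out_if))):
            return r["raw"]
    return None

# Constructed stand-ins for the thread's pair of rules (WAN a.b.c.e, DMZ x.y.z.e, LAN m.n.o.0/24).
POSTED = [
    "-A PREROUTING -d 203.0.113.5 -j DNAT --to-destination 192.0.2.5",
    "-A POSTROUTING -s 192.0.2.5 -d ! 192.168.10.0/24 -j SNAT --to-source 203.0.113.5",
]
# Assumed extra rule: a catch-all masquerade on the DMZ-facing interface rewrites
# every inbound DNAT'ed connection to the firewall's DMZ address, i.e. the symptom.
SUSPECT = POSTED + ["-A POSTROUTING -o eth2 -j MASQUERADE"]

def inbound_ssh_rewrite(rules):
    """Rule hit by an inbound SSH packet 198.51.100.7 -> (DNAT) 192.0.2.5 leaving on eth2."""
    return first_source_rewrite(rules, "198.51.100.7", "192.0.2.5", "eth2")
```

Run it against `iptables-save -t nat` output from the real box; the posted SNAT pair alone never matches inbound traffic, so whichever POSTROUTING rule this reports is the one scoped too widely (restricting it with `-s` for the LAN and `-o` for the WAN interface is the usual fix).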