Friday, July 1, 2011

NAT Masquerade using iptables for PPP Connection Sharing

Hey, guys ever felt need to perform NAT at your Linux box to share the Internet connection, I got an solution for ya. Simple iptables mangling awesomeness. Lets say you got Internet connection at /dev/ppp0 interface of Linux box with LAN interface as /dev/eth0 & you want to make all boxes inside LAN to share this Internet connection then we need to do NAT with Masquerading which is required for the Dynamic Internet Connection Links like ppp0. NAT in iptables can be done with help of SNAT or with MASQUERADE.

Terms involved :
  1. SNAT (Source NAT) -   Use this option to change the source IP address if you have Static IP address Internet Connectivity.
  2. MASQUERADE - This is special case of SNAT used in case of Dynamic Public IP addresses such as DSL links. The IP address present at the Out interface is used as Source address, no need to specify explicitly. This is generally useful for ppp interface for ex. ppp0
  3. POSTROUTING - Here we have used the POSTROUTING chain in the NAT table. This chain basically changes the Source address of the packets before going out from the Interface specified. Hence till the POSTROUTING chain the original packet originated from Internal LAN host can be seen as it is, i.e. chains prior to POSTROUTING can see original packet with original header. Due to this, the request from Internal LAN hosts seems to be coming from Linux box. So the Internet host will see all the request from Linux  box only. The Routing decision is made on the basis of original packet with actual internal host header and then it is forwarded to POSTROUTING chain.
NMAP scan on MASQUERADED ppp0 interface :
This reports the open ports of Internal hosts as the "filtered" ports in scan results. The ports of the Linux dialer box are in "open" state. This is because the PORT on the internal host does not respond with TCP RST. If any application is not running on that port then it will reply urgently with TCP RST signal.Now if this RST reply is not reciprocated by Target then it implies that the Port is behind MASQUERADE or Linux firewall.So basically if "RST" packet is received then there is no application on that port and if No response is present then the ports are behind some sort of Firewall or NAT device.
But in this way, attacker can find out the ports present and their respective applications. The "filtered" ports might be an indication as no SYN-ACK or RST is received. so the filtered status on 22 port might reveal that there is a Linux box with SSH server running on the internal LAN segment behind NAT. To prevent this from happening we can make a provision in iptables to send RST packets explicitly in REJECT policy. NMAP will conclude these ports as Unused as RST is received. This is a neat way to conceal the identity of the Internal LAN segment.

Iptables Masquerade script:

#Enable Kernel Packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#Flush old IP tables
iptables -F
iptables -t nat -F
iptables -t mangle -F

#Rule for IP Masquerading
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

echo "Rule added"

No comments:

Post a Comment