RE: [Leaf-user] internal NAT question
2.4 iptables is a tool for manipulating netfilter, including NAT and port forwarding. Forwarding does NOT bypass netfilter; it's an integral part of it.

My problem is that an ipsec packet is handed to ipsec by the input chain, which puts it back on the output chain, with no forwarding. Therefore I use NAT to get the internal server to send the response back to the VPN router, which is not the default gateway.

After much thought, I have concluded that this poses no risk.

Thanx to all.

Tony [EMAIL PROTECTED] on 04/27/2002 02:49:55 PM
To: Steve Fink [EMAIL PROTECTED], LEAF-List [EMAIL PROTECTED]
cc: (bcc: Phillip Watts/austin/Nlynx)
Subject: RE: [Leaf-user] internal NAT question

Oh good grief, don't apologize! I didn't take offense.

I didn't realize that ipmasqadm portfw bypassed ipchains. Actually, I am glad I know that now, since I was thinking of using port forwarding for a couple of servers; I will think twice now.

Thanks,
Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Fink
Sent: Saturday, April 27, 2002 12:46 PM
To: Tony; LEAF-List
Subject: RE: [Leaf-user] internal NAT question

Group,

Sorry for the unintentional curtness of this post; I'm a bit decaffeinated.

Humbly,
Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Fink
Sent: Saturday, April 27, 2002 10:22 AM
To: Tony; LEAF-List
Subject: RE: [Leaf-user] internal NAT question

Tony,

The use of ipmasqadm portfw allows the packets to pass untouched by ipchains.

Steve

-----Original Message-----
From: Tony [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 26, 2002 5:09 PM
To: Steve Fink; LEAF-List
Subject: RE: [Leaf-user] internal NAT question

Would not the ipchains/iptables rules be applied? Could you not say forward only traffic from external_ip/32 to internal_server/32 port 3389, or whatever, and essentially say, yeah, this port is open but only for this one client on the internet? All others would be rejected/denied.

Or am I mistaken, and port forwarding bypasses all rules?

Thanks,
Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Fink
Sent: Friday, April 26, 2002 3:55 PM
To: LEAF-List
Subject: RE: [Leaf-user] internal NAT question

Phillip,

The security implications are the same as having that port on that machine exposed directly to the internet.

Example: port forwarding port 3389 (Terminal Server) from the firewall to port 3389 on an NT/2000 system behind the firewall. Terminal Server is totally exposed; it's like taking a pipe and tunneling all communications on port 3389 to the NT/2000 system. So if there is a vulnerability in Terminal Server (which there is), then Terminal Server is susceptible to this vulnerability, despite the fact that you have the firewall in place.

During a scan of your firewall (with port forwarding enabled on port 3389) you would see that port 3389 was open and accepting connections. So you would know that there was a Terminal Server connection there, but the TCP/IP signature and timing would look like a Linux box. Opening a Terminal Server connection to the box would bring up a Terminal Server login screen to a potential intruder. Then he/she could attempt to gain access using any other information that could be gleaned from the scan, and possibly guess usernames/passwords etc., or use a known Terminal Server vulnerability to gain access.

So in short, port forwarding is creating a tunnel from your firewall into the internal system. Any traffic directed at your firewall on that port will be transferred directly to the internal system.

Hope this helps,
Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 26, 2002 9:12 AM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] internal NAT question

I have situations in which my vpn router is a peer to a proxy server. The proxy server is the default gateway for the servers behind it. Therefore I use NAT on the internal interface to force traffic to the servers back through the router. This is approximately the same thing as port forwarding. Does anyone know of any security implications in this?

Thanx.

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] internal NAT question
Tony:

Heya. Sorry for chiming in late, I had a busy weekend. :)

I believe the information about ipmasqadm bypassing ipchains is incorrect. I've always known it to be described as:

http://www.tldp.org/HOWTO/IPCHAINS-HOWTO-4.html

Some nice ascii art there. Quoting from the first paragraph:

---
4.1 How Packets Traverse The Filters

The kernel starts with three lists of rules; these lists are called firewall chains or just chains. The three chains are called input, output and forward. When a packet comes in (say, through the Ethernet card) the kernel uses the input chain to decide its fate. If it survives that step, then the kernel decides where to send the packet next (this is called routing). If it is destined for another machine, it consults the forward chain. Finally, just before a packet is to go out, the kernel consults the output chain.
---

This is why every port-forward rule in the firewall setup scripts (like echowall, seawall, others) comes in pairs: one to put an ACCEPT in the input chain, and one to put a PORTFW into the forward chain using ipmasqadm. If your input chain is DENY'ing all packets, the portfw rules are never even consulted.

A different question I've heard asked before is: can my ipchains firewall be attacked on an open port that I have being port-forwarded to an internal machine? To that, I've heard the answer is yes, as the packet is processed by the kernel before it is forwarded along.

cheers,
Scott

> I didn't realize that ipmasqadm portfw bypassed ipchains. Actually, I am glad I know that now, since I was thinking of using port forwarding for a couple of servers; I will think twice now.
>
> Thanks,
> Tony
>
> [snip]
>
> > The use of ipmasqadm portfw allows the packets to pass untouched by ipchains.
>
> [old stuff deleted]

___
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
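The packet path Scott quotes from the IPCHAINS-HOWTO, together with the single-client restriction Tony asks about, as an added toy model (constructed here, not code from the LEAF project or from anyone on the list): it walks a packet through the input chain, the ipmasqadm portfw table and the forward chain, showing that a DENY-all input chain never reaches the portfw entry, that narrowing the input ACCEPT to external_ip/32 lets only that client reach the forwarded Terminal Server port, and that a port with no portfw entry lands on the firewall's own stack. All addresses are assumptions.

```python
# Toy model of the ipchains packet path quoted from the IPCHAINS-HOWTO:
# input chain -> ipmasqadm portfw table -> routing -> forward chain.
# Everything here is constructed for illustration; it is not LEAF code.
from dataclasses import dataclass
from typing import Optional
import ipaddress

FIREWALL_IP = "203.0.113.1"       # assumed: firewall's external address
INTERNAL_SERVER = "192.168.1.10"  # assumed: NT/2000 box running Terminal Server
TRUSTED_CLIENT = "198.51.100.7"   # assumed: the one client Tony wants to allow


@dataclass
class Rule:
    target: str                   # "ACCEPT" or "DENY"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any port


def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def walk(chain, policy: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; otherwise the chain's default policy."""
    for rule in chain:
        if matches(rule, src, dst, dport):
            return rule.target
    return policy


def deliver(src, dst, dport, input_chain, forward_chain, portfw, policy="DENY"):
    """Return 'DENIED', 'LOCAL' (the firewall's own stack) or
    'FORWARDED:<host>' (handed to the internal server)."""
    if walk(input_chain, policy, src, dst, dport) == "DENY":
        return "DENIED"           # the portfw table is never consulted
    new_dst = portfw.get((dst, dport))
    if new_dst is None:
        return "LOCAL"            # no port-forward entry: routed to the firewall itself
    if walk(forward_chain, policy, src, new_dst, dport) == "DENY":
        return "DENIED"
    return f"FORWARDED:{new_dst}"


# Equivalent of: ipmasqadm portfw -a -P tcp -L <firewall> 3389 -R <server> 3389
PORTFW = {(FIREWALL_IP, 3389): INTERNAL_SERVER}

# The rule pair Scott describes, with the input ACCEPT narrowed to
# external_ip/32 -> firewall/32 port 3389 as Tony proposes.
INPUT_RESTRICTED = [Rule("ACCEPT", f"{TRUSTED_CLIENT}/32", f"{FIREWALL_IP}/32", 3389)]
FORWARD = [Rule("ACCEPT", dst=f"{INTERNAL_SERVER}/32", dport=3389)]
```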