[ale] potential iptables bug [was Re: sanity check]
James P. Kinney III
jkinney at localnetsolutions.com
Mon Dec 3 21:56:30 EST 2007
On Mon, 2007-12-03 at 19:13 -0500, Daniel Kahn Gillmor wrote:
> On Mon 2007-12-03 17:30:13 -0500, James P. Kinney III wrote:
>
> > So the bug appears to be in the DNAT mapping that is supposed to only
> > change the destination IP but appears to also change the source IP.
> >
> > This failure occurs for ssh and mail and http. All internal machines
> > report all incoming traffic as originating from the firewall and not
> > from the real source.
>
> can you show the output of:
>
> iptables -vnL
>
> iptables -t nat -vnL
>
> on the firewall? (if you feel the need to anonymize IP addresses,
> that's fine, but please keep them distinct from one another --
> i.e. don't rewrite 1.2.3.4 as X.X.X.X if you've already written
> 5.6.7.8 as X.X.X.X)
All machines are affected. This is the NAT table. The 10.0.0.195 is the
external and the 192.168.1.13 is the internal of the ssh machine
referred to originally. Again, this affects ALL machines that have a
pass through from the firewall.
BTW: the default policy is to reject with icmp-host-prohibited on all
chains (I think I can quote from Bob's second edition now :) and only
the machine functions are open at all.
$ iptables -vnL -t nat
Chain OUTPUT (policy ACCEPT 26 packets, 1584 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 84 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth0    192.168.1.13         0.0.0.0/0           to:10.0.0.195
   26  1548 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:10.0.0.194

Chain PREROUTING (policy ACCEPT 66 packets, 19913 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.196          tcp dpt:22 to:192.168.1.13
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.196          tcp dpt:80 to:192.168.1.13:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.196          tcp dpt:443 to:192.168.1.13
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.195          tcp dpt:443 to:192.168.1.13
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.195          tcp dpt:80 to:192.168.1.13
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.195          tcp dpt:22 to:192.168.1.13
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.197          tcp dpt:80 to:192.168.1.3
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.194          tcp dpt:80 to:192.168.1.3
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.197          tcp dpt:25 to:192.168.1.3
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.194          tcp dpt:25 to:192.168.1.3
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.197          tcp dpt:143 to:192.168.1.3
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.194          tcp dpt:143 to:192.168.1.3
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.197          tcp dpt:8080 to:192.168.1.3
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.194          tcp dpt:8080 to:192.168.1.3
    0     0 DNAT       all  --  *      *       0.0.0.0/0            10.0.0.195          state RELATED,ESTABLISHED to:192.168.1.13
> thanks,
>
> --dkg
--
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions,LLC
770-493-8244
http://www.localnetsolutions.com
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
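Added example, not part of the thread: a small Python check that parses an `iptables -vnL -t nat` listing and flags POSTROUTING SNAT/MASQUERADE rules whose source is 0.0.0.0/0. Such a rule rewrites the source of every packet leaving its out-interface, DNAT-forwarded flows included, which is exactly the symptom described above (internal hosts logging the firewall instead of the real client). The sample listing is constructed from a few rules in this message; the suggested fix of matching only the internal source range is general iptables practice, not something the thread states.

```python
import re

# Constructed sample: a few rules from the nat table in this message, laid out as `iptables -vnL -t nat` prints them.
SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 1 packets, 84 bytes)
 pkts bytes target prot opt in out source destination
    0     0 SNAT   all  --  *  eth0 192.168.1.13  0.0.0.0/0  to:10.0.0.195
   26  1548 SNAT   all  --  *  eth0 0.0.0.0/0     0.0.0.0/0  to:10.0.0.194
Chain PREROUTING (policy ACCEPT 66 packets, 19913 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT   tcp  --  *  *    0.0.0.0/0  10.0.0.195  tcp dpt:22 to:192.168.1.13
    0     0 DNAT   tcp  --  *  *    0.0.0.0/0  10.0.0.194  tcp dpt:25 to:192.168.1.3
"""

# Columns: pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nat_table(text):
    """Parse `iptables -vnL -t nat` output into one dict per rule, tagged with its chain."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if m and chain:  # header rows and blank lines do not match
            pkts, _, target, prot, _, iin, out, src, dst, extra = m.groups()
            rules.append({"chain": chain, "pkts": int(pkts), "target": target, "prot": prot,
                          "in": iin, "out": out, "src": src, "dst": dst, "extra": extra})
    return rules

def catch_all_snat(rules):
    """POSTROUTING SNAT/MASQUERADE rules with source 0.0.0.0/0: they rewrite every flow leaving their out-interface."""
    return [r for r in rules if r["chain"] == "POSTROUTING"
            and r["target"] in ("SNAT", "MASQUERADE") and r["src"] == "0.0.0.0/0"]

def forwarded_hosts(rules):
    """Internal hosts that DNAT port-forwards deliver to; these lose the client IP if a catch-all SNAT rewrites them."""
    return sorted({m.group(1) for r in rules if r["chain"] == "PREROUTING"
                   and r["target"] == "DNAT"
                   for m in [re.search(r"to:(\d+\.\d+\.\d+\.\d+)", r["extra"])] if m})

def findings(text):
    """Warnings for catch-all SNAT rules. Only a flow's first packet traverses the nat table, so pkts counts connections."""
    rules = parse_nat_table(text)
    return [f"{r['target']} -o {r['out']} -s 0.0.0.0/0 ({r['pkts']} connections) rewrites "
            f"every flow leaving {r['out']} to source {r['extra'].replace('to:', '') or r['out']}; "
            f"{', '.join(forwarded_hosts(rules))} would log that address, not the client. "
            f"Restrict the rule with -s <internal range>."
            for r in catch_all_snat(rules)]
```

Run it against the real listing with `findings(open("nat.txt").read())` after saving `iptables -vnL -t nat` output to a file.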