
Re: Iptable NAT problem - DONE!



http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-linux/2002-01/0094.html

I guess I could be wrong as this doc describes the alias is only used for
arp replies.  It (the alias) also automatically puts incoming pkts onto the
INPUT table.

Without the alias these pkts WOULD get routed, most probably out the
default route or sent to the local MAC address.  This behaviour can be
achieved with a user-level ARP tool; I use farpd.  This may be more secure
as you would need to explicitly DNAT these pkts or they would, after
looping several (30 or less) times, have TTL time-outs.

--- Listen <list.nospam@std-software.de> wrote:

> 
> > your "iptables -i eth0:1 -j DNAT" cmds will work nicely, without any
> > SNATS
> 
> "eth0:1" vs. "eth0"
> 
> I thought that iptables is bound to the origin interface and does not
> support virtual interfaces, did I miss a state change?
> 
> Markus
> 

iptables man page says...

    If the interface name ends in a "+", then any interface which begins
    with this name will match.

However it never says when/why it is to be used.  I always just assumed
that eth0+ would match for eth0 and eth0:1.

In any event, programs like netcat (nc) and nmap should ALWAYS be used to
ensure correct operation of your FW.  This means that having a shell
outside of your network to be used to try and hack in is a good idea.

Please mail the results of any tests to the list.  These configs are not
documented and there is not enough known (written) about the internal
workings to even guess.  My intent would be to add this to the wiki once
there is definite proof.
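As an added illustration (not part of the thread), a small shell script that models the "+" wildcard rule quoted from the man page and prints DNAT rules that match the aliased address with -d instead of naming the alias as an interface. It relies on the kernel fact that an ifconfig alias label such as eth0:1 is an extra address on eth0, not a separate net device; 203.94.71.36 is the alias from the thread and 192.168.1.10 is a constructed internal host.

```shell
#!/bin/sh
# Added example, not from the thread: models the "+" wildcard rule quoted
# from the iptables man page and prints DNAT rules that match the aliased
# address with -d rather than naming the alias as an interface. An ifconfig
# alias label like eth0:1 is an extra address on eth0, not a net device, so
# "-i eth0:1" has nothing to match; "-i eth0" plus "-d <alias IP>" does.

# iface_matches PATTERN NAME: true (0) if an iptables -i/-o PATTERN would
# match device NAME. A trailing "+" means "any name beginning with this".
iface_matches() {
    pat=$1
    name=$2
    case "$pat" in
        *+)
            prefix=${pat%+}
            case "$name" in
                "$prefix"*) return 0 ;;
                *) return 1 ;;
            esac
            ;;
        *)
            [ "$pat" = "$name" ]
            ;;
    esac
}

# dnat_rule EXT_IF PUBLIC_IP INTERNAL_IP [PROTO [DPORT]]: print, do not run,
# a PREROUTING rule forwarding traffic for the aliased public address.
dnat_rule() {
    ext_if=$1; pub_ip=$2; int_ip=$3
    proto=${4:-tcp}; dport=$5
    rule="iptables -t nat -A PREROUTING -i $ext_if -d $pub_ip -p $proto"
    if [ -n "$dport" ]; then
        rule="$rule --dport $dport"
    fi
    echo "$rule -j DNAT --to-destination $int_ip"
}

# Demo: 203.94.71.36 is the alias address from the thread; 192.168.1.10 is
# a constructed internal host.
for dev in eth0 eth0:1 eth01 eth1 ppp0; do
    if iface_matches "eth0+" "$dev"; then
        echo "eth0+ matches $dev"
    else
        echo "eth0+ does not match $dev"
    fi
done
dnat_rule eth0 203.94.71.36 192.168.1.10 tcp 80
```

The printed rule is the one to try from outside with nc or nmap, as the post above recommends, before trusting it.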

--- Pradeeper <pradeeper@unionb.com> wrote:

> Hi Mike
> 
> On Wed, 2004-08-11 at 00:10, Mike Mestnik wrote:
> > You need to "ifconfig eth0:1 up 203.94.71.36", this will cause arp
> > replies to be sent and the IP(protocol) stack to accept data for that
> > IP.  Then your "iptables -i eth0:1 -j DNAT" cmds will work nicely,
> > without any SNATS as it's assumed that replies will need to come from
> > 203.94.71.36.
> 
> It worked! Thanks!
> 
> Is there a security issue with this method?
> My senior partner says it's not a good method to do this (but he has run
> out of ideas ;-)). Is it true?
> Do you have any documentation regarding this (security issue of this
> method)?
> 
> Thanks!
> 
> Pradeeper
> 
> 
