Simple symmetric NAT Setup using IPTABLES

To: debian-security@lists.debian.org
Subject: Simple symmetric NAT Setup using IPTABLES
From: "Asif" <asif.fayyaz@gmail.com>
Date: 23 Jan 2006 05:21:24 -0800
Message-id: <[🔎] 1138022484.277233.153530@z14g2000cwz.googlegroups.com>

Hello every one. I am having problem in setting up symmetric NAT using
IPTABLES

Actually I am working on SIP application. SIP has the problem on NATes
networks. STUN is one of the solutions. I have embedded STUN client
functionality inside SIP application. Now i have to test the
application. There are four scenerios of NATed network:

   The following chart shows combinations of NATs at each endpoint with
   the current NAT type definitions in STUN. The combinations are
   classified into 4 groups: Class I, II, III and IV.

          +----------+-----+-----+-----+-----+-----+
          |\     EP-R|     |     |     |     |     |
          | -------- |Open |  F  |  P  | PR  | SYM |
          |EP-S     \|     |     |     |     |     |
          |----------+-----+-----+-----+-----+-----+
          | Open     |     |                 |     |
          |----------+     |                 |     |
          | F        |     |                 |(III)|
          |----------+( I )|     ( II )      |     |
          | P        |     |                 |     |
          |----------+     |                 +-----+
          | PR       |     |                 |     |
          |----------+     |           +-----+     |
          | SYM      |     |           |      (IV) |
          +----------+-----------------+-----------+
          Note:
           EP-S: Sending endpoint.
           EP-R: Receiving endpoint.
            (In full-duplex, both EP-a and EP-b in Figure 3.1
             will have both EP-S and EP-R)
           Open: Open to public network (no NAT)
           F   : Full-cone NAT
           R   : Restricted-cone NAT
           PR  : Port restricted-cone NAT

For setting up a test environment, I decided to setup as below:



 192.168.0.2
+----------+
| ClientA  |
+----------+
|
|
|      eth1     eth0
| 192.168.0.1 | 172.25.25.41
+-------------|-------------+
|           NAT1            |
+-------------|-------------+
                            |
                            |
                            |
        172.25.25.42        |
+---------------------------+
|Proxy\Registrar,STUN Server|
+---------------------------+
                            |
                            |
      eth1        eth0      |
   10.0.0.1   |172.25.25.43 |
+-------------|-------------+
|           NAT2            |
+-------------|-------------+
|
|
|
| 10.0.0.2
+----------+
| ClientB  |
+----------+



 172.25.25.X ---- LAN (External Network for client A and B)
 192.168.0.X ---- Private Network 1 (Internal Network for Client A)
 10.0.0.X    ---- Private Network 2 (Internal Network for Client B)

 ClientA and ClientB are sip clients with STUN functionality embedded.

 NAT1 and NAT2 are internal LAN NAT. I mean for testing purpose, i have
used two machines with two network cards.


below is the configuration of NAT1 using iptables. Also I am
configuring it for UDP protocol as SIP application is using UDP for
both signaling and media streaming.

> iptables -A PREROUTING -t nat -d 172.25.25.41 -i eth0 -j DNAT --to 192.168.0.2
  This tells NAT1 to change the destination of the packet recieved on
eth0 to clientA address whenever the destination is eth0 (172.25.25.41)

> iptables -A FORWARD -d 192.168.0.2 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  For forwarding the packets from eth1 and to remember its state

> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41:7070-7074
  to change the source address of the packet to a pool of address
before routing to eth0. My intention was to make it symmetric.

> echo "1" > /proc/sys/net/ipv4/ip_forward
  to set the ip_forward table ON



  The above commands  I used for making NAT1 symmetric, For making it
port restricted, I change the POSTROUTING command above and make it
like this:
> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41:8080
  Here NAT1 will change the source address of ClientA packets to same
address for routing. I am using it for testing purpose so it will work
as long as only one client exists in Private Network 1.


  For making NAT1 restricted, I change the above POSTROUTING command
and make it like this:
> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41


  For making it FULL CONE NAT, i have to think about it.


  So what I want is a test environment for my SIP application. I can't
use application Gateway, as only NAT will work here because after
testing here, i will try to test it on some real environment. I wants
IPTABLE commands that can do the above task. Please suggest some thing
if you have some better option in your mind. Like If there is some
application that can setup NAT as mentioned above or if I can test my
application on some public STUN and proxy servers on the Internet.
ALso, if you think this can be performed by some utility on some
different OS like Windows, pleass suggest me.
  
  
  regards,
  
  Asif

Reply to:

Prev by Date: Re: Security implications of allowing init to re-exec from another path
Next by Date: Re: Strange Apache log and mambo security - sexy executable
Previous by thread: Re: [SECURITY] [DSA 946-1] New sudo packages fix privilege escalation
Next by thread: Security scanner
Index(es):
- Date
- Thread