iptables – security aspects of IPv4 forwarding and 1:1 NAT configuration

I have a Raspbian box that I use for a site-to-site VPN tunnel. It gets Internet access via an LTE modem and PPPD, and the VPN is over OpenVPN.

I have not made any changes to iptables except to add a 1:1 NAT over the tun0 interface. I also enabled IPv4 forwarding (net.ipv4.ip_forward).

My question is: apart from access via the VPN tunnel, is there any potential for users to access systems on the network via the LTE adapter?

iptables – Disabling source NAT for Calico

The default settings that kubeadm + Calico use are to NAT all inbound connections that are not from a pod IP.

I've published the service network on my external LAN, and I want the service pods to see the actual client IPs rather than translated IPs.

In particular, it adds

-A KUBE-SERVICES ! -s 172.16.0.0/16 -d 172.20.160.251/32 -p tcp -m comment --comment "telemetry/pipeline-cdn:http cluster IP" -m tcp --dport 5000 -j KUBE-MARK-MASQ

to iptables.

Although this is not an immediate problem, it poses a risk of temporary port exhaustion and makes it generally difficult to track connections and log the clients accessing my web services.
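An added example, not part of the question above, that audits `iptables-save -t nat` output for exactly the kind of rule quoted: KUBE-SERVICES entries that jump to KUBE-MARK-MASQ for sources outside the pod CIDR. Only the first sample rule is the one from the question; the other rules (the kube-dns one included) are constructed for contrast.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables-save -t nat` output. The first rule is the
# one quoted in the question; the remaining rules are made up for contrast.
SAMPLE_RULES = """\
-A KUBE-SERVICES ! -s 172.16.0.0/16 -d 172.20.160.251/32 -p tcp -m comment --comment "telemetry/pipeline-cdn:http cluster IP" -m tcp --dport 5000 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 172.20.160.251/32 -p tcp -m comment --comment "telemetry/pipeline-cdn:http cluster IP" -m tcp --dport 5000 -j KUBE-SVC-ABCDEF0123456789
-A KUBE-SERVICES ! -s 172.16.0.0/16 -d 172.20.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
"""

# A rule describes "masquerade everything that is not from a pod" only when it
# (a) sits in KUBE-SERVICES, (b) negates a source CIDR and (c) jumps to KUBE-MARK-MASQ.
MASQ_RULE = re.compile(
    r'^-A KUBE-SERVICES\s+!\s+-s\s+(?P<pod_cidr>\S+)\s+-d\s+(?P<cluster_ip>[\d.]+)/32'
    r'\s+-p\s+(?P<proto>tcp|udp)\s+.*?--comment\s+"(?P<comment>[^"]*)"'
    r'.*?--dport\s+(?P<port>\d+)\s+-j\s+KUBE-MARK-MASQ\s*$'
)


def find_masq_rules(iptables_save: str) -> List[Dict[str, str]]:
    """Return one record per service whose non-pod client traffic is marked for SNAT."""
    found = []
    for line in iptables_save.splitlines():
        m = MASQ_RULE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # kube-proxy writes the comment as "<namespace>/<service>:<port-name> cluster IP".
        rec["service"] = rec["comment"].split(" cluster IP")[0]
        found.append(rec)
    return found


def report(iptables_save: str) -> List[str]:
    """Human-readable lines: which clients will show up with a node IP instead of their own."""
    return [
        f"{r['service']}: clients outside {r['pod_cidr']} reaching "
        f"{r['cluster_ip']}:{r['port']}/{r['proto']} are SNATed (real client IP lost)"
        for r in find_masq_rules(iptables_save)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_RULES):
        print(line)
```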

Linux – Using IPTables with Passive FTP behind NAT

BACKGROUND:

Similar questions have already been asked, but I cannot find additional information or a situation like mine. I have a Linux SBC with two network connections. One of them is an Ethernet-to-USB connection to an industrial image-processing system. For the factory software to work over the external network, I set up iptables to NAT the ports the software needs. However, I have problems with the FTP part of this connection. With ip_nat_ftp and ip_conntrack I was able to get active FTP working, but not passive FTP (depends on the LIST command).

PROBLEM:

I think the problem is the PASV response, which returns the camera's local IP address rather than the external one that the software needs. I think the usual solution is to configure the FTP server to respond with the external address, but I cannot make any changes to the commercial device. Is there a way to get iptables to "see" this string and rewrite it with the correct IP address? I thought ip_nat_ftp parsed the command strings and would be able to.

Many thanks
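As an added illustration, not code from the question or from the kernel, of what the FTP NAT helper mentioned above has to do with a PASV reply: decode the 227 line, substitute the external address for the internal one under a 1:1 mapping, and record the data connection the helper would then expect and DNAT back. All addresses and the reply text are constructed.

```python
import re
from typing import NamedTuple, Optional, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -- RFC 959 passive reply
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class DataEndpoint(NamedTuple):
    host: str
    port: int


def parse_pasv(reply: str) -> Optional[DataEndpoint]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple of a 227 reply; None if malformed."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # each field is one octet; reject out-of-range values
    return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def format_pasv(ep: DataEndpoint) -> str:
    """Re-encode an endpoint as the server would announce it."""
    return (f"227 Entering Passive Mode ({ep.host.replace('.', ',')},"
            f"{ep.port // 256},{ep.port % 256}).")


def rewrite_pasv(reply: str, internal_ip: str, external_ip: str
                 ) -> Tuple[str, Optional[Tuple[DataEndpoint, DataEndpoint]]]:
    """Mimic the NAT helper for a static 1:1 mapping internal_ip <-> external_ip.

    If the server advertised its internal address, swap in the external one and
    return the expectation (public endpoint -> internal endpoint) that the helper
    registers so the client's incoming data connection is translated back.
    Replies that are not PASV, or that already carry a routable address, are
    passed through unchanged with no expectation.
    """
    ep = parse_pasv(reply)
    if ep is None or ep.host != internal_ip:
        return reply, None
    public = DataEndpoint(external_ip, ep.port)
    return format_pasv(public), (public, ep)


if __name__ == "__main__":
    # Constructed: camera at 192.168.10.5 behind a 1:1 NAT to 10.0.0.20
    new, exp = rewrite_pasv("227 Entering Passive Mode (192,168,10,5,195,80).",
                            "192.168.10.5", "10.0.0.20")
    print(new, exp)
```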

Routing – SMB shares not reachable over 1:1 NAT

I am having a problem with Windows 10 SMB folder shares on my company's network. There is a subnet (let's call it production) with three hosts that are industrial PCs used as machine controllers; they are connected to the rest of the network via an mGuard router (let's call that network corporate). It is (allegedly) set up with a 1:1 NAT that maps host 1 from the production network to an address in the corporate network. What I want to achieve is a shared folder on host 1 in the production network that can be reached via the NAT from the corporate network. I do not have access to the router's configuration because it was configured remotely by the manufacturer of the computer. However, the NAT appears to be set up as requested, because there is an address in the corporate network that responds to ping and VNC connection requests, but accessing shared folders is not possible. The shares also seem to be configured correctly, because the other two hosts in the subnet can see them. The mGuard allegedly does not filter applications, and the Windows firewalls are disabled on the controller PCs.

Nmap scan of the NAT address as seen from the corporate network:

NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:43
Completed NSE at 11:43, 0.00s elapsed
Initiating NSE at 11:43
Completed NSE at 11:43, 0.00s elapsed
Initiating ARP Ping Scan at 11:43
Scanning 10.150.4.9 (1 port)
Completed ARP Ping Scan at 11:43, 0.52s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:43
Completed Parallel DNS resolution of 1 host. at 11:43, 0.00s elapsed
Initiating SYN Stealth Scan at 11:43
Scanning 10.150.4.9 (1000 ports)
Discovered open port 3389/tcp on 10.150.4.9
Discovered open port 5900/tcp on 10.150.4.9
Discovered open port 1433/tcp on 10.150.4.9
Completed SYN Stealth Scan at 11:43, 4.02s elapsed (1000 total ports)
Initiating Service scan at 11:43
Scanning 3 services on 10.150.4.9
Completed Service scan at 11:44, 11.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.150.4.9
Retrying OS detection (try #2) against 10.150.4.9
NSE: Script scanning 10.150.4.9.
Initiating NSE at 11:44
Completed NSE at 11:44, 5.12s elapsed
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Nmap scan report for 10.150.4.9
Host is up (0.0017s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE       VERSION
1433/tcp open  ms-sql-s      Microsoft SQL Server 2014 12.00.5000.00; SP2
| ms-sql-ntlm-info: 
|   Target_Name: 8957PU10-50K2
|   NetBIOS_Domain_Name: 8957PU10-50K2
|   NetBIOS_Computer_Name: 8957PU10-50K2
|   DNS_Domain_Name: 8957Pu10-50K2
|   DNS_Computer_Name: 8957Pu10-50K2
|_  Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2019-08-19T03:53:15
| Not valid after:  2049-08-19T03:53:15
| MD5:   7c01 11b2 b195 05bd 7557 949c 9f95 7057
|_SHA-1: 4542 4e51 1207 f65e 01a4 6ab3 0d4c 7391 09f1 4f09
|_ssl-date: 2019-08-19T09:44:45+00:00; +30s from scanner time.
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=8957Pu10-50K2
| Issuer: commonName=8957Pu10-50K2
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-07-14T03:56:52
| Not valid after:  2020-01-13T03:56:52
| MD5:   e8bb 8d4a 32fa 6b74 c313 3d52 8f93 1790
|_SHA-1: c2b5 d8a8 44e1 a089 0525 6665 945e eceb 387b 70eb
|_ssl-date: 2019-08-19T09:44:45+00:00; +31s from scanner time.
5900/tcp open  vnc           VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|     VNC Authentication (2)
|     Tight (16)
|   Tight auth subtypes: 
|_    STDV VNCAUTH_ (2)
MAC Address: A8:74:1D:76:A1:0C (Phoenix Contact Electronics Gmbh)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP
Running (JUST GUESSING): Linux 2.6.X (97%), D-Link embedded (96%), TRENDnet embedded (96%), Microsoft Windows 2016|Vista (91%), FreeBSD 6.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/h:dlink:dwl-624%2b cpe:/h:dlink:dwl-2000ap cpe:/h:trendnet:tew-432brp cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_vista::sp1:home_premium cpe:/o:freebsd:freebsd:6.2
Aggressive OS guesses: Linux 2.6.18 - 2.6.22 (97%), D-Link DWL-624+ or DWL-2000AP, or TRENDnet TEW-432BRP WAP (96%), Microsoft Windows Server 2016 (91%), Microsoft Windows Vista Home Premium SP1 (89%), FreeBSD 6.2-RELEASE (87%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.244 days (since Mon Aug 19 05:52:30 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 30s, deviation: 0s, median: 30s
| ms-sql-info: 
|   10.150.4.9:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 SP2
|       number: 12.00.5000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: SP2
|       Post-SP patches applied: false
|_    TCP port: 1433

TRACEROUTE
HOP RTT     ADDRESS
1   1.67 ms 10.150.4.9

The NetBIOS name for host 1 is 8957PU10-50K2

Some related resources:

http://help.mguard.com/pdf/en/mguard8/ConfigEx/108407_en_00.pdf
http://help.mguard.com/pdf/en/mguard8/ConfigEx/108408_en_00.pdf

Thank you in advance.

Networking – Switching to IPv6 from Traditional IPv4 / NAT / Port Forwarding / Firewall (Issue 2019)

I manage several networks of 5 to 20 computers behind a traditional IPv4 router/firewall setup. Outgoing connections are NATed, and clients outside the router access individual services through port forwarding on the router.

I'm interested in using IPv6 for (some of) these machines, but I do not want to unknowingly open them to arbitrary access from the Big Bad Internet. I do want to pass certain protocols through as directly as possible. For example, I want to allow direct SSH access to one of the machines.

Is there a good way to do this without requiring a complete firewall setup on each individual computer? Should I use the publicly accessible IPv6 address of my router as the entry point for an n-bit subnet where all my intranet computers reside, and manage the firewall by dropping SYN packets to the ports and computers I do not want to be accessible?

amazon web services – How to assign the same Elastic IP to a NAT gateway and an ALB?

The following architectural diagram is from an AWS blog titled Task Networking in AWS Fargate. The blog was published in January 2018.

(Architecture diagram)

The description that accompanies the picture says:

With this configuration, your Fargate tasks can be safely isolated from the rest of the Internet. You can continue to initiate network communication with external resources through the NAT gateway and continue to receive traffic from the public through the Application Load Balancer, which is on the public subnet.

One problem I have when trying to rebuild the architecture is that the same IP address (which I assume is an Elastic IP) is used for both the NAT gateway and the Application Load Balancer (ALB). I cannot create an Elastic IP address that can be used by both the NAT gateway and the ALB. Is the diagram incorrect, or am I missing something?

Firewall – Cisco ASA5506: NAT issue (packet blocked even though a permit rule exists)

We have a problem with our ASA5506.

The public interface "outsideSub" has an Internet connection via PPPoE.
A ping test from the outsideSub interface to a public DNS server succeeds.

However, packet tracer shows that TCP packets are blocked by an ACL.
In addition, hosts on the internal subnet have no Internet connection.

This is the current configuration:

: Saved
:
: Serial Number: JAD211802J4
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by admin at 12:07:48.259 CEDT Thu Jul 4 2019
:
: Note: the configuration in the original post was machine-translated; the command
: keywords below are restored to ASA syntax. Object names that contained spaces are
: hyphenated (internal-webserver), and the name of the ACL applied to outsideSub was
: unreadable, so OUTSIDESUB_ACL is a placeholder for it.
!
ASA Version 9.6(1)
!
hostname firewall
enable password WHzrdccdxogzFJXY encrypted
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 no ip address
!
interface GigabitEthernet1/1.100
 nve-only
 vlan 7
 nameif outsideSub
 security-level 0
 pppoe client vpdn group telecom
 ip address pppoe
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address dhcp
!
interface GigabitEthernet1/3
 nameif DMZ
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet1/4
 nameif guest
 security-level 1
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 ip address dhcp
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outsideSub
dns server-group DefaultDNS
 name-server 217.69.169.25 outsideSub
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network insideSub
object network WWW-EXT
 host 87.140.26.169
object network WWW-INT
 host 192.168.3.2
object service https
 service tcp source range 0 1024 destination eq https
object network internal-webserver
 host 192.168.3.2
object network dect-gateway
 host 192.168.178.15
object service http
 service tcp source eq www destination eq www
 description http
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp destination eq sip
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
 service-object udp
 service-object tcp destination eq sip
 service-object udp destination eq sip
 service-object tcp destination eq 5090
 service-object tcp destination eq https
 service-object tcp destination eq www
 service-object udp destination range 30000 31000
 service-object udp destination eq 3478
 service-object udp destination eq 3479
 service-object udp destination range 40000 41000
object-group service DM_INLINE_SERVICE_3
 service-object udp
 service-object tcp destination eq sip
 service-object udp destination eq sip
 service-object tcp destination eq https
 service-object tcp destination eq 5090
 service-object udp destination range 30000 30900
 service-object udp destination range 40000 40900
 service-object udp destination eq 5070
 service-object udp destination eq 5080
object-group service DM_INLINE_SERVICE_6
 service-object tcp destination eq https
 service-object tcp-udp destination eq domain
 service-object tcp destination eq www
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
access-list inside_access_in extended permit ip any any
access-list OUTSIDESUB_ACL extended permit tcp any object internal-webserver object-group DM_INLINE_TCP_2 log debugging
access-list OUTSIDESUB_ACL extended permit object-group DM_INLINE_SERVICE_2 any object dect-gateway log debugging inactive
access-list DMZ_access_in extended permit tcp any object internal-webserver object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_6 object internal-webserver any
access-list DMZ_access_in extended permit ip any any inactive
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_3 any object dect-gateway log debugging inactive
access-list guest_access_in extended permit ip any interface outsideSub
access-list telefon_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1492
mtu outsideSub 1492
mtu inside 1500
mtu DMZ 1500
mtu guest 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outsideSub) dynamic interface
object network internal-webserver
 nat (DMZ,outsideSub) static interface service tcp https https
!
nat (inside,outsideSub) after-auto source dynamic any interface
nat (DMZ,outsideSub) after-auto source dynamic any interface
nat (guest,outsideSub) after-auto source dynamic any interface
access-group OUTSIDESUB_ACL in interface outsideSub
access-group inside_access_in_1 in interface inside
access-group DMZ_access_in in interface DMZ
route outsideSub 0.0.0.0 0.0.0.0 87.140.26.169 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.178.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.178.1,CN=firewall
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 213f335c
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.178.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group14-sha1
console timeout 0
vpdn group telecom request dialout pppoe
vpdn group telecom ppp authentication pap

dhcpd dns 217.69.169.25
dhcpd auto_config inside
dhcpd option 3 ip 192.168.5.1
!
dhcpd address 192.168.5.2-192.168.5.254 guest
dhcpd dns 217.69.169.25 interface guest
dhcpd enable guest
!
ntp server 188.68.54.53 source outsideSub
ssl trust-point ASDM_Launcher_Access_TrustPoint_0
dynamic-access-policy-record DfltAccessPolicy
username admin password WRN6n6ecK1px5qbL encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2e518b4508919eb399ce4cb4eae31eca
: end

Here are two screenshots to clarify the problem / configuration:

(Screenshot: packet tracer output showing that the packet is blocked)

(Screenshot: however, the permit rule exists, with 181k hits)

The NAT rules and routes were not changed explicitly!
The only change made was switching the internalSub PPPoE setting to "Use a static IP".

We had no Internet connection with the static IP, so we reset the interface setting to PPPoE. The NAT/routing problem has existed since then.

Unfortunately there are no configuration backups, and the configuration was written to flash …

nat – Ultra-slow upload speed while NATing with iptables

I'm configuring a network and need to allow access only for certain MAC addresses.

Let eth0 and eth1 be physical interfaces. eth1 is connected to the external network, and eth0 and its VLANs are in the internal network.

For this purpose I use Linux iptables and have the following default configuration.

# Allow IP forwarding and loopback
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT

# Set up NAT and default chain settings
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -N FILTER
iptables -P FORWARD DROP

# Set up default configuration
# eth0+ matches eth0 and all of its VLAN sub-interfaces (eth0.10, ...)
iptables -A FORWARD -p tcp -m conntrack --ctstate NEW -i eth0+ -o eth1 -j FILTER
iptables -A FORWARD -p tcp -m conntrack \
    --ctstate RELATED,ESTABLISHED,DNAT,SNAT,INVALID -i eth0+ -o eth1 -j ACCEPT
iptables -A FORWARD ! -p tcp -i eth0+ -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0+ -m state \
    --state RELATED,ESTABLISHED -j ACCEPT

In this way I filter all incoming TCP traffic with state NEW and allow all traffic of other protocols, or TCP in other states. I handle these filtered TCP requests with the following rule:

# Allow TCP traffic with ctstate NEW for certain MACs
iptables -A FILTER -p tcp -m conntrack --ctstate NEW -i eth0+ -o eth1 \
    -m mac --mac-source <mac-address> -j ACCEPT

In a test environment, the approved MACs can access the Internet at normal download speeds, but the upload speed is nearly zero. Am I forgetting something?
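An added walkthrough, not part of the question, that models the FORWARD and FILTER chains above with the matches the ruleset uses (-p, ! -p, --ctstate, -i/-o with the + wildcard, --mac-source), so you can trace which sample packets end in ACCEPT and which fall back to the DROP policy. The allow-listed MAC and the packets are constructed; one thing the trace makes visible is that the MAC allow-list only gates TCP NEW, since the `! -p tcp` rule forwards UDP from any MAC.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str        # "tcp", "udp", "icmp", ...
    ctstate: str      # "NEW", "ESTABLISHED", "RELATED", "INVALID", "DNAT", "SNAT"
    mac: str = ""     # source MAC as seen on the ingress interface


ALLOWED_MACS: Set[str] = {"02:00:00:00:00:aa"}   # constructed allow-list


def iface(pattern: str, name: str) -> bool:
    """iptables interface match: a trailing '+' is a prefix wildcard (eth0+ -> eth0, eth0.10)."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern


def m(p: Packet, proto=None, not_proto=None, ctstate=None,
      in_if=None, out_if=None, mac_ok=False) -> bool:
    """Evaluate the subset of iptables matches used by the ruleset on the page."""
    if proto and p.proto != proto:
        return False
    if not_proto and p.proto == not_proto:         # "! -p tcp"
        return False
    if ctstate and p.ctstate not in ctstate:
        return False
    if in_if and not iface(in_if, p.in_if):
        return False
    if out_if and not iface(out_if, p.out_if):
        return False
    if mac_ok and p.mac not in ALLOWED_MACS:      # "-m mac --mac-source <mac>"
        return False
    return True


Rule = Tuple[Callable[[Packet], bool], str]
CHAINS: Dict[str, List[Rule]] = {
    "FORWARD": [
        (lambda p: m(p, proto="tcp", ctstate={"NEW"}, in_if="eth0+", out_if="eth1"), "FILTER"),
        (lambda p: m(p, proto="tcp", ctstate={"RELATED", "ESTABLISHED", "DNAT", "SNAT", "INVALID"},
                     in_if="eth0+", out_if="eth1"), "ACCEPT"),
        (lambda p: m(p, not_proto="tcp", in_if="eth0+", out_if="eth1"), "ACCEPT"),
        (lambda p: m(p, in_if="eth1", out_if="eth0+", ctstate={"RELATED", "ESTABLISHED"}), "ACCEPT"),
    ],
    "FILTER": [
        (lambda p: m(p, proto="tcp", ctstate={"NEW"}, in_if="eth0+", out_if="eth1", mac_ok=True), "ACCEPT"),
    ],
}
POLICY = {"FORWARD": "DROP"}   # user-defined chains have no policy


def walk(chain: str, pkt: Packet) -> Optional[str]:
    """Traverse a chain in order; a user chain with no verdict returns to its caller."""
    for pred, target in CHAINS[chain]:
        if not pred(pkt):
            continue
        if target in CHAINS:
            verdict_from_sub = walk(target, pkt)
            if verdict_from_sub is not None:
                return verdict_from_sub
        else:
            return target
    return POLICY.get(chain)


def verdict(pkt: Packet) -> str:
    return walk("FORWARD", pkt) or "DROP"
```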

kubernetes – Cannot access LB via Cloud NAT

We run a private GKE cluster on GCP.
Our services are exposed to the Internet via nginx-ingress and a TCP LB whitelist, which is listed in the service.yaml definition.

One of our pods tries to access another pod via the public LB.
(I know that this is not the best approach, but we can assume that the app only works this way and we cannot change the cluster communication.)

I've also added the static NAT IP to the LB whitelist, and I can see the IP as a firewall rule associated with the GKE nodes.

What I tried in order to debug the problem:

Create a new instance, install nginx, and allow connections only from the NAT IP by adding firewall rules. I also tried connecting a TCP LB to this nginx instance and had no problem accessing the nginx sample page from pods A and B.

When I try to connect to the pods from other whitelisted sources, I have no problem whatsoever.