Masquerading, forwarding, firewalling Oh My.

Masquerading, forwarding, firewalling Oh My.

Post by Jason V. Roberts » Thu, 14 Mar 1996 04:00:00



Hi,

This might be long and rambling, but if you've done something like this before
please drop me a line with any advice you have.

We have a Novell server with 2 network cards, addresses nov1.nov1.nov1.nov1 and
nov2.nov2.nov2.nov2 let's say.  We have x machines hooked onto each network,
Dos machines which need TCP/IP routed.  One of the machines on the
nov1.nov1.nov1.nov1 network is a Linux machine hooked up to an ISP.  The novell
server _does_ route IP, and that part of the setup works fine.

I want to route a packet from anywhere on both networks through the linux
and masquerade for all of them.  They are on an unroutable but valid C
network subnetted with 255.255.255.224 (the addresses are unique and real
internet addreses that aren't routed anywhere yet).

Let's say the Linux side of the network is xxx.xxx.xxx.64 and the other
network on the LAN is xxx.xxx.xxx.32, and that the novell server/router is on
xxx.xxx.xxx.65 and xxx.xxx.xxx.34.

First question:  Are ping packets masqueraded?  When we have the thing set up
right will ping work to test them with?  Should I be able to ping from a dos
client through the linux box (masqueraded) and get something back on the dos
client?

Second, is this what I'd do to masquerade (assuming forwarding, firewalling,
and masquerading in the kernel)
ipfwadm -F -a masquerade -S xxx.xxx.xxx.32/27 -D 0.0.0.0
ipfwadm -F -a masquerade -S xxx.xxx.xxx.64/27 -D 0.0.0.0

I tried it, but stuff from the other LAN (the .64 lan) doesn't get through the
linux box.  Stuff from the .32 lan does get through, but it wasn't masq'ed so
it doesn't come back.

Do I have to add a forwarding/masquerading rule for packets with -S set to
the novell server address?

Also, can I just do one command:
ipfwadm -F -a masquerade -S xxx.xxx.xxx.0 -D 0.0.0.0
or do I have to do it like I did above?

If I include forwarding and masquerading it _will_ apply any masquerading rules
I gave it before it forwards, right?  Nothing seemed to be getting back to
us today.

 
 
 

1. IP forwarding in firewalls and masquerade boxes

The Firewall HOWTO and some other sources that I've looked at emphasize that
you should turn IP forwarding off in firewalls and (I believe) IP
masquerading boxes as well.  In principle I understand that you should turn
off all the services possible to secure a box.  My question is, what
vulnerabilities does IP forwarding expose?

For instance suppose you have an IP masquerading box with two nics -- one
talking to a 192.168.x.y private network, and one with a public IP address.
I can see how maybe a cracker could come send some packets to the public
side of the masq box that appeared to come from an 192.168.x.y address...
but I can't see how that would do a cracker any good.  And if I am guessing
right and this is how a cracker would exploit IP forwarding, then is there a
way to stipulate that packets from a 192.168.x.y address should be rejected
by the publicly accessible NIC?

Thanks in advance
Don

2. Scanner Reccomendations?

3. forwarding, masquerading, firewalling??????

4. Problem: kernel 2.5.33 won't compile

5. Masquerading Trouble...firewall and forwarding work great. (help)

6. sunlink x25

7. Newbie questions about firewalls, masquerading, and forwarding

8. Netscape 4.03 Standalone + java = bus error

9. enabling port forwarding on a MASQUERADING firewall

10. Flame my Firewall - Masquerade Masquerade !

11. CD-RW mounting woes in Mandrake 7.0 woe oh woe oh woe!

12. Oh Oh what did I break.

13. OT: oh...oh...Microsoft's growth SLOWS (.NET as salvation?)