View previous topic :: View next topic |
Author |
Message |
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 812
|
Posted: Mon Apr 04, 2022 3:13 pm Post subject: nftables not NAT'ing some FIN/ACK packets |
|
|
Hi All,
I'm running Gentoo as my router using nftables as a firewall. The ppp0 interface is a PPPoE connection for my DSL internet. Of course it also does NAT
Today i was monitoring it with tcpdump so double-check if i leak any internal IP addresses to the outside, expecting to see none
To my surprise that wasn't the case. Sometimes single FIN/ACK packets seem to be routed to the ppp0 interface without being NAT'ed, still having it's internal ip address as the source. I think this happens when the connection tracker already removed the connection and the FIN/ACK is a bit late. In itself it's not a big issue (i guess it should be dropped by my ISP), but i'd like to filter them out myself.
My idea is to find a place in nftables which handles traffic after NAT has been applied, on that place i'd like to filter out any rfc1918 addresses, which should catch these packets.
I have tested this chain:
Code: |
table inet firewall {
chain test {
type filter hook forward priority 500; policy accept;
ip saddr in.ter.nal.ip oifname "ppp0" counter
ip saddr ex.ter.nal.ip oifname "ppp0" counter
}
}
|
The first counter would count quickly if the chain sees traffic which is not NAT'ed yet, to second one should count when the chain sees NAT'ed traffic. I've tried a lot different priority's from -500 to 500 and in all cases only the first counter was hit.
Does anyone know how to do this? _________________ The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com |
|
Back to top |
|
|
wless123 n00b
Joined: 27 Aug 2021 Posts: 35
|
Posted: Mon Apr 04, 2022 6:32 pm Post subject: |
|
|
Hey,
your rules shown here are only to forward packets from in.ter.nal.ip/ex.ter.nal.ip to the ppp0 interface.
Code: |
table inet firewall {
chain test {
type filter hook forward priority 500; policy accept;
ip saddr in.ter.nal.ip oifname "ppp0" counter
ip saddr ex.ter.nal.ip oifname "ppp0" counter
}
}
|
No nat is done with it. Further not sure why you forward traffic from ex.ter.nal.ip to ppp0 or is it another internal network? If it is your external ip, this rule should never be hit (your rule means: forward traffic from internet to internet).
I would recommend to do 2 things:
1) add masquerade to the rules
2) set forward policy to drop and forward only traffic from ppp0 which is established or related to a connection
This might look like:
Code: |
table inet firewall {
chain test {
type filter hook forward priority filter; policy drop;
ip saddr in.ter.nal.ip oifname "ppp0" counter
#ip saddr ex.ter.nal.ip oifname "ppp0" counter
ifname ppp0 ct state established,related counter accept
}
}
table inet nat {
chain POSTROUTING {
type nat hook postrouting priority srcnat;
oifname ppp0 masquerade
}
}
|
Related to your other question: remember that nat is done postrouting means before leaving the local host(after forwarding), so where are you dumping?
After applying these rules, there should be NO packet with internal ip be routed to your modem anymore.
Could you test it and if there are still packets we might take a closer look at your complete ruleset for nftables on the router.
EDIT: make nat rules work for ipv6 too and use just masquerading for that purpose. |
|
Back to top |
|
|
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 812
|
Posted: Tue Apr 05, 2022 5:08 am Post subject: |
|
|
Thanks for your response wless123.
I know this chain doesn't do anything, it it meant to discover where i can find the traffic i want to filter.
I do have chains attached to the prerouting/postrouting hooks which do the NAT, i didn't post my full 3600-line ruleset
My postrouting chain contains (irrelevant lines removed, i don't want to post my full ruleset):
Code: |
chain postrouting {
type nat hook postrouting priority 100;
oifname ppp0 ip saddr 192.168.84.0/24 counter snat ip to $pub-v4
}
|
Even with this i still see the packets with source address 192.168.84.3 on my ppp0 interface.
Quote: |
Related to your other question: remember that nat is done postrouting means before leaving the local host(after forwarding), so where are you dumping?
|
I'm dumping on the ppp0 interface which should only have NAT'ed traffic.
On an other forum someone told me this is linux kernel issue/bug: The connection tracker forgets about the connection and the (late) FIN/ACK packet leaves the system without NAT being applied. So basically the only question left is: Where and how can i filter these packets?
Hummm ... now i'm thinking about it: How about the forward hook and filter packets with FIN set and ct state untracked ... i'll try that later today. _________________ The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com |
|
Back to top |
|
|
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 812
|
Posted: Wed Apr 06, 2022 6:44 am Post subject: |
|
|
pa4wdh wrote: | Thanks for your response wless123.Hummm ... now i'm thinking about it: How about the forward hook and filter packets with FIN set and ct state untracked ... i'll try that later today. |
I was actually quite close with this. I've added this rule to a chain connected to the forward hook:
Code: | ip saddr 192.168.0.0/16 tcp flags fin ct state invalid log prefix "Late FIN: " counter drop |
Of course the log and counter are optional. This drops all packets which would otherwise leave the system without NAT. _________________ The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|