Gentoo Forums
nftables not NAT'ing some FIN/ACK packets
pa4wdh
l33t
Joined: 16 Dec 2005
Posts: 812

PostPosted: Mon Apr 04, 2022 3:13 pm    Post subject: nftables not NAT'ing some FIN/ACK packets

Hi All,

I'm running Gentoo as my router using nftables as a firewall. The ppp0 interface is a PPPoE connection for my DSL internet. Of course it also does NAT :)

Today I was monitoring it with tcpdump to double-check if I leak any internal IP addresses to the outside, expecting to see none :)
To my surprise that wasn't the case. Sometimes single FIN/ACK packets seem to be routed to the ppp0 interface without being NAT'ed, still having the internal IP address as the source. I think this happens when the connection tracker has already removed the connection and the FIN/ACK is a bit late. In itself it's not a big issue (I guess it should be dropped by my ISP), but I'd like to filter them out myself.

My idea is to find a place in nftables which handles traffic after NAT has been applied; in that place I'd like to filter out any RFC 1918 addresses, which should catch these packets.

I have tested this chain:
Code:

table inet firewall {
   chain test {
      type filter hook forward priority 500; policy accept;
      ip saddr in.ter.nal.ip oifname "ppp0" counter
      ip saddr ex.ter.nal.ip oifname "ppp0" counter
   }
}

The first counter would count quickly if the chain sees traffic which is not NAT'ed yet; the second one should count when the chain sees NAT'ed traffic. I've tried a lot of different priorities from -500 to 500, and in all cases only the first counter was hit.

Does anyone know how to do this?
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
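An added example (not code from this thread) of the leak check the post describes: it reads `tcpdump -n -i ppp0` text output, flags every packet leaving the external interface with an RFC 1918 source address, and separates bare FIN/ACK packets (the late-FIN symptom) from other leaks. The capture lines are constructed samples in tcpdump's line format; the interface name and addresses are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -n -i ppp0` output (not a real capture): one
# correctly NAT'ed packet, one late FIN/ACK that escaped NAT, one other leak.
SAMPLE_CAPTURE = """\
10:01:02.100001 IP 203.0.113.7.43210 > 198.51.100.9.443: Flags [P.], seq 1:80, ack 1, win 501, length 79
10:01:02.300045 IP 192.168.84.3.43210 > 198.51.100.9.443: Flags [F.], seq 80, ack 2, win 501, length 0
10:01:03.000010 IP 192.168.84.20.51000 > 198.51.100.10.80: Flags [S], seq 0, win 64240, length 0
"""

# Matches the tcpdump TCP line shape: time, "IP", src.port > dst.port: Flags [..]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for any source address that must never appear on the WAN side."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_leaks(capture: str) -> list:
    """One record per parsed TCP packet whose source address is RFC 1918."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_rfc1918(m["src"]):
            continue  # non-TCP lines and properly NAT'ed packets are skipped
        flags = m["flags"]
        leaks.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"], "flags": flags,
            # A bare FIN/ACK ("F.") matches the late-FIN symptom; anything else
            # is a leak the normal NAT rules should have covered.
            "kind": "late_fin" if flags == "F." else "other",
        })
    return leaks


def summarize(capture: str) -> Counter:
    """Count leaks by kind; an empty Counter means no internal address escaped."""
    return Counter(rec["kind"] for rec in find_leaks(capture))


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_CAPTURE)))
```

Feed it a real capture with `tcpdump -n -i ppp0 tcp` and the same check applies; only a "late_fin" count with nothing else points at the conntrack timing described in the thread.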
wless123
n00b
Joined: 27 Aug 2021
Posts: 35

PostPosted: Mon Apr 04, 2022 6:32 pm

Hey,
Your rules shown here are only there to forward packets from in.ter.nal.ip/ex.ter.nal.ip to the ppp0 interface.
Code:

table inet firewall {
   chain test {
      type filter hook forward priority 500; policy accept;
      ip saddr in.ter.nal.ip oifname "ppp0" counter
      ip saddr ex.ter.nal.ip oifname "ppp0" counter
   }
}


No NAT is done with it. Further, I'm not sure why you forward traffic from ex.ter.nal.ip to ppp0, or is it another internal network? If it is your external IP, this rule should never be hit (your rule means: forward traffic from the internet to the internet).

I would recommend doing 2 things:
1) add masquerade to the rules
2) set the forward policy to drop and only forward traffic from ppp0 which is established or related to a connection

This might look like:
Code:

table inet firewall {
   chain test {
      type filter hook forward priority filter; policy drop;
      # outbound: the internal network may reach ppp0 (needs an explicit accept under policy drop)
      ip saddr in.ter.nal.ip oifname "ppp0" counter accept
      #ip saddr ex.ter.nal.ip oifname "ppp0" counter
      # inbound from ppp0: only packets belonging to a connection conntrack already knows
      iifname "ppp0" ct state established,related counter accept
   }
}

table inet nat {
   chain POSTROUTING {
      type nat hook postrouting priority srcnat;
      oifname "ppp0" masquerade
   }
}



Related to your other question: remember that NAT is done in postrouting, which means just before leaving the local host (after forwarding), so where are you dumping?

After applying these rules, there should be NO packets with an internal IP routed to your modem anymore.
Could you test it, and if there are still packets we might take a closer look at your complete nftables ruleset on the router.

EDIT: make the NAT rules work for IPv6 too and use just masquerading for that purpose.
pa4wdh
l33t
Joined: 16 Dec 2005
Posts: 812

PostPosted: Tue Apr 05, 2022 5:08 am

Thanks for your response wless123.

I know this chain doesn't do anything; it is meant to discover where I can find the traffic I want to filter.
I do have chains attached to the prerouting/postrouting hooks which do the NAT; I didn't post my full 3600-line ruleset :)

My postrouting chain contains (irrelevant lines removed, I don't want to post my full ruleset):
Code:

 chain postrouting {
  type nat hook postrouting priority 100;
  oifname ppp0 ip saddr 192.168.84.0/24 counter snat ip to $pub-v4
 }

Even with this I still see the packets with source address 192.168.84.3 on my ppp0 interface.

Quote:

Related to your other question: remember that nat is done postrouting means before leaving the local host(after forwarding), so where are you dumping?

I'm dumping on the ppp0 interface, which should only have NAT'ed traffic.
On another forum someone told me this is a Linux kernel issue/bug: the connection tracker forgets about the connection and the (late) FIN/ACK packet leaves the system without NAT being applied. So basically the only question left is: where and how can I filter these packets?

Hummm ... now that I'm thinking about it: how about the forward hook and filtering packets with FIN set and ct state untracked ... I'll try that later today.
pa4wdh
l33t
Joined: 16 Dec 2005
Posts: 812

PostPosted: Wed Apr 06, 2022 6:44 am

pa4wdh wrote:
Thanks for your response wless123. [...] Hummm ... now i'm thinking about it: How about the forward hook and filter packets with FIN set and ct state untracked ... i'll try that later today.

I was actually quite close with this. I've added this rule to a chain connected to the forward hook:
Code:
ip saddr 192.168.0.0/16 tcp flags fin ct state invalid log prefix "Late FIN: " counter drop

Of course the log and counter are optional. This drops all packets which would otherwise leave the system without NAT.