
Friday, January 22, 2010

multiple interfaces and snat ?

Hello all,
Please excuse my long description, but it is a complex scenario.
Also I know little about iptables and got things working with config
fragments I found on the net.

I have a VLANed network to which I would like to connect a commercial
vulnerability scanner.
The scanner is an appliance from a vendor which is not very configurable.
Therefore I have put a debian lenny firewall in front of the scanner.
The firewall has these interfaces:-
admin0, which is a normal interface with openssh listening. Also the
scanner vendor is reachable via this interface.
scanner0, which has udhcpd and bind listening on it, this is connected
to the vulnerability scanner with a crossover cable and the bind and
dhcp configure it so that it routes via the lenny firewall and can find
the vendor's IP addresses.
trunk0, which is a vlanned interface to an ethernet switch.
trunk1, which is a vlanned interface to another ethernet switch.
I am using iptables to snat the scanner traffic onto IP addresses that
the lenny firewall owns inside each vlan.
This is all working beautifully and I can successfully scan hosts in
each vlan for security vulnerabilities.

The problem is that I think that I have broken the security model that
uses VLANs to segregate the hosts that I'm scanning.
I believe that any host in any vlan could also send traffic to another
vlan if it routes it via the IP address of the lenny firewall that it
has locally in its own VLAN, and that my firewall will SNAT that host's
traffic onto its own IP address in the other VLAN.
This is not what I wanted. What I want is for only the scanner on
interface scanner0 to be snatted and nothing else. Note that the lenny
firewall is only supposed to be used for scanning because there is
another firewall on each vlan for carrying normal packets.

My nat.sh startup script looks like this:-

#!/bin/sh
# nat.sh: load the netfilter/NAT modules, enable forwarding, set up SNAT
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
# enable IPv4 forwarding between all interfaces (FORWARD chain policy stays ACCEPT)
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# SNAT every packet leaving each interface, whatever interface it came in on
iptables -t nat -A POSTROUTING -o admin0 -j SNAT --to 10.0.1.5
iptables -t nat -A POSTROUTING -o trunk0.1 -j SNAT --to 10.0.2.254
iptables -t nat -A POSTROUTING -o trunk0.2 -j SNAT --to 10.0.3.254
iptables -t nat -A POSTROUTING -o trunk0.3 -j SNAT --to 10.0.4.254
iptables -t nat -A POSTROUTING -o trunk1.1 -j SNAT --to 10.0.5.254
iptables -t nat -A POSTROUTING -o trunk1.2 -j SNAT --to 10.0.6.254
iptables -t nat -A POSTROUTING -o trunk1.3 -j SNAT --to 10.0.7.254

How can I change this so that only packets from interface scanner0 can
get SNATed and nothing else ?

thanks, Philip


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
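One way to get the behaviour asked for above, written as an added example (not Philip's nat.sh and not a reply from the list): key each SNAT rule on the scanner's source network, since POSTROUTING has no `-i` match, and give the FORWARD chain a DROP policy that only admits traffic arriving on scanner0, because with ip_forward enabled the kernel routes between the VLANs whether or not a packet is SNATed. The scanner0 subnet 192.0.2.0/30 and the IPT variable are assumptions; run with IPT=echo to preview the rules without applying them.

```shell
#!/bin/sh
# Added example, not Philip's nat.sh: SNAT and forward only the scanner's traffic.
# IPT defaults to the real iptables; run with IPT=echo to preview the rules.
IPT="${IPT:-/sbin/iptables}"
# Assumed subnet on scanner0 (not given in the post); adjust to the real one.
SCANNER_NET="${SCANNER_NET:-192.0.2.0/30}"

# Outgoing interface -> SNAT address pairs, taken from the original script.
SNAT_MAP="admin0:10.0.1.5 trunk0.1:10.0.2.254 trunk0.2:10.0.3.254 trunk0.3:10.0.4.254"
SNAT_MAP="$SNAT_MAP trunk1.1:10.0.5.254 trunk1.2:10.0.6.254 trunk1.3:10.0.7.254"

scanner_rules() {
    # 1. Forwarding: ip_forward=1 routes between VLANs even without SNAT, so the
    #    FORWARD chain must refuse everything that did not arrive on scanner0.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i scanner0 -s "$SCANNER_NET" -j ACCEPT
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "scanfw-drop: "

    # 2. NAT: POSTROUTING cannot match -i, so key each SNAT rule on the
    #    scanner's source network instead of matching every packet.
    $IPT -t nat -F POSTROUTING
    for pair in $SNAT_MAP; do
        dev=${pair%%:*}
        addr=${pair#*:}
        $IPT -t nat -A POSTROUTING -s "$SCANNER_NET" -o "$dev" -j SNAT --to "$addr"
    done
}

# Only apply when run as "sh scanner-nat.sh apply"; sourcing just defines the function.
case "${1:-}" in apply) scanner_rules ;; esac
```

A host in a trunk VLAN that sends a new connection via this box now hits the LOG rule and the DROP policy instead of being forwarded and SNATed; only flows that entered on scanner0 and their replies pass.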
