Sunday, January 24, 2010

Re: multiple interfaces and snat ?

Thank you for your reply.
The snat onto the admin interface is necessary because the scanner
connects to the scanning
vendors website over https to download instructions and signatures. It
uses the admin
interface and IP address to do this.
The actual scanner has a 192.168.x.y address that is not routable within
the network

thanks, Philip

Pascal Hambourg wrote:
> Hello,
>
> Philip a écrit :
>
>> I have a VLANed network to which I would like to connect a commercial
>> vulnerability scanner.
>> The scanner is an appliance from a vendor which is not very configurable.
>> Therefore I have put a debian lenny firewall in front of the scanner.
>> The firewall has these interfaces:-
>> admin0, which is a normal interface with openssh listening. also the
>> scanner vendor is reachable via this interface.
>> scanner0, which has udhcpd and bind listening on it, this is connected
>> to the vulnerability scanner with a crossover cable and the bind and
>> dhcp configure it so that it routes via the lenny firewall and can find
>> the vendors IP addresses.
>> trunk0, which is a vlanned interface to an ethernet switch.
>> trunk1, which is a vlanned interface to another ethernet switch.
>> I am using iptables to snat the scanner traffic onto IP addresses that
>> the lenny firewall owns inside each vlan.
>> This is all working beautifully and I can successfully scan hosts in
>> each vlan for security vulnerabilities.
>>
>
> Note that NAT breaks end-to-end connectivity and therefore may hide some
> vulnerabilities from the scanner.
>
>
>> The problem is that I think that I have broken the security model that
>> uses VLANs to segregate the hosts that I'm scanning.
>> I beleive that any host in any vlan could also send traffic to another
>> vlan if it routes it via the IP address of the lenny firewall that it
>> has locally in its own VLAN, and that my firewall will SNAT that hosts
>> traffic onto it's own IP address in the other VLAN.
>>
>
> Yes, with ip_forward=1 the Debian lenny box acts as a IPv4 router and by
> default forwards IPv4 packets between all its network interfaces, unless
> you add some filtering with iptables.
>
>
>> This is not what I wanted. What I want is for only the scanner on
>> interface scanner0 to be snatted and nothing else. Note that the lenny
>> firewall is only supposed to be used for scanning because there is
>> another firewall on each vlan for carrying normal packets.
>>
>> My nat.sh startup script looks like this:-
>>
>> /sbin/depmod -a
>>
>
> What do you need this for ?
>
>
>> /sbin/modprobe ip_tables
>>
>
>
>> /sbin/modprobe ip_conntrack
>>
>
>
>> /sbin/modprobe iptable_nat
>>
>
> These modules should be automatically loaded when needed.
>
>
>> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>>
>
> What do you need this for ?
>
>
>> iptables -t nat -A POSTROUTING -o admin0 -j SNAT --to 10.0.1.5
>>
>
> What do you need this for ? Does the scanner need to scan hosts in the
> admin network ?
>
>
>> How can I change this so that only packets from interface scanner0 can
>> get SNATed and nothing else ?
>>
>
> NAT is not a security feature, so forget about SNAT and concentrate on
> packet filtering. SNAT will handle only packets that have been accepted
> by the filtering rules. My suggestion is to add rules in the FORWARD
> chain to accept forwarded packets only to or from the scanner and drop
> the rest.
>
> # default policy = drop
> iptables -P FORWARD DROP
>
> # allow packets from the scanner to anywhere
> iptables -A FORWARD -i scanner0 -j ACCEPT
>
> # allow packets from anywhere to the scanner
> iptables -A FORWARD -o scanner0 -j ACCEPT
>
> This way, communication between VLANs is prohibited. Communication
> between the admin network and VLANs is prohibited to, but I think you
> don't need it.
>
>
>

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments:

Post a Comment