* OUTPUT DNAT AND FILTERING - scenario
@ 2007-02-21 10:55 Giacomo
  2007-02-23  0:01 ` Henrik Nordstrom
  0 siblings, 1 reply; 3+ messages in thread
From: Giacomo @ 2007-02-21 10:55 UTC (permalink / raw)
  To: netfilter devel

Good morning to all.

These days i was thinking about this network scenario:


BROWSER WEB --> PROXY WEB --> INTERNET

1st scenario:

Suppose that the user wants to block connections towards the web site
x.y.z.w:80

and that the local nat is setup to redirect automatically all connections
to the port 80 towards the proxy_address:8080

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination PROXY_IP:8080

and the user wants to block the site x.y.z.w:80:

iptables -t filter -A OUTPUT -p tcp -d x.y.z.w --dport 80 -j DROP

This does not really block the traffic towards the x.y.z.w:80 service
because the FILTER is applied AFTER the address translation.

Instead the rule

iptables -t filter -A OUTPUT -p tcp -d PROXY_IP --dport 8080 -j DROP

blocks the traffic towards the proxy web, demonstrating that the
filter is applied
AFTER the DNAT translation.

I was wondering the reason why this kind of implementation: while it
could be useful
to drop the traffic towards some specific site/machine also if behind
a web proxy,
on the other side a workstation administrator would normally never insert a DNAT
OUTPUT rule to redirect connections to another address and at the same time
want to block the traffic in that new direction...

Another observation is the following.
If FILTERING was done BEFORE the OUTPUT DNAT an administrator could

1. block outgoing traffic towards a specific undesired address;
2. force each connection towards port 80 to be redirected to PROXY:8080
    with an OUTPUT DNAT rule
3. Guarantee that the unwanted connection be blocked inserting a DROP rule
    in OUTPUT chain towards the PROXY_IP:8080
    (i.e. one cannot tell his browser web to contact the proxy
directly to bypass
    the OUTPUT filter... since the check would be done BEFORE the OUTPUT DNAT)

Finally, my question is very simple:
why does iptables apply the FILTER rules AFTER the OUTPUT DNAT and not
before, when the packet still has the original destination address?

Thanks a lot for any answer.

Giacomo Strangolino, Italy.

-- 
Giacomo S.
http://www.giacomos.it

- - - - - - - - - - - - - - - - - - - - - -

IPFIREwall (http://www.giacomos.it/ipfire) will be presented
at the Universita` degli Studi di Udine on 28 October, on the occasion of
Linux Day 2006:
http://iglu.cc.uniud.it/linuxday

- - - - - - - - - - - - - - - - - - - - - -

 . ''  `.
:   :'    :
 `.  ` '
    `- Debian GNU/Linux -- The power of freedom
        http://www.debian.org


* Re: OUTPUT DNAT AND FILTERING - scenario
  2007-02-21 10:55 OUTPUT DNAT AND FILTERING - scenario Giacomo
@ 2007-02-23  0:01 ` Henrik Nordstrom
  2007-02-23 13:04   ` Jan Engelhardt
  0 siblings, 1 reply; 3+ messages in thread
From: Henrik Nordstrom @ 2007-02-23  0:01 UTC (permalink / raw)
  To: Giacomo; +Cc: netfilter devel


On Wed 2007-02-21 at 11:55 +0100, Giacomo wrote:

> Finally, my question is very simple:
> why does iptables apply the FILTER rules AFTER the OUTPUT DNAT and not
> before, when the packet still has the original destination address?

Because this is the way iptables is designed.

Simplified packet flow:

mangle -> nat DNAT -> [routing] -> filter -> nat SNAT -> mangle

To deal with this cleanly within the filter table there is the conntrack
match allowing you to filter based on connection details rather than the
packet details.

Regards
Henrik



* Re: OUTPUT DNAT AND FILTERING - scenario
  2007-02-23  0:01 ` Henrik Nordstrom
@ 2007-02-23 13:04   ` Jan Engelhardt
  0 siblings, 0 replies; 3+ messages in thread
From: Jan Engelhardt @ 2007-02-23 13:04 UTC (permalink / raw)
  To: Henrik Nordstrom; +Cc: Giacomo, netfilter devel


On Feb 23 2007 01:01, Henrik Nordstrom wrote:
>On Wed 2007-02-21 at 11:55 +0100, Giacomo wrote:
>
>> Finally, my question is very simple:
>> why does iptables apply the FILTER rules AFTER the OUTPUT DNAT and not
>> before, when the packet still has the original destination address?

Why would you need to? If you want to match on the original addresses use
 -m conntrack --ctorigsrc or --ctorigdst

>Because this is the way iptables is designed.
>
>Simplified packet flow:
>
>mangle -> nat DNAT -> [routing] -> filter -> nat SNAT -> mangle
>
>To deal with this cleanly within the filter table there is the conntrack
>match allowing you to filter based on connection details rather than the
>packet details.
>
>Regards
>Henrik
>

Jan
-- 
ft: http://freshmeat.net/p/chaostables/
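The following is an added example, not code from any message in this thread. It is a small Python model of the OUTPUT path Henrik sketches (nat DNAT runs before filter), with a conntrack entry that keeps the original tuple, so it reproduces Giacomo's observation (a filter rule on the pre-NAT destination never matches) and Jan's fix (match the conntrack original tuple with `-m conntrack --ctorigdst`/`--ctorigdstport`). It also covers point 3 of the first message: a `--ctorigdst PROXY_IP --ctorigdstport 8080` rule drops direct connections to the proxy while leaving redirected port-80 traffic alone. The addresses are constructed placeholders standing in for x.y.z.w and PROXY_IP; the iptables commands in the comments are the real-world equivalents of each model rule.

```python
"""Toy model of netfilter's OUTPUT path for locally generated packets.

Added example, not from the thread. Order modelled: nat OUTPUT (DNAT) runs
first, then filter OUTPUT sees the translated packet. The conntrack entry
records the packet *before* NAT, which is what -m conntrack --ctorigdst
matches against. Addresses are constructed placeholders (RFC 5737 ranges).
"""
from dataclasses import dataclass, replace

SITE_IP, SITE_PORT = "203.0.113.10", 80      # stands in for x.y.z.w:80
PROXY_IP, PROXY_PORT = "192.0.2.1", 8080     # stands in for PROXY_IP:8080
CLIENT_IP = "198.51.100.7"                   # constructed local address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Conntrack:
    """Minimal conntrack entry: the original tuple is fixed before NAT runs."""
    orig: Packet


class OutputPath:
    def __init__(self):
        self.nat_rules = []      # nat OUTPUT chain
        self.filter_rules = []   # filter OUTPUT chain (DROP matches only)

    def add_nat_dnat(self, dport, to_ip, to_port):
        # iptables -t nat -A OUTPUT -p tcp --dport <dport> -j DNAT --to-destination <to_ip>:<to_port>
        def rule(pkt, ct):
            if pkt.proto == "tcp" and pkt.dport == dport:
                return replace(pkt, dst=to_ip, dport=to_port)
            return pkt
        self.nat_rules.append(rule)

    def add_filter_drop_dst(self, ip, port):
        # iptables -A OUTPUT -p tcp -d <ip> --dport <port> -j DROP
        # Matches the packet header, i.e. the destination *after* DNAT.
        self.filter_rules.append(lambda pkt, ct: pkt.dst == ip and pkt.dport == port)

    def add_filter_drop_ctorigdst(self, ip, port):
        # iptables -A OUTPUT -m conntrack --ctorigdst <ip> --ctorigdstport <port> -j DROP
        # Matches the conntrack original tuple, i.e. the destination *before* DNAT.
        self.filter_rules.append(lambda pkt, ct: ct.orig.dst == ip and ct.orig.dport == port)

    def send(self, pkt):
        """Verdict ('ACCEPT' or 'DROP') for the first packet of a new connection."""
        ct = Conntrack(orig=pkt)          # conntrack sees the untranslated packet
        for rule in self.nat_rules:       # nat OUTPUT: DNAT rewrites dst/dport
            pkt = rule(pkt, ct)
        for rule in self.filter_rules:    # filter OUTPUT: runs on the rewritten packet
            if rule(pkt, ct):
                return "DROP"
        return "ACCEPT"


def to_site():
    return Packet(CLIENT_IP, 40000, SITE_IP, SITE_PORT)


def to_proxy_directly():
    return Packet(CLIENT_IP, 40001, PROXY_IP, PROXY_PORT)


def demo():
    """Each entry pairs a ruleset from the thread with the verdict it produces."""
    results = {}

    p = OutputPath()                                  # Giacomo's first attempt
    p.add_nat_dnat(80, PROXY_IP, PROXY_PORT)
    p.add_filter_drop_dst(SITE_IP, SITE_PORT)
    results["drop_site_by_packet_dst"] = p.send(to_site())        # never matches

    p = OutputPath()                                  # his second attempt
    p.add_nat_dnat(80, PROXY_IP, PROXY_PORT)
    p.add_filter_drop_dst(PROXY_IP, PROXY_PORT)
    results["drop_proxy_by_packet_dst"] = p.send(to_site())       # blocks everything

    p = OutputPath()                                  # Jan's suggestion
    p.add_nat_dnat(80, PROXY_IP, PROXY_PORT)
    p.add_filter_drop_ctorigdst(SITE_IP, SITE_PORT)
    p.add_filter_drop_ctorigdst(PROXY_IP, PROXY_PORT)  # point 3: no direct proxy use
    results["ctorigdst_site"] = p.send(to_site())
    results["ctorigdst_other_site"] = p.send(Packet(CLIENT_IP, 40002, "203.0.113.99", 80))
    results["ctorigdst_direct_to_proxy"] = p.send(to_proxy_directly())
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
```

The model is deliberately narrow: no routing step, no reply direction, no SNAT. What it shows is the single fact the thread turns on: by the time filter OUTPUT runs, the packet header already says PROXY_IP:8080, but the conntrack original tuple still says x.y.z.w:80, so `--ctorigdst`/`--ctorigdstport` is the match that expresses "block this site even though it is reached via the proxy".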

