* Need an iptables module for hiding NAT.
@ 2007-02-05 15:59 Artūras Šlajus
  2007-02-05 16:09 ` Carl-Daniel Hailfinger
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Artūras Šlajus @ 2007-02-05 15:59 UTC (permalink / raw)
  To: netfilter-devel

Hello,

I don't really know if this is the right list, so excuse me if I missed 
the right spot. Anyway, here is my deal:

I need an iptables module which would hide NAT. It means that all traffic 
being routed through the machine which is running netfilter and doing 
routing should be seen as originating from that host.

I have searched the net and found this:
http://lists.netfilter.org/pipermail/netfilter/2004-November/056947.html

It basically (probably) describes all the factors of how NAT detection works.

I have also found this article describing how to write such a module for 
Windows NT (in Russian):
http://www.xakep.ru/post/29448/default.asp

I basically need to hide my network from such tools as 
http://elceef.itsec.pl/natdet/

I am willing to pay you for developing it. Name your price and perhaps 
we can negotiate something out of it.

I hope somebody can help me; any shared thoughts about the difficulty of 
doing such a task and the time involved would be appreciated (I'm a programmer 
myself, just not C and kernel ;-))

Good day, Artūras Šlajus.


* Re: Need an iptables module for hiding NAT.
  2007-02-05 15:59 Need an iptables module for hiding NAT Artūras Šlajus
@ 2007-02-05 16:09 ` Carl-Daniel Hailfinger
  2007-02-05 16:11   ` Artūras Šlajus
  2007-02-05 21:04 ` Henrik Nordstrom
  2007-02-05 21:16 ` Rémi Denis-Courmont
  2 siblings, 1 reply; 9+ messages in thread
From: Carl-Daniel Hailfinger @ 2007-02-05 16:09 UTC (permalink / raw)
  To: Artūras Šlajus; +Cc: netfilter-devel

Artūras Šlajus wrote:
> I need an iptables module which would hide NAT. It means that all traffic
> being routed through the machine which is running netfilter and doing
> routing should be seen as originating from that host.
> 
> I have searched the net and found this:
> http://lists.netfilter.org/pipermail/netfilter/2004-November/056947.html

I worked on IP Personality a few years ago. However, the netfilter
framework has changed a lot since then and I doubt much of the code
is reusable. It already had its share of problems with the netfilter
updates in the 2.4.x kernel series.

Regards,
Carl-Daniel
-- 
http://www.hailfinger.org/


* Re: Need an iptables module for hiding NAT.
  2007-02-05 16:09 ` Carl-Daniel Hailfinger
@ 2007-02-05 16:11   ` Artūras Šlajus
  0 siblings, 0 replies; 9+ messages in thread
From: Artūras Šlajus @ 2007-02-05 16:11 UTC (permalink / raw)
  To: Carl-Daniel Hailfinger; +Cc: netfilter-devel

Carl-Daniel Hailfinger wrote:
> I worked on IP Personality a few years ago. However, the netfilter
> framework has changed a lot since then and I doubt much of the code
> is reusable. It already had its share of problems with the netfilter
> updates in the 2.4.x kernel series.

Is there any hope you could resume your work? :)


* Re: Need an iptables module for hiding NAT.
  2007-02-05 15:59 Need an iptables module for hiding NAT Artūras Šlajus
  2007-02-05 16:09 ` Carl-Daniel Hailfinger
@ 2007-02-05 21:04 ` Henrik Nordstrom
  2007-02-05 21:35   ` Artūras Šlajus
  2007-02-05 21:16 ` Rémi Denis-Courmont
  2 siblings, 1 reply; 9+ messages in thread
From: Henrik Nordstrom @ 2007-02-05 21:04 UTC (permalink / raw)
  To: Artūras Šlajus; +Cc: netfilter-devel


Mon 2007-02-05 at 17:59 +0200, Artūras Šlajus wrote:

> I need an iptables module which would hide NAT. It means that all traffic 
> being routed through the machine which is running netfilter and doing 
> routing should be seen as originating from that host.

The easiest is to proxy instead of natting..

Regards
Henrik



* Re: Need an iptables module for hiding NAT.
  2007-02-05 15:59 Need an iptables module for hiding NAT Artūras Šlajus
  2007-02-05 16:09 ` Carl-Daniel Hailfinger
  2007-02-05 21:04 ` Henrik Nordstrom
@ 2007-02-05 21:16 ` Rémi Denis-Courmont
  2007-02-05 22:41   ` Henrik Nordstrom
  2 siblings, 1 reply; 9+ messages in thread
From: Rémi Denis-Courmont @ 2007-02-05 21:16 UTC (permalink / raw)
  To: netfilter-devel, Artūras Šlajus


On Monday 5 February 2007 17:59, Artūras Šlajus wrote:
> I need an iptables module which would hide NAT. It means that all
> traffic being routed through the machine which is running netfilter
> and doing routing should be seen as originating from that host.
(...)

I think QEMU already does that when using the "userland" driver on the 
host side for the guest NIC. As far as I understand, this is done using 
an antique piece of BSD code known as slirp. It should not be very 
complicated to reuse and modify slirp to use a network card (the 
internal-side NIC of the stealth NAT box) instead of a PPP interface 
(as slirp originally did) or a virtual NE2000 (as QEMU does). A small 
extra tweak will probably be needed to steal packets from the Linux IP 
stack.

Of course, it's not exactly hiding the NAT, since there is no more real 
NAT.

> I hope somebody can help me; any shared thoughts about the difficulty of
> doing such a task and the time involved would be appreciated (I'm a
> programmer myself, just not C and kernel ;-))

-- 
Rémi Denis-Courmont
http://www.remlab.net/



* Re: Need an iptables module for hiding NAT.
  2007-02-05 21:04 ` Henrik Nordstrom
@ 2007-02-05 21:35   ` Artūras Šlajus
  0 siblings, 0 replies; 9+ messages in thread
From: Artūras Šlajus @ 2007-02-05 21:35 UTC (permalink / raw)
  To: Henrik Nordstrom; +Cc: netfilter-devel

Henrik Nordstrom wrote:
> Mon 2007-02-05 at 17:59 +0200, Artūras Šlajus wrote:
> 
>> I need an iptables module which would hide NAT. It means that all traffic 
>> being routed through the machine which is running netfilter and doing 
>> routing should be seen as originating from that host.
> 
> The easiest is to proxy instead of natting..

Proxying doesn't work, I need full NAT with conntrack and traffic shaping =)


* Re: Need an iptables module for hiding NAT.
  2007-02-05 21:16 ` Rémi Denis-Courmont
@ 2007-02-05 22:41   ` Henrik Nordstrom
  2007-02-06 14:39     ` Artūras Šlajus
  0 siblings, 1 reply; 9+ messages in thread
From: Henrik Nordstrom @ 2007-02-05 22:41 UTC (permalink / raw)
  To: Rémi Denis-Courmont; +Cc: netfilter-devel, Artūras Šlajus


Mon 2007-02-05 at 23:16 +0200, Rémi Denis-Courmont wrote:

> I think QEMU already does that when using the "userland" driver on the 
> host side for the guest NIC. As far as I understand, this is done using 
> an antique piece of BSD code known as slirp. It should not be very 
> complicated to reuse and modify slirp to use a network card (the 
> internal-side NIC of the stealth NAT box) instead of a PPP interface 
> (as slirp originally did) or a virtual NE2000 (as QEMU does).

Indeed. The simplest way of doing so would be to grab slirpvde and
modify it slightly to run on a tun/tap device instead of vde. But slirp
does have some limitations..

I keep my recommendation of using a proxy, and netfilter NAT or TPROXY
to deliver the traffic to the proxy. If you want to get fancy you can
combine it with an NFQUEUE filter to defer SYNs from being delivered to
the proxy until you know the site is reachable..

You still have full conntrack and shaping capabilities in such a design.
They just need to be applied slightly differently.

> A small 
> extra tweak will probably be needed to steal packets from the Linux IP 
> stack.

Not much. Just a little policy routing and a tun/tap device to deliver
the packets to userland..

> Of course, it's not exactly hiding the NAT, since there is no more real 
> NAT.

Also not much netfilter..

Regards
Henrik



* Re: Need an iptables module for hiding NAT.
  2007-02-05 22:41   ` Henrik Nordstrom
@ 2007-02-06 14:39     ` Artūras Šlajus
  2007-02-09  2:53       ` Henrik Nordstrom
  0 siblings, 1 reply; 9+ messages in thread
From: Artūras Šlajus @ 2007-02-06 14:39 UTC (permalink / raw)
  To: Henrik Nordstrom; +Cc: Rémi Denis-Courmont, netfilter-devel

Henrik Nordstrom wrote:
> I keep my recommendation of using a proxy, and netfilter NAT or TPROXY
> to deliver the traffic to the proxy. If you want to get fancy you can
> combine it with a NFQUEUE filter to defer SYN from being delivered to
> the proxy until you know the site is reachable..

Excuse me, what do you mean by using a proxy? Something like squid?


* Re: Need an iptables module for hiding NAT.
  2007-02-06 14:39     ` Artūras Šlajus
@ 2007-02-09  2:53       ` Henrik Nordstrom
  0 siblings, 0 replies; 9+ messages in thread
From: Henrik Nordstrom @ 2007-02-09  2:53 UTC (permalink / raw)
  To: Artūras Šlajus; +Cc: netfilter-devel


Tue 2007-02-06 at 16:39 +0200, Artūras Šlajus wrote:
> Henrik Nordstrom wrote:
> > I keep my recommendation of using a proxy, and netfilter NAT or TPROXY
> > to deliver the traffic to the proxy. If you want to get fancy you can
> > combine it with a NFQUEUE filter to defer SYN from being delivered to
> > the proxy until you know the site is reachable..
> 
> Excuse me, what do you mean by using a proxy? Something like squid?

I was thinking of writing something simpler with less protocol knowledge,
acting mainly as a TCP/UDP proxy for Netfilter, and implementing the
little protocol helpers you may need.

You probably only need a TCP proxy to achieve your goals. It's quite
unlikely fingerprinting will detect SNATed UDP or GRE traffic as
originating from different hosts..

Regards
Henrik


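A passive check of the kind the NAT-detection tools mentioned at the top of this thread perform, written here as an added example (it is not code from the thread, from netfilter or from natdet): it groups constructed TCP SYN records by source address and counts how many distinct host fingerprints (initial TTL class, SYN window, IP-ID habit) appear behind each address. Non-TCP packets are ignored, matching the point above that SNATed UDP or GRE gives fingerprinting little to work with; the Pkt record, the sample values and the threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Initial TTLs that common stacks start from; an observed TTL is mapped to
# the smallest one at or above it (assumes fewer than 32 hops in between).
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Pkt:              # hypothetical record of one packet seen outside the NAT
    src: str            # source IP as seen by the observer
    proto: str          # "tcp" or "udp"
    ttl: int            # IP TTL on the wire
    ip_id: int          # IP identification field
    win: int            # TCP window advertised in the SYN (0 for non-TCP)
    syn: bool = False   # True for a TCP SYN


def initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the initial TTL it most likely started at."""
    return next(t for t in INITIAL_TTLS if t >= ttl)


def signature(p: Pkt) -> tuple:
    """OS-style fingerprint of one TCP SYN: TTL class, window, IP-ID habit."""
    id_style = "zero-id" if p.ip_id == 0 else "incrementing-id"
    return (initial_ttl(p.ttl), p.win, id_style)


def signatures_per_src(pkts):
    """Distinct SYN signatures observed per source address (TCP SYNs only)."""
    seen = defaultdict(set)
    for p in pkts:
        if p.proto == "tcp" and p.syn:
            seen[p.src].add(signature(p))
    return seen


def suspected_nat(pkts, min_signatures: int = 2):
    """Sources showing at least min_signatures different host fingerprints."""
    seen = signatures_per_src(pkts)
    return sorted(s for s, sigs in seen.items() if len(sigs) >= min_signatures)


# Constructed sample: 10.0.0.5 fronts a Linux-like and a Windows-like host,
# 10.0.0.9 is a single Linux-like host; the UDP packet is present but ignored.
SAMPLE = [
    Pkt("10.0.0.5", "tcp", 63, 0, 5840, syn=True),
    Pkt("10.0.0.5", "tcp", 127, 4021, 65535, syn=True),
    Pkt("10.0.0.5", "tcp", 63, 0, 5840, syn=True),
    Pkt("10.0.0.5", "udp", 127, 4022, 0),
    Pkt("10.0.0.9", "tcp", 63, 0, 5840, syn=True),
    Pkt("10.0.0.9", "tcp", 63, 0, 5840, syn=True),
]
```

Running `suspected_nat(SAMPLE)` flags only 10.0.0.5; a single masqueraded OS, or traffic rewritten to one consistent signature, would not be flagged by this check, which is exactly the weakness the thread's proxy-based designs exploit from the other side.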
