Is this iptables NAT exploitable from the external side?
- by Karma Fusebox
Could you please have a short look on this simple iptables/NAT-Setup, I believe it has a fairly serious security issue (due to being too simple).
On this network there is one internet-connected machine (running Debian Squeeze/2.6.32-5 with iptables 1.4.8) acting as NAT/Gateway for the handful of clients in 192.168/24.
The machine has two NICs:
eth0: internet-faced
eth1: LAN-faced, 192.168.0.1, the default GW for 192.168/24
Routing table is two-NICs-default without manual changes:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
(externalNet) 0.0.0.0 255.255.252.0 U 0 0 0 eth0
0.0.0.0 (externalGW) 0.0.0.0 UG 0 0 0 eth0
The NAT is then enabled only and merely by these actions, there are no more iptables rules:
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# (all iptables policies are ACCEPT)
This does the job, but I miss several things here which I believe could be a security issue:
there is no restriction about allowed source interfaces or source networks at all
there is no firewalling part such as:
(set policies to DROP)
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
And thus, the questions of my sleepless nights are:
Is this NAT-service available to anyone in the world who sets this machine as his default gateway? I'd say yes it is, because there is nothing indicating that an incoming external connection (via eth0) should be handled any different than an incoming internal connection (via eth1) as long as the output-interface is eth0 - and routing-wise that holds true for both external und internal clients that want to access the internet. So if I am right, anyone could use this machine as open proxy by having his packets NATted here. So please tell me if that's right or why it is not.
As a "hotfix" I have added a "-s 192.168.0.0/24" option to the NAT-starting command. I would like to know if not using this option was indeed a security issue or just irrelevant thanks to some mechanism I am not aware of.
As the policies are all ACCEPT, there is currently no restriction on forwarding eth1 to eth0 (internal to external). But what are the effective implications of currently NOT having the restriction that only RELATED and ESTABLISHED states are forwarded from eth0 to eth1 (external to internal)?
In other words, should I rather change the policies to DROP and apply the two "firewalling" rules I mentioned above or is the lack of them not affecting security?
Thanks for clarification!