stateless nat all around

stateless nat series: part1 | part2 | part3

IMAGE HERE

lessons learned

UDP can live with just src ip spoofing on the way out.

TCP needs custom nat rules (self-made snat & dnat) to catch any packet (not just SYN).

lbs (inbound traffic)

DIY DNAT – catch all TCP packets, not only SYN

flush ruleset

table ip diy-dnat {
    chain prerouting {
        type filter hook prerouting priority mangle;

        # translate inbound destination address (stateless)
        iif eth0 tcp dport   80 notrack ip daddr set 10.1.1.1
        iif eth0 tcp dport 1234 notrack ip daddr set 10.1.1.1
        iif eth0 udp dport 1234 notrack ip daddr set 10.1.1.1
        iif eth0 tcp dport 2201 notrack ip daddr set 10.1.1.1 tcp dport set 22;
    }
}

gw (outbound traffic)

DIY SNAT – catch all TCP packets, not only SYN – and spoof lbs' IP address (needed for both TCP and UDP)

flush ruleset

table ip diy-snat-spoof {
    chain postrouting {
    type filter hook postrouting priority mangle;

        # translate outbound source address and port (stateless)
        oif eth0 ip saddr 10.1.1.1/32 tcp sport 22 tcp sport set 2201
        oif eth0 ip saddr 10.1.1.0/24 notrack ip saddr set 192.168.122.12
    }
}

acceptance testing

diy-snat-spoof (tcp)

we are just checking that SNAT+SPOOF works for now.

send some requests from workstation

curl -I 192.168.122.12
ssh 192.168.122.12 -l root -p 2201

sniff what is coming out as an answer on gw

tcpdump -ni eth0 not tcp port 22

04:33:25.450833 IP 192.168.122.12.80 > 192.168.122.1.44252: Flags [S.], seq 47328729, ack 2311807596, win 65160, options [mss 1460,sackOK,TS val 2345412055 ecr 3985664520,nop,wscale 5], length 0

==> so far so good, we now see 192.168.122.12 instead of 10.1.1.1, eventhough we’re on established TCP

udp all around

on server

ncat -ulvp 1234 -e /bin/bash

on workstation

ncat -nvu 192.168.122.12 1234

> echo test ok

==> works, we are spoofing 192.168.122.12 alright

tcp all around

on server

ncat -lvp 1234 -e /bin/bash

on workstation

ncat -nv 192.168.122.12 1234

> echo test ok

==> works after enabling diy-dnat (diy-snat-spoof was not enough as we were getting RSTs)

HOME | GUIDES | PLAYBOOKS | LECTURES | LAB | CONTACT | HTML | CSS
Licensed as MIT