NAT w/o firewall?

Benjamin Scott bscott at ntisys.com
Wed Dec 22 00:10:01 EST 2004


  Again, I know I'm late in this thread, but...

On Tue, 7 Dec 2004, at 11:44am, michael.odonnell at comcast.net wrote:
> I have a simple home network with a combination of machines behind a Linux
> box that's doing NAT/firewall duty.  If I rigged that NAT box such that
> it'd allow establishment of no inbound connections of any kind but
> forwarded all outbound connections from any machine behind it (doing NAT
> for all) couldn't I just basically turn off all other firewall functions
> in that NAT box?

  What's a firewall?

  Serious question.  Think about it.  A firewall is a device to control
network access.  It isn't a magic "make the network more secure" box.  How
much or how little control you want/need/should-have is not a function of
the implementation.  The kernel doesn't have a big red "firewall" switch; it
has tools you can use to various ends.  Some of those ends are called a
"firewall" by some people.  Exactly which get called "firewall" varies depending
on who you ask.

  Now look at IPTables.  IPT includes packet selection, state tracking, and
rewriting.

  To do simple masquerading (one-to-many dynamic NAT), we use: Selection
rules to determine which source addresses to masquerade; state tracking to
monitor which packets get associated with which connections; rewriting to
change the addresses and port numbers accordingly.

  To accomplish a standard firewall, we use the selection rules again, of
course, to match packets we want or do not want; and the state tracking, to
make it possible to say "allow these connections" rather than matching on
packet characteristics.

  You'll notice that both masquerading and firewalling use the same
components for much the same reasons.  So how do you disable the "firewall
functions" while keeping the masquerading?

  You can even get a basic, although fairly restrictive, firewall with just
selection rules.  You drop everything but TCP, and you only allow TCP
packets inbound if they are not SYN (initiation) packets.  This is a classic
stateless packet filter, and was all we had with kernel 2.2.

> If I rigged that NAT box such that it'd allow establishment of no inbound
> connections of any kind ...

  Doesn't that qualify as a firewall policy?  A rather typical one at that,
in fact.  Most of your "SOHO routers" do just that.  At least, one hopes
they do.

> ... even if I had a fancy set of firewall rules in effect.

  Fancy?  How about:

# $LAN is the name of the LAN-side interface; set it before running these.
# Loopback and LAN-side traffic to the box itself is always accepted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
# Anything else reaching the box must belong to a connection already tracked.
iptables -A INPUT -m state ! --state ESTABLISHED,RELATED -j REJECT
# Forward whatever the LAN starts; refuse forwarded packets that are not part
# of a tracked connection.
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state ! --state ESTABLISHED,RELATED -j REJECT

  That will deny anything inbound you didn't start yourself.

  Disclaimer: It's late and I'm tired.

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
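An added illustration (not part of the original post) of the point made above: masquerading and a "deny anything inbound you didn't start" policy are built from the same three components, selection, state tracking and rewriting, so the firewall half cannot simply be switched off. The addresses, ports and packets are constructed for the example, and the stateless_filter function models the kernel 2.2-style rule described in the post.

```python
# Toy model of a masquerading box with a state-based inbound policy.
# All addresses, ports and packets are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # "ip:port"
    dst: str            # "ip:port"
    proto: str = "tcp"
    syn: bool = False   # TCP initiation (SYN) flag


class MasqBox:
    """One-to-many dynamic NAT plus the INPUT/FORWARD state policy."""

    def __init__(self, lan_prefix, public_ip):
        self.lan_prefix = lan_prefix    # selection: which sources to masquerade
        self.public_ip = public_ip
        self.next_port = 40000
        self.out = {}    # (lan src, remote) -> masqueraded src   (state tracking)
        self.back = {}   # (masqueraded src, remote) -> lan src   (state tracking)

    def outbound(self, pkt):
        """Selection (LAN sources only), then rewriting, then tracking."""
        if not pkt.src.startswith(self.lan_prefix):
            return None                      # not ours to masquerade: dropped
        key = (pkt.src, pkt.dst)
        if key not in self.out:              # new connection: allocate a port
            masq = f"{self.public_ip}:{self.next_port}"
            self.next_port += 1
            self.out[key] = masq
            self.back[(masq, pkt.dst)] = pkt.src
        return Packet(self.out[key], pkt.dst, pkt.proto, pkt.syn)

    def inbound(self, pkt):
        """Only ESTABLISHED traffic gets in, and it is rewritten back."""
        key = (pkt.dst, pkt.src)
        if key not in self.back:
            return None                      # REJECT: no tracked connection
        return Packet(pkt.src, self.back[key], pkt.proto, pkt.syn)


def stateless_filter(pkt):
    """Kernel 2.2-style rule: TCP only, and inbound only if it is not a SYN."""
    return pkt.proto == "tcp" and not pkt.syn
```

Note that a non-SYN TCP packet from an unknown host passes stateless_filter but is still rejected by MasqBox.inbound, which is exactly what the state tracking buys you.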
