11.2 IP Masquerading Fails for ICMP

IP Masquerading (NAT) has several major advantages for security:
Conversely, a serious bug in IP Tables does allow the cracker to get there. This bug prevents any ICMP message originating from an internal system from being Masqueraded. Instead, an ICMP error response will have as its payload the source address of the internal system. This allows a cracker to map out your internal network. This serious problem, along with other design flaws (such as the lack of the simple -l flag for logging that IP Chains has), causes me to consider IP Tables still to be in beta stage and not to be a clear winner over IP Chains.

This bug is in all versions of IP Tables before 1.2.6a, affects kernels between 2.4.4 and at least 2.4.19, and affects DNAT when routed to internal systems (and possibly other scenarios). This affects most or all major distributions of Linux running a 2.4 kernel released through 2002, including Red Hat 7.3, SuSE 8.0, Slackware 8.0, and Mandrake 8.2. Obtain the patch from your distribution's Web site or from www.netfilter.org/security/2002-04-02-icmp-dnat.html

One workaround is to have an IP Tables rule to block all ICMP packets from being sent to the Internet. The following rule will do this:

    iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP

I am adamant that most firewalls should block all ICMP packets from being sent to the Internet anyway (except for trusted systems doing ping and traceroute commands). While many security "experts" will tell you that blocking ICMP packets will cause fragmentation requests to fail and for horrible things to happen, the reality based on my blocking them for years for many clients is that no such problem will occur.
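To make the leak concrete, here is an added example (not from the book or from netfilter) that builds an ICMP error message the way an un-NATed reply would look on the outside interface and then checks whether the header quoted in its payload names an RFC 1918 address. The host and port values are constructed; 192.168.1.20 is an assumed internal DNAT target and 198.51.100.1 an assumed public address. The check looks at both quoted addresses, so it covers the source-address case described above and the DNAT case in one routine.

```python
import ipaddress
import struct

# RFC 1918 ranges: an ICMP error leaving the firewall should never quote one of these.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; the checksum is left zero because nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def udp_probe(src, dst, sport, dport):
    """Header-only UDP datagram: the packet that will provoke the ICMP error."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return ipv4_header(src, dst, 17, len(udp)) + udp

def icmp_error(outer_src, outer_dst, icmp_type, icmp_code, offending):
    """ICMP error message: 8-byte ICMP header, then the offending IP header plus 8 bytes."""
    body = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + offending[:28]
    return ipv4_header(outer_src, outer_dst, 1, len(body)) + body

def leaked_internal_address(packet):
    """Return the RFC 1918 address quoted inside an ICMP error, or None if nothing leaks."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                    # protocol 1 is ICMP; anything else is out of scope
        return None
    icmp = packet[ihl:]
    if icmp[0] not in (3, 4, 5, 11, 12):  # only the error types carry a quoted IP header
        return None
    inner = icmp[8:]
    if len(inner) < 20:
        return None
    # Check both quoted addresses: the inner source (the case the text describes) and the
    # inner destination (the DNAT case, where the translated target address is what leaks).
    for addr in (ipaddress.ip_address(inner[12:16]), ipaddress.ip_address(inner[16:20])):
        if any(addr in net for net in PRIVATE_NETS):
            return str(addr)
    return None

# Constructed scenario: 203.0.113.5 probes UDP/5000 on the firewall's public address
# 198.51.100.1, which is DNATed to 192.168.1.20. That host answers "port unreachable"
# (type 3, code 3); the outer source is masqueraded, but the quoted header is not.
PROBE_AFTER_DNAT = udp_probe("203.0.113.5", "192.168.1.20", 40000, 5000)
LEAKY_REPLY = icmp_error("198.51.100.1", "203.0.113.5", 3, 3, PROBE_AFTER_DNAT)
# The same reply with the quoted header translated back, as a correct NAT would send it.
CLEAN_REPLY = icmp_error("198.51.100.1", "203.0.113.5", 3, 3,
                         udp_probe("203.0.113.5", "198.51.100.1", 40000, 5000))
```

Run against packets captured on the outside interface, a non-None result from leaked_internal_address is exactly the symptom the patch or the OUTPUT rule above is meant to remove.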