Section 11.2 IP Masquerading Fails for ICMP

IP Masquerading (NAT) has several major advantages for security:

  1. It prevents many attacks against an internal network from the Internet, because it prevents a system on the Internet from addressing internal systems. (A cracker still can attack ports on the firewall that are being mapped to internal systems in the hope of accidentally hitting one with the correct spoofed source address and port, but this is rare so far.)

  2. It makes it hard for an attacker to map out someone's internal network because he "can't get there from here."

  3. It allows many internal systems to have Internet access without needing multiple real IP addresses.

Conversely, a serious bug in IP Tables does allow the cracker to get there. This bug prevents any ICMP message originating from an internal system from being Masqueraded. Instead, an ICMP error response will have as its payload the source address of the internal system. This allows a cracker to map out your internal network.
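The leak described above can be checked for on the wire. The following Python is an added example, not from the book or the netfilter project: it parses an outbound IPv4 packet, and if the packet is an ICMP error, reads the source address from the quoted inner IP header and reports it when it falls in an RFC 1918 range. The sample packet is constructed here, using documentation address ranges rather than real hosts.

```python
import ipaddress
import struct

# Constructed sample (documentation address ranges, not real hosts): the
# firewall's public address is 203.0.113.1, the Internet host 198.51.100.7,
# and the internal LAN host 192.168.1.10.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # ICMP errors that quote the offending datagram

def ipv4_header(src, dst, proto, total_len):
    # Minimal 20-byte IPv4 header; checksum left at zero (not checked here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_icmp_error(outer_src, outer_dst, inner_src, inner_dst):
    # ICMP type 3 code 3 (port unreachable) quoting the original datagram's
    # IP header plus the first 8 bytes of its payload (a UDP header to port 53).
    quoted = ipv4_header(inner_src, inner_dst, 17, 36) + struct.pack("!HHHH", 40000, 53, 16, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return ipv4_header(outer_src, outer_dst, 1, 20 + len(icmp)) + icmp

def leaked_internal_address(packet):
    """Return the quoted inner source address as a string if this IPv4 packet is
    an ICMP error whose payload still names an RFC 1918 host, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                 # IP protocol field: 1 = ICMP
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return None                    # echo requests and replies quote nothing
    inner = icmp[8:]                   # quoted IP header starts after the 8-byte ICMP header
    if len(inner) < 20:
        return None
    inner_src = ipaddress.IPv4Address(inner[12:16])
    if any(inner_src in net for net in RFC1918):
        return str(inner_src)
    return None

if __name__ == "__main__":
    pkt = build_icmp_error("203.0.113.1", "198.51.100.7", "192.168.1.10", "198.51.100.7")
    print(leaked_internal_address(pkt))   # 192.168.1.10: the internal address survived the NAT
```

Run over a capture of the firewall's external interface, any non-None result is an ICMP error that left with an internal address still quoted in its payload.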

This serious problem, along with other design flaws (such as a lack of the simple -l flag for logging that IP Chains has), causes me to consider IP Tables still to be in beta stage and not to be a clear winner over IP Chains. This bug is in all versions of IP Tables before 1.2.6a and affects kernels between 2.4.4 and at least 2.4.19, and affects DNAT when routed to internal systems (and possibly other scenarios).

This affects most or all major distributions of Linux running a 2.4 kernel released through 2002, including Red Hat 7.3, SuSE 8.0, Slackware 8.0, and Mandrake 8.2. Obtain the patch from your distribution's Web site or from

www.netfilter.org/security/2002-04-02-icmp-dnat.html

One workaround is to have an IP Tables rule to block all ICMP packets from being sent to the Internet. The following rule will do this.

iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP

I am adamant that most firewalls should block all ICMP packets from being sent to the Internet anyway (except for trusted systems doing ping and traceroute commands). While many security "experts" will tell you that blocking ICMP packets will cause fragmentation requests to fail and horrible things to happen, the reality, based on my blocking them for years for many clients, is that no such problem will occur.

Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260