Joining subnets
billbo
Since: Aug 20, 2009
Posts: 4
PostPosted: Thu Aug 20, 2009 6:38 am    Post subject: Joining subnets
Archived from groups: comp.os.linux.networking

I am currently using nat to join two subnets for internal access to
services and am wondering if there is a more elegant solution.

eg.

net1 192.168.10.0
net2 192.168.11.0

net1 is our local lan and net2 is our servers. To avoid having to
cross two firewalls I am using a linux box with nat + firewall + dns +
routing on the local machines to give access to the servers. This is
very awkward, is there a better solution? I still want to limit
traffic between the subnets to only those services that are made
public on the net2 subnet.
David Schwartz
Since: Apr 29, 2007
Posts: 57
PostPosted: Thu Aug 20, 2009 9:25 am    Post subject: Re: Joining subnets
Archived from groups: per prev. post

On Aug 20, 6:38 am, billbo <bpl....RemoveThis@buyowner.com> wrote:
> I am currently using nat to join two subnets for internal access to
> services and am wondering if there is a more elegant solution.
>
> eg.
>
> net1  192.168.10.0
> net2  192.168.11.0
>
> net1 is our local lan and net2 is our servers.  To avoid having to
> cross two firewalls I am using a linux box with nat + firewall + dns +
> routing on the local machines to give access to the servers.  This is
> very awkward, is there a better solution?  I still want to limit
> traffic between the subnets to only those services that are made
> public on the net2 subnet.

I don't understand your question. What does NAT have to do with
anything?

DS
Moe Trin
Since: Aug 12, 2004
Posts: 1732
PostPosted: Thu Aug 20, 2009 3:10 pm    Post subject: Re: Joining subnets
Archived from groups: per prev. post

On Thu, 20 Aug 2009, in the Usenet newsgroup comp.os.linux.networking, in
article <11f4736f-7bc5-427c-a371-49590015f980 DeleteThis @g23g2000vbr.googlegroups.com>,
billbo wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

>I am currently using nat to join two subnets for internal access to
>services and am wondering if there is a more elegant solution.

Not very many details, but why do you need NAT?

>net1 192.168.10.0
>net2 192.168.11.0
>
>net1 is our local lan and net2 is our servers.

Vague, but OK.

>To avoid having to cross two firewalls I am using a linux box with
>nat + firewall + dns + routing on the local machines to give access
>to the servers. This is very awkward, is there a better solution?

Your description isn't very clear, but why do you need NAT between
the two subnets? The normal setup would just do ordinary routing.

Net 1:

Kernel IP routing table
Destination    Gateway        Genmask         Flags Metric Ref   Use Iface
192.168.10.0   0.0.0.0        255.255.255.0   U     0      0   89948 eth0
192.168.11.0   192.168.10.6   255.255.255.0   UG    0      0   32165 eth0
127.0.0.0      0.0.0.0        255.0.0.0       U     0      0     388 lo
0.0.0.0        192.168.10.248 0.0.0.0         UG    0      0    2673 eth0

NET 2:

Kernel IP routing table
Destination    Gateway        Genmask         Flags Metric Ref   Use Iface
192.168.11.0   0.0.0.0        255.255.255.0   U     0      0   89948 eth0
192.168.10.0   192.168.11.6   255.255.255.0   UG    0      0   32165 eth0
127.0.0.0      0.0.0.0        255.0.0.0       U     0      0     388 lo

This allows net 1 to talk to the world via the gateway at 192.168.10.248
and to net 2 via a different gateway. Net 2 here only talks to net 1
via the gateway between the two. If net 2 needs to talk to the world
as well, change the routing to

Kernel IP routing table
Destination    Gateway        Genmask         Flags Metric Ref   Use Iface
192.168.11.0   0.0.0.0        255.255.255.0   U     0      0   89948 eth0
127.0.0.0      0.0.0.0        255.0.0.0       U     0      0     388 lo
0.0.0.0        192.168.11.6   0.0.0.0         UG    0      0    2673 eth0

As these are RFC1918 addresses, your gateway to the world (here shown as
192.168.10.248) would be doing any NAT and port forwarding from outside.

>I still want to limit traffic between the subnets to only those services
>that are made public on the net2 subnet.

For that, you need some kind of filter - be it a firewall on the router
between the two, or using tcp_wrappers ('man 5 hosts_access') on the
server to limit who they will listen to. Note that if there is no
server listening on port $FOO on any server on net 2, blocking port
$FOO on the router serves no useful purpose. There won't be any traffic
to a port without a destination.

Old guy
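The routing tables in the reply above, worked through in code. This is an added example for this thread, not code from the post: the three host tables are transcribed from the reply, while the two-NIC router table, the "no return route" table and the sample addresses are constructed here. It also covers the martian-source and all-subnet-broadcast questions that come up later in the thread: a martian is a packet whose source has no route back, and a router simply has no route that carries 192.168.255.255 into net 2.

```python
"""Walk-through of the routing tables in Moe Trin's reply, written as an added
example for this thread (it is not code from the post). The three host tables
are transcribed from the post; the router table, the 'no return route' table
and the sample addresses are constructed here."""
import ipaddress

def route(dest, gw, mask, iface):
    """One netstat -rn style entry as (network, gateway, iface); a gateway of
    0.0.0.0 in that output means the network is directly attached."""
    return (ipaddress.IPv4Network((dest, mask)), None if gw == "0.0.0.0" else gw, iface)

# Net 1 host (from the post): the world via .248, net 2 via the router at .6
NET1_HOST = [
    route("192.168.10.0", "0.0.0.0", "255.255.255.0", "eth0"),
    route("192.168.11.0", "192.168.10.6", "255.255.255.0", "eth0"),
    route("127.0.0.0", "0.0.0.0", "255.0.0.0", "lo"),
    route("0.0.0.0", "192.168.10.248", "0.0.0.0", "eth0"),
]
# Net 2 host (from the post): reaches net 1 and nothing else
NET2_HOST = [
    route("192.168.11.0", "0.0.0.0", "255.255.255.0", "eth0"),
    route("192.168.10.0", "192.168.11.6", "255.255.255.0", "eth0"),
    route("127.0.0.0", "0.0.0.0", "255.0.0.0", "lo"),
]
# Net 2 host, "needs to talk to the world as well" variant (from the post)
NET2_HOST_DEFAULT = [
    route("192.168.11.0", "0.0.0.0", "255.255.255.0", "eth0"),
    route("127.0.0.0", "0.0.0.0", "255.0.0.0", "lo"),
    route("0.0.0.0", "192.168.11.6", "0.0.0.0", "eth0"),
]
# Constructed: a net 2 host with no route back to net 1 at all, the
# misconfiguration the later replies name as the cause of martian log lines
NET2_HOST_NO_RETURN = [
    route("192.168.11.0", "0.0.0.0", "255.255.255.0", "eth0"),
    route("127.0.0.0", "0.0.0.0", "255.0.0.0", "lo"),
]
# Constructed: the two-NIC router at 192.168.10.6 (eth0) / 192.168.11.6 (eth1)
ROUTER = [
    route("192.168.10.0", "0.0.0.0", "255.255.255.0", "eth0"),
    route("192.168.11.0", "0.0.0.0", "255.255.255.0", "eth1"),
    route("0.0.0.0", "192.168.10.248", "0.0.0.0", "eth0"),
]

def lookup(table, dst):
    """Longest-prefix match. Returns (next_hop, iface), next_hop being None for
    a directly attached destination, or None when nothing matches (the kernel
    reports that as 'Network is unreachable')."""
    addr = ipaddress.IPv4Address(dst)
    matches = [(net.prefixlen, gw, iface) for net, gw, iface in table if addr in net]
    if not matches:
        return None
    _, gw, iface = max(matches, key=lambda m: m[0])
    return gw, iface

def is_martian_source(table, src, in_iface):
    """Reverse-path check in miniature: a packet arriving on in_iface whose
    source has no route back out of in_iface is what rp_filter rejects and
    log_martians reports as a 'martian source'."""
    back = lookup(table, src)
    return back is None or back[1] != in_iface

def forward_iface(router_table, dst):
    """Interface a Linux router would send a transit packet out of, or None
    if it drops it. Directed broadcasts for a connected subnet are never
    forwarded; a destination with no route is dropped. Which *ports* may
    cross is the firewall's decision, not the routing table's."""
    addr = ipaddress.IPv4Address(dst)
    for net, gw, _ in router_table:
        if gw is None and addr == net.broadcast_address:
            return None
    hop = lookup(router_table, dst)
    return None if hop is None else hop[1]

if __name__ == "__main__":
    print("net1 host -> 192.168.11.5:", lookup(NET1_HOST, "192.168.11.5"))
    print("net2 host -> 8.8.8.8:", lookup(NET2_HOST, "8.8.8.8"))
    print("martian without return route:",
          is_martian_source(NET2_HOST_NO_RETURN, "192.168.10.100", "eth0"))
    print("router sends 192.168.255.255 out of:", forward_iface(ROUTER, "192.168.255.255"))
```

Two results are worth noticing: a net 2 host that has the route via 192.168.11.6 (either table from the post) does not log the net 1 client as a martian, only the constructed table without a return route does; and the router carries 192.168.255.255 out of eth0 toward the default gateway, not into net 2, while 192.168.11.255 is dropped as a directed broadcast.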
billbo
Since: Aug 20, 2009
Posts: 4
PostPosted: Mon Aug 24, 2009 5:39 am    Post subject: Re: Joining subnets
Archived from groups: per prev. post

On Aug 20, 4:10 pm, ibupro....RemoveThis@painkiller.example.tld (Moe Trin) wrote:
> On Thu, 20 Aug 2009, in the Usenet newsgroup comp.os.linux.networking, in
> article <11f4736f-7bc5-427c-a371-49590015f....RemoveThis@g23g2000vbr.googlegroups.com>,
>
> billbo wrote:
>
> NOTE: Posting from groups.google.com (or some web-forums) dramatically
> reduces the chance of your post being seen.  Find a real news server.
>
> >I am currently using nat to join two subnets for internal access to
> >services and am wondering if there is a more elegant solution.
>
> Not very many details, but why do you need NAT?
>
> >net1  192.168.10.0
> >net2  192.168.11.0
>
> >net1 is our local lan and net2 is our servers.
>
> Vague, but OK.
>
> >To avoid having to cross two firewalls I am using a linux box with
> >nat + firewall + dns + routing on the local machines to give access
> >to the servers.  This is very awkward, is there a better solution?
>
> Your description isn't very clear, but why do you need NAT between
> the two subnets?  The normal setup would just do ordinary routing.
>
> Net 1:
>
> Kernel IP routing table
> Destination    Gateway        Genmask         Flags Metric Ref   Use Iface
> 192.168.10.0   0.0.0.0        255.255.255.0   U     0      0   89948 eth0
> 192.168.11.0   192.168.10.6   255.255.255.0   UG    0      0   32165 eth0
> 127.0.0.0      0.0.0.0        255.0.0.0       U     0      0     388 lo
> 0.0.0.0        192.168.10.248 0.0.0.0         UG    0      0    2673 eth0
>
> NET 2:
>
> Kernel IP routing table
> Destination    Gateway        Genmask         Flags Metric Ref   Use Iface
> 192.168.11.0   0.0.0.0        255.255.255.0   U     0      0   89948 eth0
> 192.168.10.0   192.168.11.6   255.255.255.0   UG    0      0   32165 eth0
> 127.0.0.0      0.0.0.0        255.0.0.0       U     0      0     388 lo
>
> This allows net 1 to talk to the world via the gateway at 192.168.10.248
> and to net 2 via a different gateway.  Net 2 here only talks to net 1
> via the gateway between the two.  If net 2 needs to talk to the world
> as well, change the routing to
>
> Kernel IP routing table
> Destination    Gateway        Genmask         Flags Metric Ref   Use Iface
> 192.168.11.0   0.0.0.0        255.255.255.0   U     0      0   89948 eth0
> 127.0.0.0      0.0.0.0        255.0.0.0       U     0      0     388 lo
> 0.0.0.0        192.168.11.6   0.0.0.0         UG    0      0    2673 eth0
>
> As these are RFC1918 addresses, your gateway to the world (here shown as
> 192.168.10.248) would be doing any NAT and port forwarding from outside.
>
> >I still want to limit traffic between the subnets to only those services
> >that are made public on the net2 subnet.
>
> For that, you need some kind of filter - be it a firewall on the router
> between the two, or using tcp_wrappers ('man 5 hosts_access') on the
> server to limit who they will listen to.  Note that if there is no
> server listening on port $FOO on any server on net 2, blocking port
> $FOO on the router serves no useful purpose. There won't be any traffic
> to a port without a destination.
>
>         Old guy

The servers subnet and the lan subnet are not physically connected.
The linux nat firewall is being used to connect them only at specified
ports and ip addresses like a bridge. Each lan client is then routed
to this bridge to access services on the server subnet. By using
nat, I do not have to worry about routing to the lan network from the
servers. The nat fw also seems to offer better isolation as the lan
network is being treated as an untrusted network.
billbo
Since: Aug 20, 2009
Posts: 4
PostPosted: Mon Aug 24, 2009 7:27 am    Post subject: Re: Joining subnets
Archived from groups: per prev. post

On Aug 24, 8:42 am, Wolfgang Draxinger <Wolfgang.Draxin... DeleteThis @physik.uni-
muenchen.de> wrote:
> billbo wrote:
> > The servers subnet and the lan subnet are not physically connected.
> > The linux nat firewall is being used to connect them only at specified
> > ports and ip addresses like a bridge.  Each lan client is then routed
> > to this bridge to access services on the server  subnet.  By using
> > nat, I do not have to worry about routing to the lan network from the
> > servers.  The nat fw also seems to offer better isolation as the lan
> > network is being treated as an untrusted network.
>
> NAT is *not* a security feature. It never was meant as such and it will
> never be.
>
> Just use normal routing and apply appropriate firewall rules to limit access
> to certain ports and IP ranges. Bonus: No headaches due to strange failure
> modes.
>
> Please, no arguing about that, it's just that way.
>
> Wolfgang

The fw+nat (fw being iptables) is the security feature and is used to
limit ports and IP addresses, the nat is to avoid having to route from
the server network. The NAT is also effective in preventing the
spread of broadcast junk and garbage and prevents my logs from getting
filled up with martian source errors. Also, JUST a FYI, while NAT in
itself is not an acceptable security solution, most network nasties
cannot traverse NAT nor can they scan through NAT, the same cannot be
said about routed networks.

I thank you for your time, but I think the current solution, which has
been in use for 8 years, offers more benefits than regular routing. I
will look into iproute2 as it allows port based redirection and
integrates with iptables quite nicely.
David Schwartz
Since: Apr 29, 2007
Posts: 57
PostPosted: Mon Aug 24, 2009 8:28 am    Post subject: Re: Joining subnets
Archived from groups: per prev. post

On Aug 24, 5:39 am, billbo <bpl....TakeThisOut@buyowner.com> wrote:

> The servers subnet and the lan subnet are not physically connected.
> The linux nat firewall is being used to connect them only at specified
> ports and ip addresses like a bridge.  Each lan client is then routed
> to this bridge to access services on the server  subnet.  By using
> nat, I do not have to worry about routing to the lan network from the
> servers.  The nat fw also seems to offer better isolation as the lan
> network is being treated as an untrusted network.

Well then the answer to your question is obvious -- the more elegant
solution than using NAT is not using NAT. The NAT serves almost no
purpose, so just get rid of it.

DS
Wolfgang Draxinger
Since: Aug 24, 2009
Posts: 1
PostPosted: Mon Aug 24, 2009 9:10 am    Post subject: Re: Joining subnets
Archived from groups: per prev. post

billbo wrote:

> The servers subnet and the lan subnet are not physically connected.
> The linux nat firewall is being used to connect them only at specified
> ports and ip addresses like a bridge. Each lan client is then routed
> to this bridge to access services on the server subnet. By using
> nat, I do not have to worry about routing to the lan network from the
> servers. The nat fw also seems to offer better isolation as the lan
> network is being treated as an untrusted network.

NAT is *not* a security feature. It never was meant as such and it will
never be.

Just use normal routing and apply appropriate firewall rules to limit access
to certain ports and IP ranges. Bonus: No headaches due to strange failure
modes.

Please, no arguing about that, it's just that way.


Wolfgang
billbo
Since: Aug 20, 2009
Posts: 4
PostPosted: Mon Aug 24, 2009 9:21 am    Post subject: Re: Joining subnets
Archived from groups: per prev. post

On Aug 24, 10:57 am, Pascal Hambourg <boite-a-s....DeleteThis@plouf.fr.eu.org>
wrote:
> Hello,
>
> billbo a écrit :
>
>
>
> > The fw+nat (fw being iptables) is the security feature and is used to
> > limit ports and IP addresses,
>
> The firewall only is the security feature. The NAT is not.
>
> > the nat is to avoid having to route from the server network.
>
> This is the only purpose of the NAT in your setup.

And reason enough to keep it.

>
> > The NAT is also effective in preventing the
> > spread of broadcast junk and garbage
>
> Huh ? Regular routing doesn't forward broadcast, this has nothing to do
> with NAT. Regular routing is not transparent bridging.

Where do broadcast packets sent to x.255.255.255 go? That would be
to all subnets on the network wouldn't it? How would simple routing
stop these seemingly legit packets from passing?

>
> > and prevents my logs from getting
> > filled up with martian source errors.
>
> You get martians because the server network has no route to the client
> subnet. Add the proper route and you won't see martians.

Martians will also be logged if a broadcast is sent to the entire
network from a workstation on a different subnet.

In this case, a compromised machine at 192.168.10.100 could send
broadcasts on 192.168.255.255 which could reach a server at
192.168.11.5 and the server at 192.168.11.5 would log a martian.


>
> > Also, JUST a FYI, while NAT in
> > itself is not an acceptable security solution, most network nasties
> > cannot traverse NAT nor can they scan through NAT, the same cannot be
> > said about routed networks.
>
> Nonsense. Anything that can pass through regular routing and filtering
> can still pass when you add NAT. NAT does not do any filtering. NAT is
> just a workaround for broken routing.
>
> > I will look into iproute2 as it allows port based redirection
>
> Huh ? What do you mean by "port redirection" ? Destination NAT ?

Port based routing where I can redirect traffic from a specific port
to a specific port at another IP.
David Schwartz
Since: Apr 29, 2007
Posts: 57
PostPosted: Mon Aug 24, 2009 10:36 am    Post subject: Re: Joining subnets
Archived from groups: per prev. post

On Aug 24, 9:21 am, billbo <bpl....DeleteThis@buyowner.com> wrote:

> > > the nat is to avoid having to route from the server network.
>
> > This is the only purpose of the NAT in your setup.
>
> And reason enough to keep it.

Umm, huh?

> > > The NAT is also effective in preventing the
> > > spread of broadcast junk and garbage

> > Huh ? Regular routing doesn't forward broadcast, this has nothing to do
> > with NAT. Regular routing is not transparent bridging.

> Where do broadcast packets sent to x.255.255.255  go?  That would be
> to all subnets on the network wouldn't it?  How would simple routing
> stop these seemingly legit packets from passing?

Simple routing would stop those packets by simply not routing them.

> > > and prevents my logs from getting
> > > filled up with martian source errors.
>
> > You get martians because the server network has no route to the client
> > subnet. Add the proper route and you won't see martians.
>
> martians will also be logged if a broadcast is sent to the entire
> network from a workstation on a different subnet.

How does NAT stop that? Answer -- the same way routing does -- by not
passing those packets.

> in this case, a compromised machine at 192.168.10.100 could send
> broadcasts  on 192.168.255.255 which could reach a server at
> 192.168.11.5 and the server at 192.168.11.5 would log a martian.

Since it just sent that packet on the wrong network, it would never be
seen by the server at 192.168.11.5 unless something either NATed it or
routed it onto the other network. Both solutions solve this problem
the same way -- they simply don't pass the packet to the other
network.

Any problem you solve with NAT by not NATing the packet can be better
solved with routing the same way -- don't route the packet. NAT serves
no purpose in your setup.

DS
Pascal Hambourg
Since: Oct 11, 2006
Posts: 186
PostPosted: Mon Aug 24, 2009 12:10 pm    Post subject: Re: Joining subnets
Archived from groups: per prev. post

Hello,

billbo a écrit :
>
> The fw+nat (fw being iptables) is the security feature and is used to
> limit ports and IP addresses,

The firewall only is the security feature. The NAT is not.

> the nat is to avoid having to route from the server network.

This is the only purpose of the NAT in your setup.

> The NAT is also effective in preventing the
> spread of broadcast junk and garbage

Huh ? Regular routing doesn't forward broadcast, this has nothing to do
with NAT. Regular routing is not transparent bridging.

> and prevents my logs from getting
> filled up with martian source errors.

You get martians because the server network has no route to the client
subnet. Add the proper route and you won't see martians.

> Also, JUST a FYI, while NAT in
> itself is not an acceptable security solution, most network nasties
> cannot traverse NAT nor can they scan through NAT, the same cannot be
> said about routed networks.

Nonsense. Anything that can pass through regular routing and filtering
can still pass when you add NAT. NAT does not do any filtering. NAT is
just a workaround for broken routing.

> I will look into iproute2 as it allows port based redirection

Huh ? What do you mean by "port redirection" ? Destination NAT ?
Moe Trin
Since: Aug 12, 2004
Posts: 1732
PostPosted: Mon Aug 24, 2009 2:54 pm    Post subject: Re: Joining subnets
Archived from groups: per prev. post

On Mon, 24 Aug 2009, in the Usenet newsgroup comp.os.linux.networking, in
article <69e15fde-f7e6-47fa-85b1-f2cac9cbd517.DeleteThis@c34g2000yqi.googlegroups.com>,
billbo wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

ibupro....DeleteThis@painkiller.example.tld (Moe Trin) wrote:

>> Net 1:
>>
>> Kernel IP routing table
>> Destination    Gateway        Genmask         Flags Metric Ref   Use Iface
>> 192.168.10.0   0.0.0.0        255.255.255.0   U     0      0   89948 eth0
>> 192.168.11.0   192.168.10.6   255.255.255.0   UG    0      0   32165 eth0
>> 127.0.0.0      0.0.0.0        255.0.0.0       U     0      0     388 lo
>> 0.0.0.0        192.168.10.248 0.0.0.0         UG    0      0    2673 eth0
>>
>> NET 2:
>>
>> Kernel IP routing table
>> Destination    Gateway        Genmask         Flags Metric Ref   Use Iface
>> 192.168.11.0   0.0.0.0        255.255.255.0   U     0      0   89948 eth0
>> 192.168.10.0   192.168.11.6   255.255.255.0   UG    0      0   32165 eth0
>> 127.0.0.0      0.0.0.0        255.0.0.0       U     0      0     388 lo
>>
>> This allows net 1 to talk to the world via the gateway at 192.168.10.248
>> and to net 2 via a different gateway.

>The servers subnet and the lan subnet are not physically connected.

That's what it shows above. The world has only been doing this for maybe
24 years - see RFC0950, RFC1122, RFC1219 and RFC1812 available through
your favorite search engine. The box at 192.168.10.6 and 192.168.11.6 is
a router with two NICs.

>The linux nat firewall is being used to connect them only at specified
>ports and ip addresses like a bridge.

Sounds much more complicated than it needs to be.

>Each lan client is then routed to this bridge to access services on
>the server subnet. By using nat, I do not have to worry about routing
>to the lan network from the servers. The nat fw also seems to offer
>better isolation as the lan network is being treated as an untrusted
>network.

Routing does not have to forward every packet for every port/address.

In your response to Wolfgang Draxinger, you state

>The fw+nat (fw being iptables) is the security feature and is used to
>limit ports and IP addresses, the nat is to avoid having to route from
>the server network.

Using a firewall is fine - but the NAT adds nothing and only adds problems.
It also complicates logging and access control.

>The NAT is also effective in preventing the spread of broadcast junk
>and garbage and prevents my logs from getting filled up with martian
>source errors.

Martian source errors are due to a lack of a route. Were this not the
case, don't you think that every computer connected to the Internet
would be reporting martian sources for every OTHER computer in the
world? It doesn't happen if the route exists. Mind you, the router
doesn't have to forward every packet to every address, so security
isn't a problem. Likewise, tcp_wrappers have been around for 15 years
(the last change was March 1997).

>Also, JUST a FYI, while NAT in itself is not an acceptable security
>solution, most network nasties cannot traverse NAT nor can they scan
>through NAT, the same cannot be said about routed networks.

Apparently, no one has ever heard of policy routing - it too has only
been around for over 20 years, such that there are about 12 RFCs on
the subject.

Old guy
Pascal Hambourg
Since: Oct 11, 2006
Posts: 186
PostPosted: Tue Aug 25, 2009 8:10 am    Post subject: Re: Joining subnets
Archived from groups: per prev. post

billbo a écrit :
> On Aug 24, 10:57 am, Pascal Hambourg wrote:
>> billbo a écrit :
>>
>>> the nat is to avoid having to route from the server network.
>>
>> This is the only purpose of the NAT in your setup.
>
> And reason enough to keep it.

Fine, then. But do not claim it adds any security. Adding NAT creates
security issues: NAT hides the clients' real addresses from the servers,
making logging and access control difficult as Moe pointed out.

> Where do broadcast packets sent to x.255.255.255 go? That would be
> to all subnets on the network wouldn't it? How would simple routing
> stop these seemingly legit packets from passing?

Aren't all-subnet broadcasts supposed to be deprecated?
Anyway, I do not see how NAT would help in any way. If your Linux
router happens to forward any kind of packets you don't want it to, you
just add filtering rules and block them. NAT rules do not block packets,
they just change their IP addresses and/or ports.

> martians will also be logged if a broadcast is sent to the entire
> network from a workstation on a different subnet.

Not if your hosts have the proper routes. Again, see Moe's reply.

>>> I will look into iproute2 as it allows port based redirection
>>
>> Huh ? What do you mean by "port redirection" ? Destination NAT ?
>
> Port based routing where I can redirect traffic from a specific port
> to a specific port at another IP.

This is indeed destination NAT as performed by the iptables DNAT target.
It has strictly nothing to do with iproute2.
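The "ordinary routing plus a filter" design that the replies keep recommending, modelled in code as an added example (not code from the thread or from any poster). A small stateful FORWARD chain decides which flows cross between the subnets, and beside it are the two NAT operations discussed: SNAT, which only rewrites the source and so hides the client from the server's logs and tcp_wrappers rules, and DNAT, which is what the "port based redirection" at the end of this reply actually is. The published service list, the router address 192.168.11.6 on the net 2 side, and all packets are constructed for the example.

```python
"""Added example, not code from the thread: the 'ordinary routing plus a
filter' design the replies recommend, modelled as a tiny stateful FORWARD
chain, beside what SNAT and DNAT do to the same packets. The service list,
router address and sample packets are constructed for the example."""
from dataclasses import dataclass, replace
import ipaddress

LAN = ipaddress.IPv4Network("192.168.10.0/24")      # net1, treated as untrusted
SERVERS = ipaddress.IPv4Network("192.168.11.0/24")  # net2
# Assumed set of services "made public on the net2 subnet": (server, proto, port)
PUBLISHED = {("192.168.11.5", "tcp", 80), ("192.168.11.5", "tcp", 443),
             ("192.168.11.7", "tcp", 22)}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

class ForwardChain:
    """Stand-in for this ruleset on the two-NIC router (no NAT involved):
         iptables -P FORWARD DROP
         iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
         iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.11.5 -p tcp --dport 80 -j ACCEPT
         ... one ACCEPT per published service ...
         iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP "
    """
    def __init__(self):
        self.conntrack = set()   # flows the LAN opened: (client, server, proto, sport, dport)
        self.log = []

    def filter(self, p):
        # Rule 1: packets belonging to a connection the LAN opened flow back freely.
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.conntrack:
            return "ACCEPT"
        # Rule 2: a new connection is accepted only from the LAN to a published service.
        if ipaddress.IPv4Address(p.src) in LAN and (p.dst, p.proto, p.dport) in PUBLISHED:
            self.conntrack.add((p.src, p.dst, p.proto, p.sport, p.dport))
            return "ACCEPT"
        # Policy: anything else (unpublished port, server-initiated, probe) is
        # dropped, and the log line carries the real source address.
        self.log.append(f"FORWARD DROP src={p.src} dst={p.dst} proto={p.proto} dport={p.dport}")
        return "DROP"

def snat(p, router_addr="192.168.11.6"):
    """What a MASQUERADE/SNAT rule does to a packet the filter already
    accepted: the source becomes the router's own address. It blocks nothing;
    it only hides the client, which is the logging and access-control problem
    Pascal and Moe describe."""
    return replace(p, src=router_addr)

def dnat(p, redirects):
    """The 'port based redirection' from the thread is the iptables DNAT
    target: rewrite (dst, dport) to another host/port before routing."""
    target = redirects.get((p.dst, p.proto, p.dport))
    return p if target is None else replace(p, dst=target[0], dport=target[1])

def hosts_access_allows(client_src, allow_prefix="192.168.10."):
    """tcp_wrappers ('man 5 hosts_access') style check on the server: allow
    only when the *observed* client address is in the LAN. Behind SNAT every
    client looks like the router, so per-client rules stop meaning anything."""
    return client_src.startswith(allow_prefix)

if __name__ == "__main__":
    fw = ForwardChain()
    web = Packet("192.168.10.100", "192.168.11.5", "tcp", 40000, 80)
    print(fw.filter(web), "- published service, routed with the real client address")
    print(fw.filter(Packet("192.168.10.100", "192.168.11.5", "tcp", 40001, 3306)), "- unpublished port")
    print("hosts.allow sees client:", hosts_access_allows(web.src),
          "/ behind SNAT:", hosts_access_allows(snat(web).src))
    print(fw.log)
```

The filter alone implements "only those services that are made public on the net2 subnet": the LAN can open the published ports, replies come back through the conntrack entry, and a server-initiated connection or an unpublished port is dropped and logged with the client's real address. Adding SNAT on top changes none of those decisions; it only replaces 192.168.10.100 with 192.168.11.6 in everything the server sees.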
David Schwartz
Since: Apr 29, 2007
Posts: 57
PostPosted: Tue Aug 25, 2009 10:50 am    Post subject: Re: Joining subnets
Archived from groups: per prev. post

On Aug 24, 7:27 am, billbo <bpl....DeleteThis@buyowner.com> wrote:

> The fw+nat (fw being iptables) is the security feature and is used to
> limit ports and IP addresses, the nat is to avoid having to route from
> the server network.

The firewall part is the security feature, not the NAT.

> The NAT is also effective in preventing the
> spread of broadcast junk and garbage and prevents my logs from getting
> filled up with martian source errors.

Right, and how does it stop broadcast junk? By not NATing it. Guess
what? Routing does the same thing the same way -- by not routing it.

> Also, JUST a FYI, while NAT in
> itself is not an acceptable security solution, most network nasties
> cannot traverse NAT nor can they scan through NAT, the same cannot be
> said about routed networks.

The nasties don't have to do anything special to traverse NAT or scan
through NAT. They simply have to send ordinary traffic and the NAT
does its job, which is to provide connectivity. This is a common
source of confusion because many NAT implementations have built in
limited firewalls, so sometimes people think the NAT is providing some
kind of security. NAT's job is to pass any traffic it can figure out
how to pass. Its job is to make private IP addressing as invisible as
practical. Its job is to *help* malware get through, if it can. If it
blocks anything, it's only because it can't figure out where to send
it.

A given malicious packet will either pass or it will not. If NAT+fw
fails to NAT it, then similarly a router+fw can fail to route it.
There is no security difference.

> I thank you for your time, but I think the current solution, which has
> been in use for 8 years, offers more benefits than regular routing.  I
> will look into iproute2 as it allows port based redirection and
> integrates with iptables quite nicely.

Please name one benefit. I don't think you can.

The security issue is bogus. Anything NAT can fail to NAT, a router
can fail to route, for the same reasons.

DS