[Pkg-xen-devel] Bug#430676: xen-utils-common: network-nat creates insecure NAT POSTROUTING MASQUERADE?
Olivier Berger
olivier.berger at int-edu.eu
Tue Jun 26 14:10:08 UTC 2007
Package: xen-utils-common
Version: 3.0.3-0-2
Severity: normal
I'm not an expert in networking, but I think that the current setup when using network-nat for domains is insecure.
I've configured:
(network-script 'network-nat netdev=eth1')
(vif-script vif-nat)
So when only domain 0 is started, I get the following:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

hortense:~# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
AFAICT, this means that NAT is active even though no vif interface has been started yet, and is potentially insecure since the default FORWARD policy is ACCEPT.
My assumption on the insecure setup is from reading http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html :
Common mistakes:
It appears that a common mistake with new IP Masq users is to make the first command simply the following:
IPTABLES:
---------
iptables -t nat -A POSTROUTING -j MASQUERADE
Do NOT make your default policy MASQUERADING. Otherwise, someone can manipulate their routing tables to tunnel straight back through your gateway, using it to masquerade their OWN identity!
Maybe I'm wrong or there's another interaction, but I think that the masquerade should be started only when the first domU is started, and not when xend is started.
Btw, I cannot find a lot of docs on the nat scripts and I'm not completely sure how they should be used... so any hints on docs would be very much welcome too.
Hope this helps,
Best regards,
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-xen-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages xen-utils-common depends on:
ii lsb-base 3.1-23.1 Linux Standard Base 3.1 init scrip
ii udev 0.105-4 /dev/ and hotplug management daemo
xen-utils-common recommends no packages.
-- no debconf information
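The check a reader of this report would want is one that flags the unscoped POSTROUTING MASQUERADE rule and shows what a scoped replacement looks like. The script below is an added example written for this page; it is not code from the bug report or from the Debian xen-utils-common scripts. It reads rules in `iptables -S -t nat` rule-spec form (a constructed sample mirroring the nat table above, since the page only shows `-L -n` output) and assumes `eth1` as the external netdev and `10.0.0.0/8` as the domU address range purely for illustration, not as a statement of what vif-nat actually assigns.

```shell
#!/bin/sh
# Added example; not from the bug report or the Debian xen-utils-common scripts.
# Audits `iptables -S -t nat` output for MASQUERADE rules that are not scoped to
# a source range and an outgoing interface (the "default policy MASQUERADE"
# mistake the IP-Masquerade HOWTO warns about) and emits a replacement that is
# scoped to an assumed domU range and external netdev, with FORWARD default-deny.

# Constructed sample: rule-spec form of the nat table shown in the report.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -j MASQUERADE'

# unrestricted_masq RULES
# Prints every POSTROUTING MASQUERADE rule in RULES that lacks a source match
# (-s/--source) or an outgoing-interface match (-o/--out-interface).
# Returns 0 if at least one such rule exists, 1 otherwise.
unrestricted_masq() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING / && / -j MASQUERADE/ {
            if ($0 !~ / (-s|--source) / || $0 !~ / (-o|--out-interface) /) {
                print
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# restricted_masq_rules NETDEV DOMU_NET
# Emits iptables commands that masquerade only traffic from DOMU_NET leaving via
# NETDEV. POSTROUTING cannot match the input interface, so the check that the
# packet did not *arrive* on NETDEV (an outside host routing through the gateway
# with a spoofed DOMU_NET source) is done in FORWARD, which is made default-deny.
restricted_masq_rules() {
    netdev=$1
    domu_net=$2
    cat <<EOF
iptables -t nat -A POSTROUTING -s $domu_net -o $netdev -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -s $domu_net ! -i $netdev -o $netdev -j ACCEPT
iptables -A FORWARD -d $domu_net -i $netdev -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Run against the constructed sample. To audit a live host, pass
# "$(iptables -S -t nat)" instead (needs root) and review the emitted commands
# before piping them through sh.
main() {
    if unrestricted_masq "$SAMPLE_NAT_RULES"; then
        echo "-> unscoped MASQUERADE rule(s) above; suggested replacement (assumed eth1, 10.0.0.0/8):"
        restricted_masq_rules eth1 10.0.0.0/8
    else
        echo "no unscoped MASQUERADE rule found"
    fi
}
main
```

The replacement deliberately does not touch the question of *when* the rule is installed; it only narrows *what* the rule applies to, so a MASQUERADE entry present before any domU starts matches nothing until a vif with a DOMU_NET address exists and FORWARD lets its traffic through.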