11 April 2014, 10:37

We'll see here how to use Nftables to implement an Internet gateway, i.e. an Nftables router with IPv4 NAT and an IPv4/IPv6 DNS proxy.
This article relies on Part 5 : A Nftables Linux Router. See that part for complete explanations of how to forward using Nftables.

Here is the network topology :

[Figure NF5d : network topology]


1. What we need to build an Nftables Linux Internet Gateway

We want the Linux OS itself to be firewalled from the exterior ( both Wan and Lan ), allowing only ssh access in, and any access out.

We want Lan > Wan traffic to be always allowed, and only reply traffic to be allowed in from the Wan.

We want IPv4 NAT and an IPv4 / IPv6 DNS proxy.

This post is mostly about Nftables, so DHCP and SLAAC issues will be treated very quickly here.


2. Routing part setup

We first set up static IPs for the wan ( eth0 ) and lan ( eth1 ) interfaces.

We enable forwarding by editing :

sudo gedit /etc/sysctl.conf

and uncommenting :

net.ipv4.ip_forward=1

net.ipv6.conf.all.forwarding=1

We reboot to apply the changes.



3. NAT and DNS proxy setup

We set up IPv4 NAT :

nft add table nat
nft add chain nat post { type nat hook postrouting priority 0 \; }
nft add chain nat pre { type nat hook prerouting priority 0 \; }

( the presence of the prerouting chain seems mandatory for NAT to work, even before any rule is added to it )

Note that the selected type for these chains is nat.

nft add rule nat post ip saddr 192.168.1.0/24 oif eth0 snat to 192.168.0.254

or

nft add rule nat post ip saddr 192.168.1.10 oif eth0 snat to 192.168.0.254

where 192.168.0.254 is the Linux router's static Wan IP and 192.168.1.10 is PC1's static IP. Current nft syntax requires the keyword to after snat and dnat ; the nft release used when this post was written accepted snat 192.168.0.254 without it.


As Nftables defaults to ACCEPT in the absence of any filter rules, PC1 should now be able to access the Internet.



We set up the IPv4 DNS proxy :

nft add rule nat pre udp dport 53 ip saddr 192.168.1.0/24 dnat to 208.67.222.222:53

i.e. any IPv4 DNS request coming from the Lan, including those using the gateway as DNS server, will be proxied to 208.67.222.222 ( OpenDNS IPv4 ).

We set up the IPv6 DNS proxy :

nft add table ip6 nat
nft add chain ip6 nat post { type nat hook postrouting priority 0 \; }
nft add chain ip6 nat pre { type nat hook prerouting priority 0 \; }
nft list -n table ip6 nat

nft add rule ip6 nat pre udp dport 53 ip6 saddr 2001:db8:0:1::0/64 dnat to 2620:0:ccc::2

i.e. any IPv6 DNS request coming from the Lan, including those using the gateway as DNS server, will be proxied to 2620:0:ccc::2 ( OpenDNS IPv6 ). The destination port is left unchanged, since the matched queries already target port 53 ; beware that 2620:0:ccc::2:53 would be parsed as an IPv6 address, not as address plus port.

PC1 connections should now work OK ( including OS updates, mail client, web browsing ). The only problem seen with this implementation is IPv6 web browsing using Chrome, whereas IPv6 works OK using IE or Firefox. A particular Chrome HTTP implementation ?
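Here, as an added example that is not part of the original post, is the same gateway written as one nft script ( loaded with nft -f gateway.nft ) in current nft syntax. It keeps the post's interface names, addresses and prefixes, and goes a little beyond this post by also writing the filter part that the post delegates to Part 5 : the router itself accepts only ssh, Lan > Wan forwarding is always allowed, Wan > Lan traffic only as replies, and the drop rules carry counters so that nft list table inet filter shows the dropped packets, as in the evaluation section. The inet filter layout, the nat chain priorities ( -100 / 100 ) and the counters are my choices, not the post's.

```nft
#!/usr/sbin/nft -f
# Added example, not the blog's own ruleset: the Internet gateway of this post
# as a single nft script. Interface names, addresses and prefixes come from the
# post; the inet filter table, the nat priorities and the counters are assumptions.

flush ruleset

define wan  = "eth0"
define lan  = "eth1"
define lan4 = 192.168.1.0/24
define lan6 = 2001:db8:0:1::/64

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid drop
        # replies to connections the router itself opened (any access out)
        ct state established,related accept
        # ping, path MTU discovery, neighbour discovery and SLAAC need ICMP/ICMPv6
        meta l4proto { icmp, ipv6-icmp } accept
        # the only service reachable on the router itself, from Wan or Lan
        tcp dport 22 accept
        # everything else is dropped and counted: nft list table inet filter shows it
        counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        # Wan > Lan: only replies to connections the Lan opened
        ct state established,related accept
        # ping6 through the firewall, as required by the post
        meta l4proto ipv6-icmp accept
        # Lan > Wan: always allowed (this also carries the DNAT'ed DNS queries below)
        iifname $lan oifname $wan accept
        counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain pre {
        type nat hook prerouting priority -100;
        # IPv4 DNS proxy: every UDP/53 query from the Lan, whatever its destination
        # (the gateway itself included), is rewritten to OpenDNS
        iifname $lan ip saddr $lan4 udp dport 53 dnat to 208.67.222.222:53
    }

    chain post {
        type nat hook postrouting priority 100;
        # IPv4 NAT: Lan sources leave eth0 with the router's Wan address
        ip saddr $lan4 oifname $wan snat to 192.168.0.254
    }
}

table ip6 nat {
    chain pre {
        type nat hook prerouting priority -100;
        # IPv6 DNS proxy; the port is left as it is (already 53), because
        # 2620:0:ccc::2:53 would be read as an address, not as address plus port
        iifname $lan ip6 saddr $lan6 udp dport 53 dnat to 2620:0:ccc::2
    }

    chain post {
        # no IPv6 NAT here, but the post found the pair of nat chains necessary
        type nat hook postrouting priority 100;
    }
}
```

nft -c -f gateway.nft checks the file without loading it, and nft list ruleset shows what is active afterwards. Because the DNS rules match on the destination port only, a client that points at the gateway itself as DNS server is redirected to OpenDNS as well, which is exactly the behaviour described above ; a DNS query to the router therefore never reaches its input chain, it is forwarded like any other Lan > Wan packet.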


5. Internet Gateway Firewall Evaluation

We proceed the same way as in Part 5 : Nftables Linux Router.

[Figure NF5c : firewall test setup]


We'll use this firewall testing methodology :

One PC launches a regular nmap scan at the other PC, while the other PC uses Wireshark to track the packets that managed to pass the router's firewall. We run the test for IPv4 and IPv6, firewall on and off, and switching the Lan and Wan sides ( thus a total of 8 tests ).

Everything works as expected :

all nmap packets get out of the Lan without problem ;
all nmap packets from Wan to Lan get dropped, unless the firewall is pulled down ;
the nft list table filter command does show the dropped packets.


Using the frame.interface_id==x Wireshark display filter shows the packets the Linux router received versus the packets it emitted.

The ICMPv6 requirements are respected ( ping6 works through the firewall ).


6. Notes

IPv6 syntax issues :

nft add rule ip6 nat pre udp dport 53 ip6 saddr 2001:db8:0:3::0/64 dnat 2001:4860:4860:0:0:0:0:8888

works OK, whereas

nft add rule ip6 nat pre udp dport 53 ip6 saddr 2001:db8:0:3::0/64 dnat [2001:4860:4860:0:0:0:0:8888]:53

gives a syntax error.


Wireshark tap / log :

Wireshark provides a way to tap the firewall using NFLOG, allowing fine-grained firewall monitoring / evaluation. We'll see it in Part 7.


Useful commands :

ip -6 route add default via 2001:db8:0:2::1 ( Linux IPv6 default gateway )

nft flush table nat

nft delete chain nat post ( the chain must be empty, hence the flush first )

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ( iptables masquerading command on the Wan interface, the equivalent of the snat rule above, for troubleshooting / comparisons )

Chrome browser :

There seems to be a problem in this implementation with IPv6 web browsing using Chrome,
whereas it works OK using IE or Firefox. A particular Chrome HTTP implementation ?

OpenDNS IPs :

IPv4 : 208.67.222.222
       208.67.220.220

IPv6 : 2620:0:ccc::2
       2620:0:ccd::2

