Olivier Berger
2007-Jun-26 14:10 UTC
[Pkg-xen-devel] Bug#430676: xen-utils-common: network-nat creates insecure nat POSTROUTING MASQUERADE ?
Package: xen-utils-common
Version: 3.0.3-0-2
Severity: normal

I'm not an expert in networking but I think that the current setup when using network-nat for domains is insecure.

I've configured:

    (network-script 'network-nat netdev=eth1')
    (vif-script vif-nat)

So when only domain 0 is started, I get the following:

    # iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    hortense:~# iptables -L -n -t nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  0    --  0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

AFAICT, this means that NAT is active even though no vif interface was started yet, and is potentially insecure since the default FORWARD rule is accept.

My assumption on the insecure setup is from reading http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html :

    Common mistakes:

    It appears that a common mistake with new IP Masq users is to make the first command simply the following:

    IPTABLES:
    ---------
    iptables -t nat -A POSTROUTING -j MASQUERADE

    Do NOT make your default policy MASQUERADING. Otherwise, someone can manipulate their routing tables to tunnel straight back through your gateway, using it to masquerade their OWN identity!

Maybe I'm wrong or there's another interaction, but I think that the masquerade should be started only when the first domU is started, and not when xend is started.

Btw, I cannot find a lot of docs on the nat scripts and I'm not completely sure how they should be used... so any hints on docs would be very much welcome too.
Hope this helps,

Best regards,

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-xen-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xen-utils-common depends on:
ii  lsb-base  3.1-23.1  Linux Standard Base 3.1 init scrip
ii  udev      0.105-4   /dev/ and hotplug management daemo

xen-utils-common recommends no packages.

-- no debconf information
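As an added example (not part of the bug report or of the xen-utils-common network scripts), the following shell snippet audits a POSTROUTING listing like the one quoted above for a MASQUERADE rule that matches every source, and prints the scoped rule set a hardened setup would use instead; the domU subnet 10.0.0.0/24 and the uplink eth1 are assumed placeholder values.

```shell
#!/bin/sh
# Added example: audit an iptables NAT listing for an unconditional
# MASQUERADE and generate a scoped replacement. The subnet and uplink
# passed to scoped_nat_rules are assumed placeholders, not values from
# the report.

# Constructed sample: the POSTROUTING chain as the report shows it, where
# the MASQUERADE rule matches any source and any destination.
SAMPLE_INSECURE='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  0    --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample of the same chain after restricting the source.
SAMPLE_SCOPED='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  0    --  10.0.0.0/24          0.0.0.0/0'

# Return 0 (true) when some MASQUERADE rule has source 0.0.0.0/0, i.e. the
# condition the report flags: any host able to route through the gateway
# gets its traffic rewritten to the gateway's own address.
unrestricted_masquerade() {
    printf '%s\n' "$1" | awk '
        $1 == "MASQUERADE" && $4 == "0.0.0.0/0" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Emit (without applying) the rules for a scoped setup: masquerade only the
# domU subnet leaving the uplink, and make FORWARD deny by default with
# explicit allows for domU traffic and its replies. Here it is only printed;
# on a dom0 the output could be reviewed and then piped into sh.
scoped_nat_rules() {
    subnet="$1"; uplink="$2"
    cat <<EOF
iptables -t nat -A POSTROUTING -s $subnet -o $uplink -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -s $subnet -o $uplink -j ACCEPT
iptables -A FORWARD -d $subnet -i $uplink -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Self-check of the generated set: how many rules carry an explicit
# source (-s) or destination (-d) restriction.
scoped_rule_count() {
    scoped_nat_rules "$1" "$2" | grep -c -e ' -s ' -e ' -d '
}
```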
Debian Bug Tracking System
2014-Aug-29 13:33 UTC
[Pkg-xen-devel] Bug#430676: marked as done (xen-utils-common: network-nat creates insecure nat POSTROUTING MASQUERADE ?)
Your message dated Fri, 29 Aug 2014 13:31:09 +0000
with message-id <20140829133109.GA4246 at shell.waldi.eu.org>
and subject line unsupported configuration
has caused the Debian Bug report #430676,
regarding xen-utils-common: network-nat creates insecure nat POSTROUTING MASQUERADE ?
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

-- 
430676: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=430676
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Olivier Berger <olivier.berger at int-edu.eu>
Subject: xen-utils-common: network-nat increates insecure nat POSTROUTING MASQUERADE ?
Date: Tue, 26 Jun 2007 16:10:08 +0200
Size: 3960
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20140829/af0d5469/attachment.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: Bastian Blank <waldi at debian.org>
Subject: unsupported configuration
Date: Fri, 29 Aug 2014 13:31:09 +0000
Size: 1705
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20140829/af0d5469/attachment-0001.mht>