Comment by Dagger2

1 month ago

NAT:

    iptables -A POSTROUTING -o wan0 -j MASQUERADE

Firewall:

    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A FORWARD -i lan0 -j ACCEPT
    iptables -A FORWARD -j REJECT --reject-with icmp-admin-prohibited

If you omit the first line, you get firewalling without NAT. If you omit the second set of lines, you get NAT without firewalling. This should make it pretty clear that they're orthogonal features.

If NAT functioned as an inbound firewall, the second set of lines wouldn't be necessary and removing them wouldn't let you make inbound connections. But you can just test it yourself, and you'll see that NATing your outbound connections doesn't block new inbound ones.

10 comments

Dagger2

Reply
tsimionescu  1 month ago

And if you have only the first line, what will happen if someone sends a request to the NAT's external IP on some random port?

  • benlivengood  1 month ago

    Without at least some filtering a Gateway NAT appliance is vulnerable to:

    * LAN IP address spoofing from the WAN

    * Potential for misconfigured "internal" daemons to accept WAN traffic (listening on 0.0.0.0 instead of the LAN or localhost)

    * Reflection amplification attacks

    • tsimionescu  1 month ago

      LAN IP address spoofing is indeed a valid attack vector, if the ISP is compromised.

      Internal daemons on machines other than the router itself in the LAN network listening on 0.0.0.0 are not insecure (unless you have the problem from point 1, malicious/compromised ISP). The router won't route packets with IPs that are not in its LAN to them. Of course, the router itself could be compromised if it accidentally listens on 0.0.0.0 and accepts malicious packets.

      Not sure what you mean by reflection amplification attacks, but unless they are attacking the router itself, or they are arriving on WAN with LAN IPs (again, compromised/malicious ISP), I don't see how they would reach LAN machines.

      1 reply →

  • Dagger2  1 month ago

    Whichever machine has the NAT's external IP assigned to it will accept or refuse the connection, depending on whether they have a server running on that port or not.

    • tsimionescu  1 month ago

      The machine that has the NAT's external IP to it is, well, the NAT, by definition. So you admit that the NAT box will act almost exactly like a connection tracking firewall, even if only NAT is enabled.

      3 replies →

deng  1 month ago

I can only repeat myself: you are talking about the NAT module in the Linux netfilter. I, and the RFC, are talking about NAT as a concept: what behavior do you expect when you say "this device does NAT". Of course you can still have "pure NAT", but if someone tells you "set up a device that does NAT" and you omit that first line and later explain that this is historically and technically accurate, well, good luck with that.