[Pkg-xen-devel] Bug#430676: xen-utils-common: network-nat creates insecure nat POSTROUTING MASQUERADE ?

Olivier Berger olivier.berger at int-edu.eu
Tue Jun 26 14:10:08 UTC 2007


Package: xen-utils-common
Version: 3.0.3-0-2
Severity: normal

I'm not an expert in networking, but I think that the current setup when using network-nat for domains is insecure.

I've configured:
(network-script 'network-nat netdev=eth1')
(vif-script     vif-nat)

So when only domain 0 is started, I get the following :

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
hortense:~# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


AFAICT, this means that NAT is active even though no vif interface has been started yet, and is potentially insecure since the default FORWARD rule is accept.
My assumption that the setup is insecure comes from reading http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html :
	Common mistakes:

	It appears that a common mistake with new IP Masq users is to make the first command simply the following:

	IPTABLES:
	---------
	iptables -t nat -A POSTROUTING -j MASQUERADE

	Do NOT make your default policy MASQUERADING. Otherwise, someone can manipulate their routing tables to tunnel straight back through your gateway, using it to masquerade their OWN identity!


Maybe I'm wrong or there's another interaction, but I think that the masquerade should be started only when the first domU is started, and not when xend is started.

Btw, I cannot find a lot of docs on the nat scripts and I'm not completely sure how they should be used... so any hints on docs would be very much welcome too.

Hope this helps,

Best regards,


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-xen-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xen-utils-common depends on:
ii  lsb-base                      3.1-23.1   Linux Standard Base 3.1 init scrip
ii  udev                          0.105-4    /dev/ and hotplug management daemo

xen-utils-common recommends no packages.

-- no debconf information
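Editor's added example (not part of the bug report, and not code from Xen's network-nat or vif-nat scripts). It shows the two things a practitioner would want after reading the report: an audit that flags the unrestricted `-A POSTROUTING -j MASQUERADE` rule the reporter saw, and the restricted rule set the IP-Masq HOWTO recommends instead, where MASQUERADE is bound to the domU source subnet and the outbound interface and FORWARD defaults to DROP. The iptables-save dumps are constructed, the domU subnet 10.0.0.0/24 is assumed, and `vif+` assumes the vif interfaces are named vifN.M as Xen's vif scripts do; eth1 is the netdev from the report. Nothing is applied to the running firewall, the rule set is only printed.

```shell
#!/bin/bash
# Added example, not taken from the bug report or from Xen's network-nat /
# vif-nat scripts. Two helpers, both side-effect free (nothing is applied):
#   check_masq    audits an `iptables-save` dump for POSTROUTING MASQUERADE
#                 rules with no -s (source) and no -o (out-interface) match,
#                 i.e. the "default policy MASQUERADING" the HOWTO warns about.
#   gen_nat_rules prints a restricted rule set for a domU subnet behind a
#                 given external interface.
# Assumptions: the domU subnet 10.0.0.0/24 is made up; "vif+" relies on the
# vif interfaces being named vifN.M, as Xen's vif scripts do.

# Constructed sample dumps (nat table only), not captured from a real host.
# SAMPLE_OPEN mirrors the rule the reporter saw with `iptables -L -n -t nat`.
SAMPLE_OPEN='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT'

SAMPLE_RESTRICTED='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
COMMIT'

# check_masq <iptables-save text>
# Prints every unrestricted MASQUERADE rule found; returns 1 if there was at
# least one, 0 if every MASQUERADE rule carries a -s or -o restriction.
check_masq() {
    local dump="$1" bad=0 line
    while IFS= read -r line; do
        case "$line" in
            "-A POSTROUTING "*"-j MASQUERADE"*)
                case "$line" in
                    *" -s "*|*" -o "*) ;;   # bound to a source or out-iface
                    *) printf 'unrestricted: %s\n' "$line"; bad=1 ;;
                esac ;;
        esac
    done <<EOF
$dump
EOF
    return "$bad"
}

# gen_nat_rules <netdev> <domU-subnet>
# Emits iptables commands (one per line) that:
#   - default FORWARD to DROP, so dom0 relays nothing it was not told to,
#   - let domU traffic out only from vif interfaces towards netdev,
#   - let replies back in only for connections conntrack already knows,
#   - masquerade only packets from the domU subnet leaving via netdev.
gen_nat_rules() {
    local netdev="$1" subnet="$2"
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i vif+ -s $subnet -o $netdev -j ACCEPT
iptables -A FORWARD -i $netdev -d $subnet -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $subnet -o $netdev -j MASQUERADE
EOF
}

# Demo: audit both constructed dumps, then print the restricted rule set.
check_masq "$SAMPLE_OPEN" || echo "-> open masquerade, as on the reporter's host"
check_masq "$SAMPLE_RESTRICTED" && echo "-> restricted masquerade: fine"
gen_nat_rules eth1 10.0.0.0/24
```

To audit a live host, feed it the real dump: `check_masq "$(iptables-save -t nat)"`. The generated rules match the 2.6.18-era `-m state` syntax; on a current kernel `-m conntrack --ctstate` is the equivalent. Note that binding MASQUERADE to `-o eth1` alone already defeats the routing trick the HOWTO describes (a packet arriving on eth1 and leaving on eth1 is still masqueraded), which is why the FORWARD rules also require the traffic to enter on a vif.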
