Computer networks
Alex, 2015-10-22 18:42:19

How to disable "double" NAT?

Hello. There is an interesting task. There is a small network. A Linux computer running CentOS acts as the gateway to the Internet. Internet access is allowed only for some computers (filtering by IP address through iptables; in the DHCP config, addresses are strictly tied to MACs). An advanced user with a laptop connected via cable, or a computer with a Wi-Fi adapter, can make an open access point by setting up NAT on his computer. This needs to be prevented somehow. The following came to mind: blocking by TTL. All packets sent directly to the gateway (through an unmanaged switch) have a TTL of 64. When passing through NAT, the TTL is reduced by one, i.e. it is already 63. Therefore, it is possible to cut off all packets with TTL = 63 from the LAN on the gateway through iptables, which is what I do (enp2s0 is the interface that "looks" towards the local network):

iptables -A INPUT -i enp2s0 -m ttl --ttl-eq 63 -j DROP

I connected a laptop with Linux via cable, shared the connection over Wi-Fi, set up NAT and connected a tablet to this laptop's access point. But unfortunately my idea didn't work. On the tablet, sites open (note: they take a very long time to open. If you remove the above line from iptables, then the sites open much faster).
Thank you very much for reading to the end. Where am I wrong?


4 answer(s)
Maksim, 2015-10-22
@chumayu

I.e. you think that only you can change the TTL value? Naive :)
Perhaps it is worth limiting the number of simultaneous connections from one IP?

athacker, 2015-10-23
@athacker

Apart from the TTL, almost nothing changes in a packet that has passed through NAT: the SRC address, the SRC port (maybe), and, well, the checksums. And even the TTL is questionable. In FreeBSD, for example, you can build a kernel with the STEALTH option, and then the TTL will not change in packets passing through NAT.
If sites still open on the tablet, look with tcpdump at what kind of packets are going between the laptop and the gateway at that time. Different systems set different TTLs. Windows, for example, sets TTL 64, and FreeBSD 128. It is possible that the tablet is also not 64. This does not explain the slowness, but it explains the fact that sites open.
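The advice above (inspect the capture, and remember that different operating systems start from different TTLs) can be turned into a small monitoring script. The following is an added example, not code from the question or from any of the answers: it parses constructed `tcpdump -nn -v` style lines (not a real capture), infers each host's assumed initial TTL from the common defaults 64, 128 and 255, and reports source IPs whose packets have already been decremented at least once, i.e. hosts that reached the gateway through another router or NAT. The sample addresses and the `DEFAULT_TTLS` table are assumptions.

```python
"""Flag LAN hosts whose packets arrive with a decremented TTL (likely behind a NAT).

Input: lines in the style of `tcpdump -nn -v`, where the IP header is printed on one
line and the addresses on an indented continuation line. The sample below is
constructed for this example, not a real capture.
"""
import re
from collections import defaultdict

# Common initial TTLs: 64 (Linux, Android, macOS), 128 (Windows), 255 (some network
# gear). Assumption: hosts on this LAN use one of these defaults and have not tuned it.
DEFAULT_TTLS = (64, 128, 255)

# Pull the ttl field and the source IPv4 address out of a joined header line.
LINE_RE = re.compile(r"ttl (?P<ttl>\d+).*?\)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ >")

# Constructed sample: .10 and .20 talk directly (TTL 64 / 128); .42 shows TTL 63 and
# 127, i.e. packets that were forwarded once before reaching the gateway.
SAMPLE = """\
18:42:19.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.10.51234 > 203.0.113.5.80: Flags [S], seq 1, win 64240, length 0
18:42:19.000002 IP (tos 0x0, ttl 63, id 2, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.42.40000 > 203.0.113.5.80: Flags [S], seq 2, win 65535, length 0
18:42:19.000003 IP (tos 0x0, ttl 127, id 3, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.42.40001 > 203.0.113.5.443: Flags [S], seq 3, win 8192, length 0
18:42:19.000004 IP (tos 0x0, ttl 128, id 4, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.20.50000 > 203.0.113.5.443: Flags [S], seq 4, win 8192, length 0
"""


def join_continuations(lines):
    """Glue each indented continuation line onto the header line before it."""
    out = []
    for line in lines:
        if line[:1].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def infer_hops(ttl):
    """Return (assumed_initial_ttl, hops) using the smallest default >= ttl."""
    for start in DEFAULT_TTLS:
        if ttl <= start:
            return start, start - ttl
    raise ValueError(f"invalid TTL {ttl}")


def parse(lines):
    """Yield (src_ip, ttl) for every header line the regex understands."""
    for line in join_continuations(lines):
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("ttl"))


def suspicious_sources(lines):
    """Map source IP -> sorted hop counts, keeping only hosts seen with hops > 0."""
    hops_by_src = defaultdict(set)
    for src, ttl in parse(lines):
        hops_by_src[src].add(infer_hops(ttl)[1])
    return {src: sorted(h) for src, h in hops_by_src.items() if max(h) > 0}


if __name__ == "__main__":
    for src, hops in suspicious_sources(SAMPLE.splitlines()).items():
        print(f"{src}: packets arrived {hops} hop(s) after the sender's default TTL")
```

Because the script compares against the nearest default rather than a fixed 64, a Windows-style host at one hop (TTL 127) and a Linux-style host at one hop (TTL 63) are both flagged, which a plain `--ttl-eq 63` rule would miss. It remains a heuristic: a host that rewrites its own TTL, as the first answer points out, will not be caught, so this is better used to generate alerts for follow-up than as the enforcement control itself.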

Ogogon, 2015-10-23
@Ogogon

Objectively speaking, technically there is no way!
There will always be someone who finds a way around it.
But if this is an organization, then it can be prohibited administratively.
Every sane organization has internal rules. They should prohibit setting up unauthorized connections. Such a clause is called an "initiative gateway".
When starting a job, each employee signs the procedure for using the company's information resources. It is forbidden there.
It only remains to catch violators. This can be done analytically.
If an ordinary workstation starts a lot of simultaneous outgoing connections, it means that it has either caught a Trojan or a gateway has been set up on it.

alegzz, 2015-10-25
@alegzz

You are blocking packets destined for the server itself. For transit packets, the rule must be added to the FORWARD chain.
