Re: ipv6 question

On Thursday, January 06, 2011 01:30:45 pm Lamar Owen wrote:
> That is, given the NAT translation table snippet:
> 
> tcp 10.10.10.10:52650 192.168.1.118:52650 74.125.67.99:80    74.125.67.99:80
> tcp 10.10.10.10:1769 192.168.1.166:1769 74.125.67.99:80    74.125.67.99:80
> 
> And assuming no other translations are in the table, 74.125.67.99 could scan 10.10.10.10 all it wants; only packets to ports 52650 and 1769 will get statelessly translated (bidirectionally; the return packets also get translated for a tcp translation) to the respective addresses on the inside, and only to those ports; all other packets to that 10.10.10.10 address will be left untranslated and routed to the interface with 10.10.10.10 on its subnet.  

More to the point, using ssh to get to a machine outside my network:
lowen@localhost:~$ ssh root@xxxxxxxxxxxxxxxxxxxxx
Last login: Wed Jan  5 13:46:24 2011 from 10.10.10.10
[root@outside ~]# nmap 10.10.10.10

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2011-01-06 13:42 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 1.069 seconds
[root@outside ~]# nmap -P0 -p 0- 10.10.10.10

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2011-01-06 13:42 EST
All 65536 scanned ports on dyn.somewhere-else.net (10.10.10.10) are: filtered

Nmap run completed -- 1 IP address (1 host up) scanned in 1376.328 seconds
[root@outside ~]# 

The NAT translation table entry on the NAT box at the time:
tcp 10.10.10.10:46354 192.168.1.118:46354 10.20.20.20:22 10.20.20.20:22

Where 10.10.10.10 is the particular IP in the global NAT pool, 192.168.1.118 is my laptop on the inside of the NAT, and 10.20.20.20 is the outside box.  Addresses and names of course have been changed, but consistently changed (that is, in the login banner from outside.somewhere.com showing last login from 10.10.10.10, and every other 10.10.10.10 is the same real-world address).  That is, even though I had an ssh session open, and the translation from 192.168.1.118:46354 to 10.10.10.10:46354 to 10.20.20.20:22 was forwarding packets both directions, other packets from 10.20.20.20 on other source ports did not get translated at all, but (in this case) got blackholed by the routing to a Null device in the Cisco 7206 doing the NAT.

In the interests of full disclosure, there is a second Cisco router (a 12008) with the only ACLs in front of the NAT box; for the duration of this test the following ACL was added to take the firewall out of the loop, and then removed after the nmap run was complete:
access-list 150 permit ip any host 10.10.10.10
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
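An added simulation of the translation-table lookup the message describes; this is example code written for this page, not code from the message's author or from Cisco. It takes the matching rule from the message (an inbound packet is rewritten only when protocol, outside peer and inside-global address:port all match a row; anything else toward the pool address is left untranslated and falls into the null route). The table row is the one quoted above; the scanner's source port 41234 and all function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Translation:
    """One row of the 'show ip nat translations' style table quoted in the thread."""
    proto: str
    inside_global: Endpoint   # pool address:port as seen from the outside
    inside_local: Endpoint    # real inside host:port
    outside: Endpoint         # remote peer host:port (outside local == outside global here)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: Endpoint
    dst: Endpoint


def _endpoint(text: str) -> Endpoint:
    addr, port = text.rsplit(":", 1)
    return (addr, int(port))


def parse_table(text: str) -> List[Translation]:
    """Parse 'proto inside_global inside_local outside_local outside_global' rows."""
    rows = []
    for line in text.strip().splitlines():
        proto, ig, il, _ol, og = line.split()
        rows.append(Translation(proto, _endpoint(ig), _endpoint(il), _endpoint(og)))
    return rows


# The translation row from the message (laptop's ssh session to the outside box).
SAMPLE_TABLE = parse_table(
    "tcp 10.10.10.10:46354 192.168.1.118:46354 10.20.20.20:22 10.20.20.20:22"
)

# Pool addresses with no real host behind them; per the message, untranslated
# packets to them are routed to a Null interface on the 7206.
NULL_ROUTED = {"10.10.10.10"}


def translate_inbound(table: List[Translation], pkt: Packet) -> Optional[Packet]:
    """Rewrite an outside->pool packet only if the whole tuple matches a row."""
    for t in table:
        if t.proto == pkt.proto and pkt.src == t.outside and pkt.dst == t.inside_global:
            return Packet(pkt.proto, pkt.src, t.inside_local)
    return None


def translate_outbound(table: List[Translation], pkt: Packet) -> Optional[Packet]:
    """Rewrite an inside->outside packet only if the whole tuple matches a row."""
    for t in table:
        if t.proto == pkt.proto and pkt.src == t.inside_local and pkt.dst == t.outside:
            return Packet(pkt.proto, t.inside_global, pkt.dst)
    return None


def forward_inbound(table: List[Translation], pkt: Packet) -> Tuple[str, Packet]:
    """Decide what the NAT box does with a packet arriving from the outside."""
    translated = translate_inbound(table, pkt)
    if translated is not None:
        return ("deliver", translated)
    if pkt.dst[0] in NULL_ROUTED:
        return ("dropped", pkt)   # untranslated, falls into the null route
    return ("routed", pkt)        # untranslated, routed as-is


def sweep(table: List[Translation], src: Endpoint, dst_addr: str, proto: str = "tcp") -> Dict[str, int]:
    """Count outcomes of a full 0-65535 destination-port sweep from one source endpoint
    (models the 'nmap -P0 -p 0-' run in the message)."""
    counts: Dict[str, int] = {"deliver": 0, "dropped": 0, "routed": 0}
    for port in range(65536):
        action, _ = forward_inbound(table, Packet(proto, src, (dst_addr, port)))
        counts[action] += 1
    return counts


if __name__ == "__main__":
    # Constructed probe: scanner on 10.20.20.20 using ephemeral source port 41234.
    print(sweep(SAMPLE_TABLE, ("10.20.20.20", 41234), "10.10.10.10"))
    # The ssh server's own replies (port 22 back to the translated port) still get through.
    print(forward_inbound(SAMPLE_TABLE, Packet("tcp", ("10.20.20.20", 22), ("10.10.10.10", 46354))))
```

The sweep reproduces the "all ports filtered" result: with the scanner on any source port other than the one in the table row, none of the 65536 probes match a translation, so all are left untranslated and dropped by the null route, while the established session's return packets are still rewritten to 192.168.1.118:46354.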


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux