[2556] in linux-net channel archive
Re: "IP Masquerading for applications"
daemon@ATHENA.MIT.EDU (Julio Sanchez)
Wed Apr 17 07:53:00 1996
To: submit-linux-dev-net@ratatosk.yggdrasil.com
From: Julio Sanchez <jsanchez@esegi.es>
Date: 17 Apr 1996 12:59:15 +0200
In-Reply-To: Mike Shaver's message of Sun, 7 Apr 1996 15:43:21 -0400 (EDT)
In article <199604071943.PAA14684@neon.ingenia.com> Mike Shaver <shaver@neon.ingenia.com> writes:
>
> The other big option is to just add a system call getsockdest() or
> some such which tells you where the socket was originally going, and
> have some additional bind()/listen()/accept() semantics to allow a
> user-level process to intercept forwarded connections. I believe this
> is how the Gauntlet stuff worked. Actually, I recall someone
> mentioning that they had patches to allow transparent proxying. I'll
> see if I can dig this up. I suspect that's a more elegant solution.
ftp://ftp.esegi.es/pub/linux/catch
It is TCP only and has a few gotchas (does not know how to bind a fake
address but no one seems to care about this problem anyway). It is for
Linux 1.2.x and will not apply easily to 1.3.x, though they should be
easy to redevelop (it is pretty short).
It was an ugly hack, but I have 98% of a Gauntlet working with it (no
experiment, it is in actual use at ismael.gmv.es and has been since
September). This will be migrated to BSD/OS soon since I am a Gauntlet
reseller and I'd better use the real thing my customers are using. We
were originally using the TIS fwtk when we became resellers and found
it easier to port Gauntlet than to get BSD/OS, etc. It has served us well
but is going. That means that the patches are extremely unlikely to be
updated.
Gauntlet adds a new system call that works like getsockname. I used
the real getsockname and an interface routine that checks the returned
address against our addresses. Having a specific system call is more
efficient, but is probably unneeded kernel bloat.
The following patch triggers alerts when unserved ports are probed
(the real Gauntlet does this as well). It would be interesting to have
this as an option on Linux.
diff -ru linux.orig/net/ipv4/tcp_input.c linux-1.3.88/net/ipv4/tcp_input.c
--- linux.orig/net/ipv4/tcp_input.c Sat Apr 13 11:52:55 1996
+++ linux-1.3.88/net/ipv4/tcp_input.c Mon Apr 15 17:02:08 1996
@@ -25,6 +25,7 @@
#include <linux/config.h>
#include <net/tcp.h>
+#include <linux/inet.h>
/*
* Policy code extracted so its now separate
@@ -1922,6 +1923,16 @@
* No such TCB. If th->rst is 0 send a reset (checked in tcp_send_reset)
*/
tcp_send_reset(daddr, saddr, th, &tcp_prot, opt,dev,skb->ip_hdr->tos,255);
+
+ /* We do this here to avoid triggering alerts on recently
+ * closed sockets. We only do it for connection requests.
+ * It may be interesting to get other packets, but too
+ * many false alarms are generated.
+ */
+ if (sk == NULL && th->syn && !th->ack) {
+ printk(KERN_NOTICE "securityalert: tcp from %s on unserved port %d\n",
+ in_ntoa(saddr), ntohs(th->dest));
+ }
discard_it:
/*
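Review bot: the new block in tcp_input.c logs one kernel line per unconditioned SYN with no rate limiting, so a burst of connection attempts to closed ports from one remote host fills the log and console; consider a global or per-source token bucket, or at least suppressing repeats, in the spirit of the `udp_statistics.UdpNoPorts++` counter the UDP path keeps. The `sk == NULL` test is redundant here, since the comment just above ("No such TCB") documents that this path is reached only when no socket matched, so the condition reduces to `th->syn && !th->ack`. `in_ntoa()` formats into a static buffer, which is not safe if two such messages are built concurrently, and the message omits the destination address (`daddr`) and source port, which an operator needs to tell which interface was probed; note also that a bare SYN carries no proof of origin, so the logged source is a claimed address, not an attribution.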
diff -ru linux.orig/net/ipv4/udp.c linux-1.3.88/net/ipv4/udp.c
--- linux.orig/net/ipv4/udp.c Fri Apr 12 08:49:50 1996
+++ linux-1.3.88/net/ipv4/udp.c Mon Apr 15 17:02:39 1996
@@ -702,6 +702,9 @@
udp_statistics.UdpNoPorts++;
if (addr_type == IS_MYADDR)
{
+ printk(KERN_NOTICE
+ "securityalert: udp from %s on unserved port %d\n",
+ in_ntoa(saddr), ntohs(uh->dest));
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, dev);
}
/*
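Review bot: the same rate-limiting concern as in the TCP hunk applies, and more so here because every UDP datagram to a closed port is logged with no SYN-style filter, including routine traffic such as traceroute probes and replies to stale sockets; log only the first occurrence per source within an interval, or piggyback on the `udp_statistics.UdpNoPorts++` already incremented above. The `printk` sitting before `icmp_send()` is harmless, but keep the format identical to the TCP message so both can be parsed by one rule, and as before `in_ntoa()` writes into a static buffer, so the destination address would be better printed as a second `in_ntoa()` call only after the first result has been consumed.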
Julio
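The getsockname()-based check Julio describes, as an added example in C that is not his code and not part of the catch patch: after accept(), ask the kernel for the local address of the connection and treat it as an intercepted one only if that address is not one of our own. The struct and function names are assumptions, and the addresses are constructed samples.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define MAX_OWN 8

/* Addresses the proxy host itself owns (constructed sample values in the
 * test; a real gateway would enumerate its interfaces). */
struct own_addrs {
    struct in_addr a[MAX_OWN];
    int n;
};

/* Parse dotted-quad strings into the table. Returns the count or -1. */
int own_addrs_parse(struct own_addrs *own, const char *const *dotted, int n)
{
    own->n = 0;
    for (int i = 0; i < n && own->n < MAX_OWN; i++) {
        if (inet_pton(AF_INET, dotted[i], &own->a[own->n]) != 1)
            return -1;
        own->n++;
    }
    return own->n;
}

/* 1 if local_dst is not one of our addresses, meaning the kernel handed
 * us a connection that was really addressed to another host and the
 * proxy must relay it; 0 if it was addressed to this host. */
int dest_is_foreign(const struct own_addrs *own, const struct in_addr *local_dst)
{
    for (int i = 0; i < own->n; i++)
        if (own->a[i].s_addr == local_dst->s_addr)
            return 0;
    return 1;
}

/* Called on a freshly accept()ed socket. Assumes a kernel that, like the
 * catch patch, redirects intercepted connections so getsockname() reports
 * the original destination. 1 = foreign (relay), 0 = ours, -1 = error. */
int classify_accepted(int fd, const struct own_addrs *own, struct sockaddr_in *orig_dst)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0 || sa.sin_family != AF_INET)
        return -1;
    if (orig_dst)
        *orig_dst = sa;
    return dest_is_foreign(own, &sa.sin_addr);
}
```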