Re: Firewalling and MASQ

Stephen L. Favor
Thu, 09 Dec 1999 15:27:02 -0600

Eric Kluft wrote:

> You'll agree with me that it's extremely hard to attack a client behind a
> masqing server. Extra deny policies or programs are really unnecessary.

I completely agree. If you'll read my posting again carefully, you will find
that I am concerned with packets which are associated with the host that is
performing MASQ for the internal network. Right now, I have to leave the
MASQ port interval open so that it will work and there is no way to detect if
an inbound or outbound packet is to/from the router or a MASQed host as they
have the same IP. Thus, I cannot do:

ipchains -A output -j DENY -p tcp -y -s <router ip>

to block connects from the router as it will also block connects from MASQed

My previous post was incorrect in that I wanted to block non-MASQ packets on
the input chain. While I would like to do this, what I really need to do is
DENY (and call the fire dept. :) if a packet that is not associated with a
MASQ session tries to pass the output chain. So, what I really need to do is:

ipchains -A forward -j MASQ ...
ipchains -A output -j ACCEPT -i ppp0 <magic>
ipchains -A output -j DENY -i ppp0 -l

where <magic> matches any packet that was MASQed by the forward chain.

> Eric.
> -----Original Message-----
> From: Stephen L. Favor []
> Sent: Thursday, December 09, 1999 8:34 PM
> To: Glynn Clements
> Cc:;
> Subject: Re: Firewalling and MASQ
> Glynn Clements wrote:
> > Stephen L. Favor wrote:
> >
> > > I would like to configure a box to forward only TCP and
> > > UDP packets associated with a MASQ session and I can't quite
> > > figure out a way to do it. I can open 61000:65096 to the world
> > > and MASQ works fine, but I would prefer only let the ports with
> > > active sessions through the firewall. Can anyone tell me how to
> > > do this?
> >
> > Replies to masqueraded packets pass the forwarding chain
> > automatically, so you can just configure the forwarding chain to
> > reject all inbound packets.
> Interesting but (unless I'm missing something) I need to block these
> with the input filter. At that point, packets bound for the router
> host and packets bound for MASQ-forwarded hosts have the same IP. If
> I let them pass so they will deMASQ, I also let potentially malicious
> packets bound for the local host in. These hit the "Routing
> Decision" phase and go right to a local process. What I really need
> is for there to be another FW chain consulted for local packets after
> deMASQ.
> The only way I've figured out to do this is to write a daemon that
> uses the netlink device and a user program to add an entry in the
> FW to allow packets on a per-port basis every time it sees a connect
> request pass the MASQ forward rule and remove the entry whenever the
> disconnect occurs or it no longer appears in /proc/.../*_masq.

To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to
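The following is an added illustration of the chain traversal discussed in this message; it is not code from the posting, from the list, or from the kernel. It models the masquerade table as a small Python class (a stand-in for the kernel's own table, which the posting reads via the /proc masq file), and writes the `<magic>` output-chain match the posting asks for as a lookup in that table: accept an outbound packet on the external interface only if it belongs to a live MASQ session, otherwise deny and log it (ipchains' `-l`). Beside it sits the port-range rule the posting has to live with today, so the difference is visible: a process on the router itself, bound to a port inside 61000:65096, passes the range rule but not the stateful one. All addresses and packets are constructed sample data, and the `MasqTable`, `output_port_range` and `output_stateful` names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges), not from the posting.
ROUTER_IP = "192.0.2.1"                    # external address of the MASQ host (ppp0)
MASQ_PORT_LO, MASQ_PORT_HI = 61000, 65096  # the port interval quoted in the thread


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # tcp connection request, what ipchains' -y flag matches


class MasqTable:
    """Simplified model of the kernel's masquerade table: one port per outbound flow."""

    def __init__(self) -> None:
        self._by_port: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        self._by_flow: Dict[Tuple[str, str, int, str, int], int] = {}
        self._next_port = MASQ_PORT_LO

    def masquerade(self, pkt: Packet) -> Packet:
        """Forward chain '-j MASQ': rewrite the source to the router address and a masq port."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._by_flow.get(flow)
        if port is None:
            if self._next_port > MASQ_PORT_HI:
                raise RuntimeError("masquerade port range exhausted")
            port, self._next_port = self._next_port, self._next_port + 1
            self._by_flow[flow] = port
            self._by_port[(pkt.proto, port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, ROUTER_IP, port, pkt.dst, pkt.dport, pkt.syn)

    def owns_outbound(self, pkt: Packet) -> bool:
        """True if this outbound packet was produced by masquerade() for a live session."""
        entry = self._by_port.get((pkt.proto, pkt.sport))
        return entry is not None and entry[2:] == (pkt.dst, pkt.dport)

    def demasquerade(self, pkt: Packet) -> Optional[Packet]:
        """Inbound reply: map the masq port back to the internal host, or None if no session."""
        entry = self._by_port.get((pkt.proto, pkt.dport))
        if entry is None or entry[2:] != (pkt.src, pkt.sport):
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, entry[0], entry[1], pkt.syn)

    def expire(self, pkt: Packet) -> None:
        """Session ended (disconnect or timeout): drop the entry so its port is no longer trusted."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._by_flow.pop(flow, None)
        if port is not None:
            self._by_port.pop((pkt.proto, port), None)


def output_port_range(pkt: Packet) -> str:
    """The rule set the posting has to live with: the whole MASQ interval is open on
    output, so a router-local process bound to a port in that interval passes too."""
    if pkt.src == ROUTER_IP and MASQ_PORT_LO <= pkt.sport <= MASQ_PORT_HI:
        return "ACCEPT"
    return "DENY"


def output_stateful(pkt: Packet, table: MasqTable, log: List[str]) -> str:
    """The <magic> rule the posting asks for: on the external interface, accept only
    packets that belong to an active MASQ session; deny and log ('-l') everything else."""
    if table.owns_outbound(pkt):
        return "ACCEPT"
    log.append(f"DENY output {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    return "DENY"


if __name__ == "__main__":
    table, log = MasqTable(), []
    # Internal client connects out; the forward chain masquerades it.
    masqed = table.masquerade(Packet("tcp", "10.0.0.5", 3456, "198.51.100.7", 80, syn=True))
    print(masqed, output_port_range(masqed), output_stateful(masqed, table, log))
    # A process on the router itself, using a port inside the MASQ interval.
    local = Packet("tcp", ROUTER_IP, 61001, "198.51.100.7", 80, syn=True)
    print(local, output_port_range(local), output_stateful(local, table, log))
    print(log)
```

The `expire` method is where the daemon the posting sketches would hook in: once a session leaves the masq table, its port stops matching, so a later packet from the router using that same port is denied and logged rather than riding on a stale allowance.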