Firewalls and

Network Address Translation (NAT)

1
 Highlights
 Firewalls:
 To protect against attacks
 Two types
 Proxy firewalls
 Packet-filtering firewalls

 NAT:
 To address diminishing pool of IP addresses
 Popularity of both have surged due to different reasons

2
 Packet-filters
 popular filters involve
 undesired IP addresses or options
 types of ICMP messages
 various UDP or TCP services, based on the port numbers
contained in each packet

3
 Typical Packet-filtering configuration

A typical packet-filtering firewall configuration. The firewall acts as an IP router between an “inside”
and an “outside” network, and sometimes a third “DMZ” or extranet network, allowing only certain
traffic to pass through it. A common configuration allows all traffic to pass from inside to outside but
only a small subset of traffic to pass in the reverse direction. When a DMZ is used, only certain
services are permitted to be accessed from the Internet.
4
 Protocol Operation

The proxy firewall acts as a multihomed Internet host, terminating TCP connections and UDP
associations at the application layer. It does not act as a conventional IP router but rather as an
ALG (Application Layer Gateway). Individual applications or proxies for each service supported
must be enabled for communication to take place through the proxy firewall.
5
 Proxy Firewall
 Quite secure
 Brittle and lack of flexibility
 New apps must have corresponding proxy
 Apps must have mechanisms to discover proxy

6
 Types of Proxy Firewall
 HTTP proxy firewalls

 SOCKs firewalls
 More generic than HTTP proxy
 Version 4: basic support
 Version 5: adds authentication, UDP traversal, and IPv6
addressing
 Application must be socksified: rewritten to use SOCKS
 The client uses the SOCKS protocol to request the proxy to
perform network connections, and optionally, DNS lookups

7
 NAT: network address translation

rest of local network

Internet (e.g., home network)
10.0.0/24 10.0.0.1

10.0.0.4
10.0.0.2
138.76.29.7

10.0.0.3

all datagrams leaving local datagrams with source or

network have same single
source NAT IP address:
138.76.29.7,different source
port numbers
8
destination in this network
have 10.0.0/24 address for
source, destination (as usual)
 NAT: network address translation

Motivation: local network uses just one IP address as far as outside

world is concerned:
 range of addresses not needed from ISP: just one IP address for all
devices
 can change addresses of devices in local network without notifying
outside world
 can change ISP without changing addresses of devices in local
network
 devices inside local net not explicitly addressable, visible by outside
world (a security plus)

9
 NAT: network address translation
implementation: NAT router must:

 outgoing datagrams: replace (source IP address, port #) of every outgoing

datagram to (NAT IP address, new port #)
. . . remote clients/servers will respond using (NAT IP address,
new port #) as destination addr

 remember (in NAT translation table) every (source IP address, port #) to

(NAT IP address, new port #) translation pair

 incoming datagrams: replace (NAT IP address, new port #) in dest fields

of every incoming datagram with corresponding (source IP address,
port #) stored in NAT table

10
 NAT: network address translation
NAT translation table 1: host 10.0.0.1
2: NAT router WAN side addr LAN side addr
changes datagram sends datagram to
source addr from 138.76.29.7, 5001 10.0.0.1, 3345 128.119.40.186, 80
10.0.0.1, 3345 to …… ……
138.76.29.7, 5001,
updates table S: 10.0.0.1, 3345
D: 128.119.40.186, 80
10.0.0.1
1
S: 138.76.29.7, 5001
2 D: 128.119.40.186, 80 10.0.0.4
10.0.0.2
138.76.29.7 S: 128.119.40.186, 80
D: 10.0.0.1, 3345
4
S: 128.119.40.186, 80
D: 138.76.29.7, 5001 3 10.0.0.3
4: NAT router
3: reply arrives changes datagram
dest. address: dest addr from
138.76.29.7, 5001 138.76.29.7, 5001 to 10.0.0.1, 3345

11
 NAT: network address translation
 16-bit port-number field:
 65,000+ simultaneous connections with a single LAN-side
address!

 NAT is controversial:
 routers should only process up to layer 3
 violates end-to-end argument
 NAT possibility must be taken into account by app designers, e.g., P2P
applications
 address shortage should instead be solved by IPv6

12
 NAT traversal problem

 client wants to connect to server

with address 10.0.0.1
10.0.0.1
 server address 10.0.0.1 local to LAN client
(client can’t use it as destination addr) ?
 only one externally visible NATed 10.0.0.4
address: 138.76.29.7
 solution1: statically configure NAT to 138.76.29.7 NAT
router
forward incoming connection
requests at given port to server
 e.g., (123.76.29.7, port 2500) always
forwarded to 10.0.0.1 port 25000

4-13
 NAT traversal problem
 solution 2: Universal Plug and Play
(UPnP) Internet Gateway Device
10.0.0.1
(IGD) Protocol. Allows NATed host
to: IGD
 learn public IP address
(138.76.29.7)
NAT
 add/remove port mappings (with
router
lease times)

i.e., automate static NAT port map

configuration

4-14
 NAT traversal problem

 solution 3: relaying (used in Skype)

 NATed client establishes connection to relay
 external client connects to relay
 relay bridges packets between connections

2. connection to
relay initiated 1. connection to 10.0.0.1
by client relay initiated
by NATed host
3. relaying
client established
138.76.29.7 NAT
router

4-15
 Drawbacks of NAT
 Privately addressed systems are not reachable from outside
 Runs counter to the fundamental tenet of the Internet
Protocols: the “smart edge” and “dumb middle”
 Modifying transport header requires recomputing transport
layer checksum

16
 An Example

A NAT isolates private addresses and the systems using them from the Internet.
Packets with private addresses are not routed by the Internet directly but instead
must be translated as they enter and leave the private network through the NAT
router. Internet hosts see traffic as coming from a public IP address of the NAT.
17
 NAT
 Traditional NAT (just referred to as NAT in the text):
 Basic NAT: rewrite IP address only (not popular)
 NAPT: Network Address Port Translation

18
 Basic NAT and NAPT

A basic IPv4 NAT (left) rewrites IP addresses from a pool of addresses and leaves port
numbers unchanged. NAPT (right), also known as IP masquerading, usually rewrites
address to a single address. NAPT must sometimes rewrite port numbers in order to
avoid collisions. In this case, the second instance of port number 23479 was rewritten to
use port number 3000 so that returning traffic for 192.168.1.2 could be distinguished
from the traffic returning to 192.168.1.35
19
 Security via NAT
 blocks almost all incoming new connection requests
 inhibits “probing” attacks that attempt to ascertain which IP
addresses have active hosts available to exploit
 NAT (especially NAPT) “hides” the number and
configuration of internal addresses from the outside.

20
 NAT and TCP
 Observe the packet flow (RST, SYN, FIN, ACK) etc.
 Use TCP state diagram and run appropriate timers to
estimate if the connection state needs to be maintained or
not
 Need to account for
 Keepalive timers: 2 hours
 Max idle time during setup/teardown: 4 mins

21
 NAT and UDP
 No special packets (SYN, FIN, RST etc.)

 Fragmentation into multiple IP packets

 Port number absent in fragments after the first one

22
 NAT and ICMP
 Error Messages
 Usually contain a copy of the packet which has IP header with
IP addresses (may need to be changed as well)

 Informational messages
 Usually of query/response type
 Query ID can be used like the port number

23
 NAT and tunneled Packets
 Need to rewrite header of tunneled packets

24
 NAT and Multicast
 Outside to Inside
 No modification to dest IP and port

 Inside to Outside
 Modify source IP and port as usual

25
 Address & Port Translation Behavior

26
 Translation and Filtering

Behavior Name Translation Behavior Filtering Behavior

Endpoint-independent X1′:x1′ = X2′:x2′ for all Allows any packets for X:x as
Y2:y2 (required) long as any X1′:x1′ exists
(recommended for greatest
transparency)
Address-dependent X1′:x1′ = X2′:x2′ iffY1 = Y2 Allows packets for X:x from
Y1:y1 as long as X has
previously contacted Y1
(recommended for more
stringent filtering)
Address- and port-dependent X1′:x1′ = X2′:x2′ iff Y1:y1 = Allows packets for X:x from
Y2:y2 Y1:y1 as long as X has
27 previously contacted Y1:y1
 Hairpinning and NAT Loopback

X1 is connecting to
external address of X2

What is the source

address of the packet
sent to X2?

A NAT that implements hairpinning or NAT loopback allows a client to reach a server on the
same side of the NAT using the server’s external IP address and port numbers. That is, X1 can
reach X2:x2 using the addressing information X2′:x2′.

28
 NAT Editors
 What if application layer payload contains IP address and port
numbers?
 FTP

 What if the application payload length changes

 TCP numbers every byte

NAT Editors need to understand a lot of protocols and their

interactions and must have the ability to change the
29
corresponding bits in the packets
 Service Provider NAT (SPNAT),
Carrier-Grade NAT (CGN) or Large Scale NAT (LSN)
 Move NATing to the ISPs

 Functionally similar to NAT

30
 Hole Punching
 A method that allows multiple devices, each behind NAT to
communicate directly using pinholes

 Clients first connect to a server

 Server provides external addresses to the clients so that they

can directly connect

31
 Does Hole Punching Work?

 Suppose A and B both connect with server S1 and exchange their external
IP addresses (192.168.0.254 and 203.0.113.100)
 S1 sends the other clients information to each client
 Can A and B connect directy?
 Yes, if the NATs are endpoint-independent
32  No, if the NATs are address dependent OR address and port dependent
 UNSAF
 Unilateral Self-Address Fixing

 Client/Server based
 Query server to find my external address

 But answer depends on who you ask

 B gets different answers from S1 and S2

 Maintaining consistency between NAT topology and the

server data is difficult

33
 Session Traversal Utilities for NAT
(STUN)
 A standardized mechanism for realizing the UNSAF concept

 A set of methods and a network protocol to allow an end

host to discover its public IP address if it is located behind a
NAT

 STUN Servers have globally reachable IP addresses

 Server echoes back requests sent to it in a way that allows

clients to find their external addresses

34
 TURN (Traversal Using Relays around NAT)
 Used as a last resort if two systems are unable to
communicate directly
 E.g., due to address or port dependent NAT bindings

 Plumbing is done by the TURN server

 The TURN server provides an address that is used by the

clients to communicate

 It is an extension of STUN

35
 TURN (Traversal Using Relays around NAT)

36
 ICE (Interactive Connectivity Establishment)
 Generic technique to help applications behind NAT establish
connectivity
 Uses TURN to obtain candidate transport addresses that each
agent may use
 ICE orders the list of pairs of addresses and sends to peer
agent
 Peer agent performs a similar task
 A set of checks are performed to determine the best pair to
use (all pairs may be checked)

37
 Configuring Packet-Filtering Firewalls
EXTIF="ext0"
INTIF="eth0"
LOOPBACK_INTERFACE="lo"
ALL="0.0.0.0/0" # matches all

# set default filter table policies to drop

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# all local traffic OK

iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -i $LOOPBACK_INTERFACE -j ACCEPT

# accept incoming DHCP requests on internal interface

iptables -A INPUT -i $INTIF -p udp -s 0.0.0.0 \
--sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT

# drop unusual/suspect TCP traffic with no flags set

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
38
 NAT Rules
 NAT is called Internet Connection Sharing (ICS): Windows
 192.168.0.1 is assigned to the machine running ICS
 DHCP and DNS servers are started on that machine
 192.168.0/24 are assigned to other devices
 If DHCP/DNS are running and/or 192.168.0/24 is in use,
default settings need to be changed

 NAT is called IP Masquerading: Linux

39
 NAT Rules: A Linux Example
EXTIF="ext0"
echo "Default FORWARD policy: DROP"
iptables -P FORWARD DROP

echo "Enabling NAT on $EXTIF for hosts 192.168.0.0/24"

iptables -t nat -A POSTROUTING -o $EXTIF -s 192.168.0.0/24 \
-j MASQUERADE

echo "FORWARD policy: DROP unknown traffic"

iptables -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j
DROP

40