[CLUE-Tech] After DSL upgrade - some weird problems

Paul clue at cyber-addict.com
Sun May 23 15:35:32 MDT 2004


Admittedly, I do not use DSL so I have not worked with DSL routers 
before.  I assumed they operated like other routers I have worked with, 
like FreeBSD/Linux routers, and Cisco routers (2500, 7206, and 7513). 
So take what I say with a grain of salt. :)

In my past experience, routers do not even need to do a routing table 
lookup on the destination IP address if it is one on an existing 
interface.  The existing interface just receives it.  But as your 
trace-route shows, your router is indeed doing a routing table lookup 
and passing it off to the default route.  Hmm....

By anti-spoofing, I meant they prevent internal IP addresses from being 
used to access your external interface.  In their access list, some 
people allow all their internal traffic to go anywhere (like a "permit 
192.168.0.0/24 to any" statement).  By spoofing their IP address to an 
internal IP, a hacker could then pass through the external interface 
and on to the internal network without being blocked.  Hence, I have 
seen that some cable modem routers you buy in stores, and HOWTOs for 
iptables, include a rule to block any packets coming into the external 
interface with a source IP address belonging to the internal LAN.  
Depending on the way the routing software is doing the NAT, if you try 
to access the external IP from inside your LAN, it may or may not have 
done the NATing.  Therefore your packets would be coming "in" the 
external interface with a source address of the internal LAN.

But, like I said above, that really depends on the software, how it is 
configured, the access control list, and the routing table.  I have not 
worked with all routers, obviously, so my statements are based on my 
past experiences and not all inclusive.

In messing with my Linux router (Pebble Linux, based off of Debian), I 
notice that it does allow me to SSH to the external IP address.  
However, it does not forward the connection to my internal server like 
it normally does.  Instead, it creates an SSH connection directly with 
the router.  Perhaps that is happening with yours as well, in that the 
router is trying to respond instead of forwarding the request on to 
your internal server.

A trace-route on my part to the external IP address just shows one hop, 
my router.  <shrugs shoulders>

Paul


--------------------------
Hosted by CyberAddict (http://www.cyberaddict.net)



On May 23, 2004, at 11:56 AM, David Anselmi wrote:

> Paul wrote:
>> Actually, that should not depend on your ISP.  It should depend on 
>> the router.  Your machine would resolve the hostname to an external 
>> IP, so it would send it to your router.  The router *should* see that 
>> the IP is on its external interface, and send it to there.  So it 
>> should never go to the ISP's router.
>
> Ok, I agree with you -- except that isn't what happens.  My router 
> doesn't have a route for its external IP so if it made a routing 
> decision it would pick the default gateway (the WAN interface).  Why 
> does it need to make a routing decision?  The dest IP is on the 
> router, the packet should be sent there as you say.
>
> But when I traceroute the first hop is the router's eth0 (inside 
> interface).  The second is a router at Qwest.  The third doesn't 
> answer (odd now that I think about it).  Well, using ICMP rather than 
> UDP does answer but the last hop shows up twice.
>
> So this does depend on my ISP getting traffic from me to me and being 
> willing to turn it around at their router.
>
> If I add a route to the modem that says my external IP is reached on 
> eth0 (rather than wan0) things break.  My hypothesis is that in that 
> case the packets aren't DNAT'd.
>
> There is more going on than I can explain, clearly.
>
>> However, most routers have an "anti-spoofing" rule to prevent IPs 
>> coming from the internal LAN from going to the external interface.  
>> Some do not.
>
> What most routers?  It seems that my Cisco 678 doesn't (I would guess 
> the same for other "SOHO" DSL routers).  Are you saying this is 
> automatic or something they can be configured to do?
>
> What do you mean by anti-spoofing?  You seem to be saying "drop 
> packets with dest IP equal to my external IP unless they come in on my 
> external interface".  Do people really do that?  It seems silly (I 
> can't telnet to my external interface from my internal network).
>
> OTOH, I know people do egress filtering (drop traffic coming in an 
> internal interface if the source IP doesn't match an internal 
> network).  And what I would call anti-spoofing is "drop traffic coming 
> in an external interface if the source IP (not dest) matches an 
> internal network".
>
> I could be mixing things up though so please explain.
>
> Thanks!
> Dave
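As an added illustration (not code from either poster), here is a small Python model of the two rules the thread distinguishes: anti-spoofing (drop packets arriving on the external interface with an internal source address) and egress filtering (drop packets arriving on the inside interface whose source is not an internal network), plus the iptables form of the rule Paul mentions. The interface names eth0/wan0 and the 192.168.0.0/24 LAN come from the thread; the sample packets in the assertions are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed topology (constructed for this example): eth0 is the inside
# interface, wan0 the ISP-facing one, and the LAN is 192.168.0.0/24.
INSIDE_IF, OUTSIDE_IF = "eth0", "wan0"
INTERNAL_NETS = [ip_network("192.168.0.0/24")]

@dataclass
class Packet:
    in_iface: str  # interface the packet arrived on
    src: str
    dst: str

def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)

def anti_spoof(pkt: Packet) -> Optional[str]:
    """Anti-spoofing as the thread defines it: a packet arriving on the
    external interface must not carry an internal *source* address."""
    if pkt.in_iface == OUTSIDE_IF and is_internal(pkt.src):
        return f"DROP anti-spoof: internal source {pkt.src} on {OUTSIDE_IF}"
    return None

def egress(pkt: Packet) -> Optional[str]:
    """Egress filtering: a packet arriving on the inside interface must
    carry one of our own internal source addresses."""
    if pkt.in_iface == INSIDE_IF and not is_internal(pkt.src):
        return f"DROP egress: non-internal source {pkt.src} on {INSIDE_IF}"
    return None

def verdict(pkt: Packet) -> str:
    """First matching rule wins; anything else is accepted here."""
    for rule in (anti_spoof, egress):
        hit = rule(pkt)
        if hit:
            return hit
    return "ACCEPT"

def iptables_rules() -> List[str]:
    """The same two rules rendered as iptables FORWARD-chain commands."""
    rules = []
    for net in INTERNAL_NETS:
        rules.append(f"iptables -A FORWARD -i {OUTSIDE_IF} -s {net} -j DROP")
        rules.append(f"iptables -A FORWARD -i {INSIDE_IF} ! -s {net} -j DROP")
    return rules
```

The first packet in the test is the un-NATed hairpin case Paul describes: an inside host's packet showing up on the external interface with its LAN source address intact, which the anti-spoofing rule drops.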