kernel-packages team mailing list archive
Message #138805
[Bug 1503695] Re: nft nat not working
** Information type changed from Private Security to Public Security
** Also affects: linux (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1503695
Title:
nft nat not working
Status in linux package in Ubuntu:
New
Status in nftables package in Ubuntu:
New
Bug description:
Hi,
I have installed an ubuntu 15.10 beta machine and configured nftables
firewalling.
While the regular firewalling works (using the default settings that
come with the package), I found that nat rules are silently ignored.
I've added this to the /etc/nftables.conf and read it:
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority 0;
            ip daddr 1.2.3.4 tcp dport 80 redirect to 1234
            tcp dport 80 redirect to 1235
        }
        chain postrouting {
            type nat hook postrouting priority 0;
        }
    }
following the example from
http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29#Redirect
(1.2.3.4 is just a placeholder for the address actually used here, I
do not want to reveal the address to the bug report). nft reads this
without complaining, and
nft list table ip nat
gives exactly that output (except for replacing 80 with "http"), so
the configuration is read correctly.
But it simply does not work. Without having any daemon listening on
ports 1234, 1235, traffic to port 80 works as usual. As long as there
is no process waiting on 1234/1235, the connection should be refused.
Which is dangerous and a security flaw, since this was meant (and used
in a similar way with iptables and Ubuntu 14.04) to avoid revealing
sensitive data over the internet (an application that is not able to
use https should be tunneled). When firewall rules have been loaded
and accepted without any warning, one would expect them to run.
I've tried to unload all iptables-related kernel packages and to load
packages like nft_nat, nft_redir, nft_redir_ipv4, but the direct
connection to port 80 still works although it shouldn't.
No error warning, no message. It just allows outgoing port 80 although
it shouldn't.
Which is a problem, since this is security-relevant. If it doesn't
work, it should spit out some error message.
(FYI: It was implemented under Ubuntu 14.04 with
iptables -t nat -I OUTPUT -d 1.2.3.4 -p tcp --dport 80 -j REDIRECT --to-port 1234
)
My current guess: At the bottom of that wiki page there's a hint that iptables and nft nat cannot be used at the same time. Unfortunately Ubuntu 15.10 still loads plenty of iptables stuff. Although I've tried to remove it all and its kernel modules, I guess this could be a problem.
ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: nftables 0.4-7
ProcVersionSignature: Ubuntu 4.2.0-14.16-generic 4.2.2
Uname: Linux 4.2.0-14-generic x86_64
ApportVersion: 2.19-0ubuntu1
Architecture: amd64
CurrentDesktop: XFCE
Date: Wed Oct 7 15:21:36 2015
InstallationDate: Installed on 2015-09-03 (33 days ago)
InstallationMedia: Xubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150825)
SourcePackage: nftables
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1503695/+subscriptions
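The iptables rule quoted at the end of the report sits in the nat OUTPUT chain, which handles connections originated by the host itself, whereas the posted nft table only hooks prerouting, which sees packets arriving from the network. As an added example, not part of the original report, this is the same ruleset with an output-hook chain as well, plus per-rule counters so that a rule that is loaded but never matched shows up as a zero counter instead of silently passing traffic. 1.2.3.4 and ports 1234/1235 are the report's own placeholder values, and the syntax follows the nft 0.4 form used on the page.

```nft
# Added example, not taken from the bug report or the nftables wiki.
# 1.2.3.4 is the report's placeholder for the real destination address;
# 1234/1235 are the local ports the report redirects to. Newer nft
# releases spell the target as "redirect to :1234".
table ip nat {
    # prerouting only sees packets that arrive from the network: it is
    # the counterpart of iptables -t nat PREROUTING, not of OUTPUT.
    chain prerouting {
        type nat hook prerouting priority 0;
        ip daddr 1.2.3.4 tcp dport 80 counter redirect to 1234
        tcp dport 80 counter redirect to 1235
    }

    # Connections generated on this host (a browser or tunnel client)
    # traverse the output hook, the counterpart of the
    # "iptables -t nat -I OUTPUT ... -j REDIRECT" rule quoted in the report.
    chain output {
        type nat hook output priority 0;
        ip daddr 1.2.3.4 tcp dport 80 counter redirect to 1234
        tcp dport 80 counter redirect to 1235
    }

    chain postrouting {
        type nat hook postrouting priority 0;
    }
}
```

After loading with nft -f, nft list table ip nat prints each rule with its packets/bytes counter, so a redirect that is installed but never hit is visible as a zero counter rather than inferred from traffic behaviour.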