Hi all,
This post is related to this one:
http://marc.info/?l=openbsd-misc&m=145017155902016&w=2. After doing a
lot of tests, I have arrived at a satisfactory situation.
At this moment, my divert-packet rules work (for all protocols,
without modifying state options) to redirect traffic to an IDS (I am
doing these tests using Snort and Suricata).
But I have a problem with NAT rules. If I am not wrong, a NAT rule
acts before a packet is diverted to the specified socket.
I have done some tests using the example program from the divert(4) man page.
Here is the result:
root@dundee:/nsm/2015-12-18# test_divert
10.5.10.177:54967 -> 216.58.208.228:80
216.58.208.228:80 -> 172.22.55.4:58816
10.5.10.177:54967 -> 216.58.208.228:80
10.5.10.177:54967 -> 216.58.208.228:80
216.58.208.228:80 -> 172.22.55.4:58816
216.58.208.228:80 -> 172.22.55.4:58816
216.58.208.228:80 -> 172.22.55.4:58816
10.5.10.177:54967 -> 216.58.208.228:80
10.5.10.177:54967 -> 216.58.208.228:80
216.58.208.228:80 -> 172.22.55.4:58816
10.5.10.177:54967 -> 216.58.208.228:80
216.58.208.228:80 -> 172.22.55.4:58816
As you can see here, there are two private IPs: 10.5.10.177 and
172.22.55.4.
IP 10.5.10.177 is the external IP address of the OpenBSD firewall. 172.22.55.4
is an internal VM doing telnet to www.google.com port 80 (IP
216.58.208.228).
My relevant pf rules are:
set block-policy drop
set state-policy if-bound
# Scrubbing rules
match in all scrub (no-df)
match out on egress all scrub (random-id)
match on egress all scrub (reassemble tcp)
block all
pass in inet proto tcp from 172.22.55.4 to !<internal_networks> tag intlans-to-inet
pass out quick on egress inet proto { tcp icmp udp } from 172.22.55.4 divert-packet port 8000 nat-to (vio1:0)
Stopping the divert example program and starting up a Suricata instance
(or Snort; the results are the same), it only sees the NATed address:
10.5.10.177. An example triggered alert:
12/18/2015-09:23:51.436216 [Drop] [**] [1:2:1] Reject web access to
Google [**] [Classification: Misc Attack] [Priority: 2] {TCP}
10.5.10.177:56172 -> 216.58.208.228:80
My question is: is it possible to NAT an IP after the divert-packet rule
acts?
Thanks.