Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Masking NAT router [ how to make it stealth ]

Masking NAT router [ how to make it stealth ] 11 years 10 months ago #7204

  • kudlaty
  • kudlaty's Avatar
  • Offline
  • New Member
  • Posts: 5
  • Karma: 0
Hi all

I'm going to split my connection among two or three computers and using one more as a router. As far as I know, one can detect NAT by sniffing traffic and anylasing TTL value and ID number of IP packets (used also for fingerprinting OS's I think). The questions are: how to make that router/NAT device stealth for the outside world. Did anyone tried it already? Are there any other ways to detect such a device like NAT(what about ports it use)?

I think I'm going to use Linux or FreeBSD for masquerading. I prefer Linux but I also consider the latter one because I heard that In Free You can compile option "do not act as a router" which don't affect TTL during routing packets.

Thanks for any Ideas and Opinions.
The administrator has disabled public write access.

Re: Masking NAT router [ how to make it stealth ] 11 years 10 months ago #7207

  • nske
  • nske's Avatar
  • Offline
  • Expert Member
  • Posts: 613
  • Karma: 0
hmm you can actually rewrite the TTL on the packets that pass through the NAT infrastructure of Linux as well, normally by "--ttl-set" directive in your iptables rules.

The only configuration option relative to "act as a router" that I know on FreeBSD is the gateway option which is compiled in by default and can be activated/deactivated from sysctl net.inet.ip.forwarding. Still, without it NAT will not work.

I woudn't worry too much for hiding the router's existense, but then again one can never be too paranoid about security :)
The administrator has disabled public write access.

Re: Masking NAT router [ how to make it stealth ] 11 years 10 months ago #7219

  • kudlaty
  • kudlaty's Avatar
  • Offline
  • New Member
  • Posts: 5
  • Karma: 0
Hmmm

That's even better. Because I can install Smoothwall as I have planned in the very beginning, and then play a little with firewall rules. Thanks for the tip Nske.

I'm also concerned that this was the easiest part to solve, and still have no idea about IPIDs. If Nat has a table in which it keeps track of all conections and changes on-the-fly IP address field in every packet, couldn't it do the same to change other fields? This would need more processing power from the machine, but that's not a problem nowadays right?

I think it would also bypass few RFC rules, but Microsoft doesn't comply with some as well. :)
The administrator has disabled public write access.

Re: Masking NAT router [ how to make it stealth ] 11 years 10 months ago #7222

  • nske
  • nske's Avatar
  • Offline
  • Expert Member
  • Posts: 613
  • Karma: 0
yes processing power is not really an issue for routing in such a small network, especially if you use stateful inspection (since in that case not every packet will be compared against your full ruleset, but only the first for each connection -ideally). I route the traffic to the internet for about 70pcs through an old P1 200MMX and it's not even breaking a sweat ;)
The administrator has disabled public write access.
Time to create page: 0.074 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup