[linux-security] Re: IP Filters and Masq: precisions
- From: Glynn Clements <glynn sensei co uk>
- To: "Andrew S. Prior" <andrew cs toronto edu>
- Cc: Mailing Lists <mlist almerco ca>, linux-security redhat com
- Subject: [linux-security] Re: IP Filters and Masq: precisions
- Date: Thu, 13 Aug 1998 02:29:01 +0100 (BST)
Andrew S. Prior wrote:
> > > I know about how masq works, I already have built one network using it. I
> > > have 15 computers inside my ip+masq firewall, with the fake ip c class
> > > 192.168.x.x, and 5 computers in a normal class C on the outside. It works
> > > great! My only concern really is that I want to know if there is any way
> > > for a hacker to directly connect to one of my protected computers from the
> > > outside.
> >
> > No, but one of the protected computers could connect to the hacker.
>
> And one of the protected computers can breach your firewall as well. If
> somebody runs a port forwarder like ssh they can connect to a remote server
> and ask for certain ports on that server to be re-routed via ssh to the
> protected computer. The protected computer could then even be used as an
> IP tunnel with a little creativity (I don't think ssh does that).
>
> I think with linux, ssh, masquerading, and routing tables I could set up
> a machine inside a firewall that would give me full access to the inside
> of the firewall (anything the linux box could talk to) from my chosen
> arbitrary remote destination, just like I was there. Of course, you need
> to get *in* first to set it up and it would be simpler to telnet in (via
> a forwarded port) and run things locally.
Sure. If you have sufficient permission on a host on the inside of the
firewall which has any Internet connectivity whatsoever, then you can
use that connectivity to run an IP tunnel.
The only thing which will prevent that is total disconnection.
--
Glynn Clements <glynn sensei co uk>
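The thread's point is that masquerading blocks inbound connections but an inside host can still open an outbound ssh session and have ports forwarded back through it. An added example (not from the thread or its authors): a small Python check over a constructed, simplified "src dst dport age" session table (not a real kernel table format) that flags long-lived outbound ssh sessions from the 192.168.x.x side, which is what such a tunnel looks like from the masquerading gateway. The port set and age threshold are hypothetical policy values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: one masqueraded (outbound) session per line as
# "src dst dport age_seconds". Simplified for the example; not a kernel format.
SAMPLE_SESSIONS = """\
192.168.1.10 198.51.100.5 80 12
192.168.1.10 198.51.100.5 443 40
192.168.1.22 203.0.113.9 22 7200
192.168.1.7 203.0.113.9 22 45
192.168.1.31 198.51.100.77 25 300
"""

INSIDE = ip_network("192.168.0.0/16")  # the masqueraded "fake" class C range
TUNNEL_PORTS = {22}   # hypothetical policy: outbound ssh is what the thread discusses
LONG_LIVED = 3600     # hypothetical threshold (seconds) for a tunnel-like session


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    age: int


def parse_sessions(text):
    """Parse the simplified session table into Session records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, age = line.split()
        out.append(Session(src, dst, int(dport), int(age)))
    return out


def suspicious_outbound(sessions):
    """Sessions from inside hosts to outside ssh ports that have outlived the threshold."""
    flagged = []
    for s in sessions:
        if ip_address(s.src) not in INSIDE or ip_address(s.dst) in INSIDE:
            continue  # only inside -> outside sessions matter here
        if s.dport in TUNNEL_PORTS and s.age >= LONG_LIVED:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for s in suspicious_outbound(parse_sessions(SAMPLE_SESSIONS)):
        print(f"long-lived outbound ssh from {s.src} to {s.dst}:{s.dport} ({s.age}s)")
```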