Configuring the Packet Filtering Function in Combination with NAT

Verified version:
 Brocade 5600 vRouter 4.2R1S1
This section describes the packet filtering settings to make when NAT is in use.
When NAT is in use, the router rewrites packet headers. For every “forwarded packet” that passes through a NAT-applied interface it therefore records an entry in the session table.
When the “returning packet” passes through the interface, the router first checks whether the packet belongs to a session in the session table, and only then decides whether to forward it directly or to pass it through the interface's normal processing, including the packet filtering rules bound to that interface.
As a result, even when only ordinary (stateless) packet filtering rules have been applied, “returning packets” are recognized as belonging to an existing session and are forwarded on the strength of the session-table lookup. The resulting behaviour is the same as if the stateful function had been enabled.
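The following is an added example, not vRouter code from this page or from Brocade: a small Python model of the forwarding path the paragraph above describes, using the addresses, rulesets and NAT rules of the sample configuration on this page. It covers the three variants shown on this page (no stateful setting, “global-state-policy tcp”, and per-rule “state enable”) and shows that all three give the same verdicts, because the NAT session entry alone already lets the server's reply through all_drop on dp0s6. It also shows that the ingress ruleset is evaluated on the untranslated destination (the page's rule matches 192.168.2.50, not 192.168.3.3, and the connection succeeds). The class and function names (Packet, Rule, Router, page_scenarios), the exact pipeline order and the session-key layout are simplifying assumptions of this model.

```python
"""Toy model of the vRouter forwarding path described on this page (an added
example, not vRouter code): ingress firewall evaluated on the pre-NAT header,
then DNAT, routing, SNAT and a session entry for every translated flow; a
returning packet is matched against the session table before the ingress
ruleset of the interface it arrives on. Pipeline order and session keys are
simplifying assumptions; addresses and rules mirror the page's configuration."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for ICMP
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str = None
    dst: str = None
    dport: int = None
    state: bool = False  # per-rule 'state enable'

    def matches(self, p):
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


class Router:
    """The page's router: dp0s5 in -> test_rule, dp0s6 in -> all_drop."""

    def __init__(self, rule_state=False, global_state_tcp=False, rule_dst="192.168.2.50"):
        self.ifaces = {"dp0s4": "192.168.1.50/24", "dp0s5": "192.168.2.50/24",
                       "dp0s6": "192.168.3.5/24"}
        self.rulesets = {  # name -> (rules, default-action)
            "test_rule": ([Rule("accept", "tcp", rule_dst, 21, rule_state)], "drop"),
            "all_drop": ([], "drop"),
        }
        self.fw_in = {"dp0s5": "test_rule", "dp0s6": "all_drop"}
        self.dnat = {"dp0s5": ("192.168.2.50", "192.168.3.3")}  # inbound-interface: (dst, translation)
        self.snat = {"dp0s6": "192.168.2.0/24"}                 # outbound-interface: masqueraded sources
        self.global_state_tcp = global_state_tcp
        self.sessions = {}   # expected return 5-tuple -> original (pre-NAT) packet
        self.next_port = 50000

    def egress_for(self, dst):
        for name, cidr in self.ifaces.items():
            if ipaddress.ip_address(dst) in ipaddress.ip_network(cidr, strict=False):
                return name
        return None

    def firewall_in(self, iface, p):
        name = self.fw_in.get(iface)
        if name is None:
            return "accept", None
        rules, default = self.rulesets[name]
        hit = next((r for r in rules if r.matches(p)), None)
        return (hit.action, hit) if hit else (default, None)

    def forward(self, iface, p):
        """Return (verdict, packet as emitted or None, reason)."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.sessions:  # returning packet: session table is consulted first
            o = self.sessions[key]
            back = Packet(p.proto, src=o.dst, dst=o.src, sport=o.dport, dport=o.sport)
            return "forward", back, "session table"
        verdict, rule = self.firewall_in(iface, p)   # evaluated on the untranslated header
        if verdict != "accept":
            return "drop", None, f"{self.fw_in[iface]} on {iface} in"
        out, nat = p, False
        if iface in self.dnat and p.dst == self.dnat[iface][0]:
            out, nat = replace(out, dst=self.dnat[iface][1]), True
        egress = self.egress_for(out.dst)
        if egress is None or egress == iface:
            return "drop", None, "not forwarded"
        if egress in self.snat and ipaddress.ip_address(out.src) in ipaddress.ip_network(self.snat[egress]):
            out, nat = replace(out, src=self.ifaces[egress].split("/")[0], sport=self.next_port), True
            self.next_port += 1
        # NAT alone creates the session; the stateful settings would add the same entry
        if nat or (rule and rule.state) or (self.global_state_tcp and p.proto == "tcp"):
            self.sessions[(out.proto, out.dst, out.dport, out.src, out.sport)] = p
        return "forward", out, "nat session" if nat else "stateless"


def page_scenarios(router, client="192.168.2.6"):
    """The checks from the page's operation log, plus one unsolicited packet from the dp0s6 side."""
    ping = router.forward("dp0s5", Packet("icmp", client, "192.168.2.50"))[0]
    v1, syn, _ = router.forward("dp0s5", Packet("tcp", client, "192.168.2.50", 40000, 21))
    if v1 != "forward":
        return {"ping": ping, "ftp_syn": v1}
    # the server's SYN/ACK arrives on dp0s6, where all_drop is bound
    v2, back, why = router.forward("dp0s6", Packet("tcp", "192.168.3.3", syn.src, 21, syn.sport))
    stray = router.forward("dp0s6", Packet("tcp", "192.168.3.3", "192.168.3.5", 21, 1234))[0]
    return {"ping": ping, "ftp_syn": (v1, syn.src, syn.dst, syn.dport),
            "ftp_reply": (v2, back.src, back.dst, why), "unsolicited": stray}
```

page_scenarios(Router()) drops the ping, forwards the FTP SYN (emitted as 192.168.3.5 -> 192.168.3.3:21 after DNAT and masquerade), forwards the reply that arrives on dp0s6 despite all_drop because it hits the session table, and drops the unsolicited packet from the dp0s6 side. Router(rule_state=True) and Router(global_state_tcp=True) return exactly the same dictionary, which is the point of this page. Router(rule_dst="192.168.3.3") drops the FTP SYN, because the ruleset bound to dp0s5 in sees the destination before translation.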

Packet Filtering Function When NAT Is in Use

This section describes how packet filtering behaves when NAT is in use.

Presumed case for sample setting

Setting the NAT environment
  • Translate the destination IP address of packets arriving on interface “dp0s5” (destination NAT)

  • Apply NAPT (masquerade) to packets leaving interface “dp0s6”

Setting the stateful firewall function
  • Accept FTP (TCP port 21) from the terminal on the “dp0s5” segment

  • Reject all other communications arriving on interface “dp0s5”

  • Reject all communications arriving on interface “dp0s6”
Configuration diagram
(figure omitted; it shows the addresses used in the configuration below: terminal 192.168.2.6 on the dp0s5 segment, router interfaces dp0s5 192.168.2.50/24 and dp0s6 192.168.3.5/24, and the FTP server 192.168.3.3 reached through NAT)

Setting flow in a presumed case

Setting the NAT environment
1.Destination NAT: packets arriving on interface “dp0s5” addressed to “192.168.2.50” are translated to “192.168.3.3”
2.NAPT: packets leaving interface “dp0s6” from “192.168.2.0/24” are masqueraded with the interface address

Setting the stateful firewall
1.Name the packet filtering ruleset test_rule
2.Add rule 10, which accepts packets whose destination is IP address “192.168.2.50”, TCP port 21
3.Set the default action so that all packets other than those to “192.168.2.50” port 21 are dropped
4.Apply test_rule in the input direction on interface “dp0s5”
5.Name a ruleset that drops all communications all_drop
6.Apply all_drop in the input direction on interface “dp0s6”

Commands to enter in the CLI

set service nat destination rule 10 destination address '192.168.2.50'
set service nat destination rule 10 inbound-interface 'dp0s5'
set service nat destination rule 10 translation address '192.168.3.3'
set service nat source rule 10 outbound-interface 'dp0s6'
set service nat source rule 10 source address '192.168.2.0/24'
set service nat source rule 10 translation address 'masquerade'
set security firewall name all_drop default-action 'drop'
set security firewall name all_drop rule 10 action 'drop'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.2.50'
set security firewall name test_rule rule 10 destination port '21'
set security firewall name test_rule rule 10 protocol 'tcp'
set interfaces dataplane dp0s5 firewall in 'test_rule'
set interfaces dataplane dp0s6 firewall in 'all_drop'
The resulting configuration is as follows.
 interfaces {
        dataplane dp0s4 {
                address 192.168.1.50/24
        }
        dataplane dp0s5 {
                address 192.168.2.50/24
                firewall {
                        in test_rule
                }
        }
        dataplane dp0s6 {
                address 192.168.3.5/24
                firewall {
                        in all_drop
                }
        }
 }
 security {
        firewall {
                name all_drop {
                        default-action drop
                        rule 10 {
                                action drop
                        }
                }
                name test_rule {
                        default-action drop
                        rule 10 {
                                action accept
                                destination {
                                        address 192.168.2.50
                                        port 21
                                }
                                protocol tcp
                        }
                }
        }
 }
 service {
        nat {
                destination {
                        rule 10 {
                                destination {
                                        address 192.168.2.50
                                }
                                inbound-interface dp0s5
                                translation {
                                        address 192.168.3.3
                                }
                        }
                }
                source {
                        rule 10 {
                                outbound-interface dp0s6
                                source {
                                        address 192.168.2.0/24
                                }
                                translation {
                                        address masquerade
                                }
                        }
                }
        }
}

Operation check result

The verification log below shows the following. Pings from the terminal “192.168.2.6” in the configuration diagram to both “192.168.2.50” and “192.168.3.3” fail, because test_rule on interface “dp0s5” drops everything except TCP to “192.168.2.50” port 21. An FTP connection to “192.168.2.50” port 21 succeeds: test_rule accepts it, NAT translates the destination to “192.168.3.3”, and the server's replies, which arrive on interface “dp0s6” where all_drop rejects every packet, are still forwarded because they match the session table that NAT created. The FTP data connections (active PORT and passive PASV) also succeed, and the PASV reply advertises “192.168.2.50”, the translated address, rather than the server's own; these data connections use separately negotiated ports and pass because the router's FTP ALG tracks the control channel, not because test_rule matches them.

#Ping to 192.168.3.3 and 192.168.2.50 -> NG

test@ubu01:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6999ms

test@ubu01:~$ ping 192.168.2.50
PING 192.168.2.50 (192.168.2.50) 56(84) bytes of data.
^C
--- 192.168.2.50 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5040ms


#FTP to 192.168.2.50 (translated by NAT to 192.168.3.3) -> OK

test@ubu01:~$ ftp 192.168.2.50
Connected to 192.168.2.50.
220 (vsFTPd 3.0.3)
Name (192.168.2.50:test): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 1000     1000         4096 Sep 10  2015 aaa
-rw-r--r--    1 1000     1000         8980 Aug 31  2015 examples.desktop
-rw-rw-r--    1 1000     1000          612 Dec 02  2015 index.html
-rw-rw-r--    1 1000     1000        31272 Jun 13 10:48 ping.txt
drwxrwxr-x    2 1000     1000         4096 May 30 01:46 tmp
drwxr-x--x    8 1000     1000         4096 Jul 26 06:29 vsftpd-3.0.3
226 Directory send OK.
ftp>
ftp> get index.html
local: index.html remote: index.html
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for index.html (612 bytes).
226 Transfer complete.
612 bytes received in 0.00 secs (4.9046 MB/s)
ftp>
ftp> passive
Passive mode on.
ftp>
ftp> get index.html
local: index.html remote: index.html
227 Entering Passive Mode (192,168,2,50,19,213).
150 Opening BINARY mode data connection for index.html (612 bytes).
226 Transfer complete.
612 bytes received in 0.00 secs (7.0319 MB/s)
ftp>

Global Setting of the Stateful Function When NAT Is in Use

This section describes the behaviour when the stateful function has been enabled globally, for all packet filtering rules, while NAT is in use.

Presumed case for sample setting

Setting the NAT environment
  • Translate the destination IP address of packets arriving on interface “dp0s5” (destination NAT)

  • Apply NAPT (masquerade) to packets leaving interface “dp0s6”

Setting the stateful firewall function
  • Accept FTP (TCP port 21) from the terminal on the “dp0s5” segment

  • Reject all other communications arriving on interface “dp0s5”

  • Reject all communications arriving on interface “dp0s6”

  • Enable the stateful function globally, for all packet filtering rules

Configuration diagram
(figure omitted; it shows the addresses used in the configuration below: terminal 192.168.2.6 on the dp0s5 segment, router interfaces dp0s5 192.168.2.50/24 and dp0s6 192.168.3.5/24, and the FTP server 192.168.3.3 reached through NAT)

Setting flow in a presumed case

Setting the NAT environment
1.Destination NAT: packets arriving on interface “dp0s5” addressed to “192.168.2.50” are translated to “192.168.3.3”
2.NAPT: packets leaving interface “dp0s6” from “192.168.2.0/24” are masqueraded with the interface address

Setting the stateful function
1.Enable the stateful function globally for TCP (global-state-policy tcp), so that every accepting rule creates a session for TCP
2.Name the packet filtering ruleset test_rule
3.Add rule 10, which accepts packets whose destination is IP address “192.168.2.50”, TCP port 21
4.Set the default action so that all packets other than those to “192.168.2.50” port 21 are dropped
5.Apply test_rule in the input direction on interface “dp0s5”
6.Name a ruleset that drops all communications all_drop
7.Apply all_drop in the input direction on interface “dp0s6”

Commands to enter in the CLI

set service nat destination rule 10 destination address '192.168.2.50'
set service nat destination rule 10 inbound-interface 'dp0s5'
set service nat destination rule 10 translation address '192.168.3.3'
set service nat source rule 10 outbound-interface 'dp0s6'
set service nat source rule 10 source address '192.168.2.0/24'
set service nat source rule 10 translation address 'masquerade'
set security firewall global-state-policy 'tcp'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.2.50'
set security firewall name test_rule rule 10 destination port '21'
set security firewall name test_rule rule 10 protocol 'tcp'
set security firewall name all_drop default-action 'drop'
set interfaces dataplane dp0s5 firewall in 'test_rule'
set interfaces dataplane dp0s6 firewall in 'all_drop'
The resulting configuration is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in all_drop
               }
       }
}
security {
       firewall {
               global-state-policy {
                       tcp
               }
               name all_drop {
                       default-action drop
               }
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               destination {
                                       address 192.168.2.50
                                       port 21
                               }
                               protocol tcp
                       }
               }
       }
}
service {
       nat {
               destination {
                       rule 10 {
                               destination {
                                       address 192.168.2.50
                               }
                               inbound-interface dp0s5
                               translation {
                                       address 192.168.3.3
                               }
                       }
               }
               source {
                       rule 10 {
                               outbound-interface dp0s6
                               source {
                                       address 192.168.2.0/24
                               }
                               translation {
                                       address masquerade
                               }
                       }
               }
       }
}

Operation check result

The verification log below shows the following. Pings from the terminal “192.168.2.6” in the configuration diagram to both “192.168.2.50” and “192.168.3.3” fail, because test_rule on interface “dp0s5” drops everything except TCP to “192.168.2.50” port 21. An FTP connection to “192.168.2.50” port 21 succeeds: test_rule accepts it, NAT translates the destination to “192.168.3.3”, and the server's replies, which arrive on interface “dp0s6” where all_drop rejects every packet, are forwarded because they match the session table. With the global stateful setting the firewall itself also records the session, but the observable result is the same as in the previous section, where the NAT session entry alone let the replies through. The FTP data connections (active and passive) succeed as before, with the PASV reply rewritten to the translated address “192.168.2.50” by the FTP ALG.

#Ping to 192.168.2.50 and 192.168.3.3 -> NG

test@ubu01:~$ ping 192.168.2.50
PING 192.168.2.50 (192.168.2.50) 56(84) bytes of data.
^C
--- 192.168.2.50 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

test@ubu01:~$
test@ubu01:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2016ms


#FTP to 192.168.2.50 (translated by NAT to 192.168.3.3) -> OK

test@ubu01:~$ ftp 192.168.2.50
Connected to 192.168.2.50.
220 (vsFTPd 3.0.3)
Name (192.168.2.50:test): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 1000     1000         4096 Sep 10  2015 aaa
-rw-r--r--    1 1000     1000         8980 Aug 31  2015 examples.desktop
-rw-rw-r--    1 1000     1000          612 Dec 02  2015 index.html
-rw-rw-r--    1 1000     1000        31272 Jun 13 10:48 ping.txt
drwxrwxr-x    2 1000     1000         4096 May 30 01:46 tmp
drwxr-x--x    8 1000     1000         4096 Jul 26 06:29 vsftpd-3.0.3
226 Directory send OK.
ftp>
ftp> get index.html
local: index.html remote: index.html
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for index.html (612 bytes).
226 Transfer complete.
612 bytes received in 0.00 secs (5.2111 MB/s)
ftp>
ftp> passive
Passive mode on.
ftp>
ftp> get index.html
local: index.html remote: index.html
227 Entering Passive Mode (192,168,2,50,108,210).
150 Opening BINARY mode data connection for index.html (612 bytes).
226 Transfer complete.
612 bytes received in 0.00 secs (7.0319 MB/s)
ftp>

Discrete Settings of the Stateful Function When NAT Is in Use

This section describes the behaviour when the stateful function has been enabled individually, per packet filtering rule, while NAT is in use.
It shows a setting example that enables the stateful function only on the rules that need it, in a configuration where the NAT function is in use together with the firewall.

Presumed case for sample setting

Setting the NAT environment
  • Translate the destination IP address of packets arriving on interface “dp0s5” (destination NAT)

  • Apply NAPT (masquerade) to packets leaving interface “dp0s6”

Setting the stateful firewall function
  • Accept FTP (TCP port 21) from the terminal on the “dp0s5” segment

  • Reject all other communications arriving on interface “dp0s5”

  • Reject all communications arriving on interface “dp0s6”

  • Enable the stateful function only on the packet filtering rules that need it

Configuration diagram
(figure omitted; it shows the addresses used in the configuration below: terminal 192.168.2.6 on the dp0s5 segment, router interfaces dp0s5 192.168.2.50/24 and dp0s6 192.168.3.5/24, and the FTP server 192.168.3.3 reached through NAT)

Setting flow in a presumed case

Setting the NAT environment
1.Destination NAT: packets arriving on interface “dp0s5” addressed to “192.168.2.50” are translated to “192.168.3.3”
2.NAPT: packets leaving interface “dp0s6” from “192.168.2.0/24” are masqueraded with the interface address

Setting the stateful function
1.Name the packet filtering ruleset test_rule
2.Add rule 10, which accepts packets whose destination is IP address “192.168.2.50”, TCP port 21
3.Enable the stateful function on rule 10 only (state enable)
4.Set the default action so that all packets other than those to “192.168.2.50” port 21 are dropped
5.Apply test_rule in the input direction on interface “dp0s5”
6.Name a ruleset that drops all communications all_drop
7.Apply all_drop in the input direction on interface “dp0s6”

Commands to enter in the CLI

set service nat destination rule 10 destination address '192.168.2.50'
set service nat destination rule 10 inbound-interface 'dp0s5'
set service nat destination rule 10 translation address '192.168.3.3'
set service nat source rule 10 outbound-interface 'dp0s6'
set service nat source rule 10 source address '192.168.2.0/24'
set service nat source rule 10 translation address 'masquerade'

set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.2.50'
set security firewall name test_rule rule 10 destination port '21'
set security firewall name test_rule rule 10 protocol 'tcp'
set security firewall name test_rule rule 10 state 'enable'
set interfaces dataplane dp0s5 firewall in 'test_rule'

set security firewall name all_drop default-action 'drop'
set interfaces dataplane dp0s6 firewall in 'all_drop'
The resulting configuration is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in all_drop
               }
       }
}
security {
       firewall {
               name all_drop {
                       default-action drop
               }
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               destination {
                                       address 192.168.2.50
                                       port 21
                               }
                               protocol tcp
                               state enable
                       }
               }
       }
}
service {
       nat {
               destination {
                       rule 10 {
                               destination {
                                       address 192.168.2.50
                               }
                               inbound-interface dp0s5
                               translation {
                                       address 192.168.3.3
                               }
                       }
               }
               source {
                       rule 10 {
                               outbound-interface dp0s6
                               source {
                                       address 192.168.2.0/24
                               }
                               translation {
                                       address masquerade
                               }
                       }
               }
       }
}

Operation check result

The verification log below shows the following. Pings from the terminal “192.168.2.6” in the configuration diagram to both “192.168.3.3” and “192.168.2.50” fail, because test_rule on interface “dp0s5” drops everything except TCP to “192.168.2.50” port 21. An FTP connection to “192.168.2.50” port 21 succeeds: test_rule accepts it, NAT translates the destination to “192.168.3.3”, and the server's replies, which arrive on interface “dp0s6” where all_drop rejects every packet, are forwarded because they match the session table. Enabling state only on rule 10 records the same session the NAT entry already provides, so the observable result matches the two previous sections. The FTP data connections (active and passive) succeed as before, with the PASV reply rewritten to the translated address “192.168.2.50” by the FTP ALG.

#Ping to 192.168.3.3 and 192.168.2.50 -> NG

test@ubu01:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3022ms

test@ubu01:~$
test@ubu01:~$ ping 192.168.2.50
PING 192.168.2.50 (192.168.2.50) 56(84) bytes of data.
^C
--- 192.168.2.50 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms

#FTP to 192.168.2.50 (translated by NAT to 192.168.3.3) -> OK

test@ubu01:~$ ftp 192.168.2.50
Connected to 192.168.2.50.
220 (vsFTPd 3.0.3)
Name (192.168.2.50:test): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
ftp>
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 1000     1000         4096 Sep 10  2015 aaa
-rw-r--r--    1 1000     1000         8980 Aug 31  2015 examples.desktop
-rw-rw-r--    1 1000     1000          612 Dec 02  2015 index.html
-rw-rw-r--    1 1000     1000        31272 Jun 13 10:48 ping.txt
drwxrwxr-x    2 1000     1000         4096 May 30 01:46 tmp
drwxr-x--x    8 1000     1000         4096 Jul 26 06:29 vsftpd-3.0.3
226 Directory send OK.
ftp>
ftp> get index.html
local: index.html remote: index.html
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for index.html (612 bytes).
226 Transfer complete.
612 bytes received in 0.00 secs (5.6120 MB/s)
ftp>
ftp> passive
Passive mode on.
ftp>
ftp> get index.html
local: index.html remote: index.html
227 Entering Passive Mode (192,168,2,50,219,64).
150 Opening BINARY mode data connection for index.html (612 bytes).
226 Transfer complete.
612 bytes received in 0.00 secs (7.2055 MB/s)
ftp>