NAT FTP (was: Iptables and ipsec)

Sandy Harris sandy@storm.ca
Sun, 30 Jul 2000 21:00:24 -0400


Steve Moro wrote:
> 
> Client  (Windows/Unix)
>   |
>   |
> Internet
>   |
>   |
> Firewall (Linux IPTABLES)
>   |
>   |
> FTP Server (Win2000)
> 
> What I want to have happen is secure FTP so I want the client to create an
> IPSEC tunnel via the internet through the firewall to the ftp server. (Is
> this possible and if YES how do I do that if it is not too much to ask?)
> 
> I hope I have clarified things for you now. If I am doing something wrong
> or if I am approaching this in a wrong way please let me know.
> 

> > From: Richard Guy Briggs [mailto:rgb@conscoop.ottawa.on.ca]

> > ...  IPSEC and NAT are fundamentally at
> > odds with each other.  It sounds as though you are confusing the term
> > 'DMZ', which is the area *outside* a firewall.  Please draw us your
> > topology.

If, in your diagram, the iptables firewall is doing NAT, then you have a
problem.

The FreeS/WAN 1.5 documentation on this is online at:
http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/firewall.html

The slightly expanded version in current FreeS/WAN snapshots says:

| Any attempt to perform NAT operations on IPSEC packets between the
| IPSEC gateways creates a basic conflict: 
|
|    IPSEC wants to authenticate packets and ensure they are unaltered
|       on a gateway-to-gateway basis 
|    NAT rewrites packet headers as they go by 
|    IPSEC authentication fails if packets are rewritten anywhere
|       between the IPSEC gateways 
|
| This problem can be avoided by having the IPSEC gateway on the Internet
| side of the machine which handles NAT. This can be done physically
| with two machines, or logically with one machine performing
| both functions. 
|
| In pictures, using SG to indicate FreeS/WAN or other IPSEC Security
| Gateways, these configurations work fine and are commonly used: 
|
|      clients --- NAT ----- SG ---------- SG
|                  two machines
|
|      clients --- NAT/SG -----------------SG
|                  one machine
|
| We recommend not trying to build IPSEC connections which pass
| through a NAT machine. This does not work: 
|
|      clients --- SG --- NAT ---------- SG
|
| It is possible to make this work sometimes, but it cannot be done
| entirely reliably. If you must try it, some patches which may help
| are listed in our web references. 
|
| There is an Internet Draft on IPSEC and NAT which may eventually
| evolve into a standard solution for this problem.

An IPSEC tunnel from client to firewall should be easy, but that leaves
your packets unencrypted and sniffable between the FTP server and the
firewall.

You could use two IPSEC tunnels, one from client to firewall and another
from firewall to FTP server. That protects everything on the wires, but
if someone roots your firewall, they can get unencrypted data as it
moves from one tunnel to the other. Getting it doesn't look easy to me,
but it is certainly possible in principle and they might be cleverer
than me.
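To make the conflict in the quoted FreeS/WAN text concrete, here is a small added illustration (example code, not from the original post or from FreeS/WAN). It models an AH-style integrity check over the IP addresses and payload, then places NAT either outside the IPSEC path (the "works fine" pictures) or between the two gateways (the "does not work" picture). The key, addresses and payload are constructed sample values.

```python
import hmac
import hashlib
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

def build_packet(src, dst, ttl, payload):
    """Toy packet: the header fields we care about plus the payload."""
    return {"src": src, "dst": dst, "ttl": ttl, "payload": payload}

def ah_icv(pkt, key=KEY):
    """AH-style integrity check value: covers both addresses and the payload,
    with the mutable TTL zeroed, as AH does for fields routers change."""
    covered = (
        ipaddress.IPv4Address(pkt["src"]).packed
        + ipaddress.IPv4Address(pkt["dst"]).packed
        + struct.pack("!B", 0)  # TTL counted as zero: mutable in transit
        + pkt["payload"]
    )
    return hmac.new(key, covered, hashlib.sha256).digest()

def verify(pkt, icv, key=KEY):
    """What the receiving gateway does: recompute and compare."""
    return hmac.compare_digest(ah_icv(pkt, key), icv)

def nat(pkt, public_ip):
    """Source NAT: rewrite the private source address (and decrement TTL)."""
    return {**pkt, "src": public_ip, "ttl": pkt["ttl"] - 1}

def router(pkt):
    """Plain forwarding: only the TTL changes, and AH does not cover it."""
    return {**pkt, "ttl": pkt["ttl"] - 1}

def run_topology(nat_between_gateways):
    """Return True if the far gateway accepts the packet.
    False: clients --- NAT --- SG ---- SG  (NAT outside the IPSEC path)
    True:  clients --- SG --- NAT ---- SG  (NAT rewrites protected headers)"""
    pkt = build_packet("10.0.0.5", "198.51.100.7", 64, b"USER ftp\r\n")  # constructed
    if not nat_between_gateways:
        pkt = nat(pkt, "203.0.113.9")  # NAT happens first ...
        icv = ah_icv(pkt)              # ... then the SG authenticates the result
        pkt = router(pkt)              # ordinary hops only touch TTL
    else:
        icv = ah_icv(pkt)              # SG authenticates the private address ...
        pkt = nat(pkt, "203.0.113.9")  # ... which NAT then rewrites
    return verify(pkt, icv)
```

Plain routers between the gateways are harmless because AH excludes the TTL from the check; NAT between them fails because the source address it rewrites is exactly what the check covers.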