Is NAT Loopback on my router a security problem?

Most consumer-grade routers don't have any prohibition against it; it just doesn't work.

Imagine the following scenario. This isn't hypothetical; just run tcpdump on your own computer and you'll see it happen right now. Captured from my Buffalo ddwrt moments ago just to verify.

Players: [Router: 10.0.0.1] [Computer1: 10.0.0.3] [Computer2: 10.0.0.4]
Outside IP: 99.99.99.99, forwarded to Computer2

  • Computer1 to Router [10.0.0.3 -> 99.99.99.99]

  • Router uses DNAT to change the destination to 10.0.0.4 and pushes it back to the local network:
    Router to Computer2 [10.0.0.3 -> 10.0.0.4]

  • Computer2 attempts to respond to the packet by sending to the source IP.
    Computer2 to Computer1 [10.0.0.4 -> 10.0.0.3]

  • Computer1: WTF?
    Computer1 was expecting a reply from 99.99.99.99, got one from 10.0.0.4 instead. Addresses don't match, connection failure, RST packet sent back.

Now, you ask, why doesn't the router SNAT the connection from Computer1 to the router's internal IP when it DNATs it to Computer2? Because the SNAT rule would make a mess of all the rest of the traffic which doesn't follow the pattern above.

SNAT really should only be used in one direction unless you're willing to put a lot of time and care into crafting and maintaining a NAT ruleset that won't bite you.

And to preempt anyone who says how about this:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -j MASQUERADE

I would point out that this rule would affect not only NAT-loopback traffic but also bridged traffic (e.g. WiFi network to wired network), which would make a WiFi router frustratingly broken. The rule would have to be tailored to match ONLY the loopback traffic, which is slightly more tricky and probably involves marking packets. Not impossible, but not the sort of engineering and debugging that goes into most routers; and certainly fraught with peril.

Glossary:
SNAT = Source NAT (changing the source IP)
DNAT = Destination NAT (changing the destination IP)
NAT = Network Address Translation
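One way to make the loopback case work without the blanket MASQUERADE rule quoted above, as an added example that is not part of the answer, of DD-WRT, or of any router firmware: the SNAT is scoped to connections that conntrack has already DNATed (the `-m conntrack --ctstate DNAT` match) rather than to a source/destination subnet pair, so ordinary LAN-to-LAN and bridged traffic is never rewritten. The addresses and subnet are the ones from the answer; the TCP port, the `IPT` variable (set to `echo` to print the rules instead of loading them) and the function name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the answer's code, not DD-WRT's): NAT loopback rules
# that only SNAT connections conntrack has already DNATed.
# IPT defaults to iptables; IPT=echo prints the rules instead of loading them
# (assumed convention for this script, useful for review before applying).
IPT="${IPT:-iptables}"

# nat_loopback_rules WAN_IP LAN_NET SERVER PORT
nat_loopback_rules() {
    wan_ip="$1"; lan_net="$2"; server="$3"; port="$4"

    # 1. Port forward. Match on the public address, NOT on "-i $WAN_IF":
    #    the hairpinned packet from Computer1 arrives on the LAN interface,
    #    and an interface-bound DNAT rule would never see it.
    $IPT -t nat -A PREROUTING -d "$wan_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$server:$port"

    # 2. Hairpin SNAT. Only packets whose connection was DNATed in step 1
    #    (--ctstate DNAT) and that originate inside the LAN get their source
    #    rewritten to the router's LAN address, so Computer2's reply goes back
    #    through the router and is un-NATed there. Plain LAN-to-LAN and
    #    bridged traffic never carries the DNAT state, so it is untouched;
    #    Internet-origin connections are excluded by -s, so Computer2 still
    #    logs the real address of outside clients.
    $IPT -t nat -A POSTROUTING -s "$lan_net" -d "$server" -p tcp --dport "$port" \
        -m conntrack --ctstate DNAT -j MASQUERADE

    # 3. Let the forwarded flow through a default-DROP FORWARD chain. The
    #    hairpinned packet enters and leaves on the same (LAN) interface;
    #    replies are covered by the usual ESTABLISHED,RELATED rule.
    $IPT -A FORWARD -d "$server" -p tcp --dport "$port" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

# The answer's setup: 99.99.99.99 forwarded to 10.0.0.4, here on TCP/80
# (the port is assumed). Review first, then run as root without IPT=echo:
#   IPT=echo nat_loopback_rules 99.99.99.99 10.0.0.0/24 10.0.0.4 80
```

With these rules the packet walk in the answer changes at step 2: after DNAT the router also rewrites the source to 10.0.0.1, so Computer2 answers the router, the router maps the reply back to 99.99.99.99 -> 10.0.0.3, and Computer1 sees the addresses it expected. A rule of this shape still needs one DNAT/SNAT pair per forwarded port, and the PREROUTING rule must not be restricted to the WAN interface, which is the usual reason hand-written loopback rules silently do nothing.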


Can't find a technical basis for this NAT loopback security issue claim. =)

The only loopback issue that I can remember from my early days was plugging both ends of a Cat5e cable's RJ45 plugs into the same switch and messing up the LAN's connectivity. Back then, we called it a loopback. But that's more of a technical issue than a security issue.