man minewt (Commands) - Userspace NAT/MAT Gateway
NAME
minewt - Userspace NAT/MAT Gateway
SYNOPSIS
minewt [options] -i internal_ip -I external_ip -r default_gateway
PACKAGE
Paketto Keiretsu 1.0
DESCRIPTION
Minewt is a minimal "testbed" implementation of a stateful address translation gateway, rendered so entirely in userspace that not even the hardware addresses of the gateway correspond to what the kernel is operating against. Minewt implements what is commonly referred to as NAT, as well as a Doxpara-developed technique known as MAT. MAT, or MAC Address Translation, allows several backend hosts to share the same IP address, by dropping the static ARP cache and merging Layer 2 information into the NAT state table. Minewt's ability to manipulate MAC addresses also allows it to demonstrate Guerilla Multicast, which allows multiple hosts on the same subnet to receive a unicasted TCP/UDP datastream from the outside world. Minewt is not a firewall, and should not be treated as such: it translates addresses and tracks flows, but enforces no policy on what is allowed through.
OPTIONS
Many options in minewt are relevant both to the internal side (where your backend hosts live) and to the external side (where the rest of the Internet can be accessed). Options are therefore differentiated by capitalization, i.e. -i and -I for the internal or external IP.
MANDATORY ADDRESSES
At minimum, Minewt requires three IP addresses to be specified:
- -i internal_ip
- The internal IP address, which your internal hosts will set as their default gateway.
- -I external_ip
- The external IP address, which is the address the outside world is prepared to communicate with.
- -r default_gateway
- The Default Gateway, which is the upstream router that will route your packets closer to their destination.
GENERAL OPTIONS
- -d / -D device
- Use this Layer 2 device for internal / external traffic.
- -m / -M MAC
- Force the MAC address of the internal / external pseudodevice. Minewt will, by default, use 00:AB:BA:5C:AB:BA for internal and 00:01:56:78:9A:BC for external. Fixed defaults demonstrate the ease with which the minewt process can be suspended and restarted without necessarily dropping the flows it was carrying, since hosts on both sides keep resolving the gateway to the same hardware address. Several symbolic MAC modes are also accepted; see MAC ADDRESS SPECIFICATIONS below.
- -a / -A MAC
- Force the MAC address used when *ARPing* for a given MAC/IP association on the internal / external side. This is usually the same address as the corresponding -m / -M value, but not always.
- -g / -G
- Disable internal / external gratuitous ARP, i.e. announcing the MAC/IP pairing before anyone asks for it.
- -R MAC
- Force MAC address for default gateway.
- -t timeout
- Set the timeout period for stateful connections. Defaults to six minutes. A flow still waiting for its first reply (an initial connection) is given only one tenth of this value.
- -v
- Increase verbosity.
- -l incoming_ip
- Designate one IP address on your internal network to receive all incoming packets that do not correspond to a known entry in the state table. This is roughly analogous to Linksys's DMZ mode.
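The state table behaviour described by the options above (MAT keying on the backend's MAC, the -t timeout with its shorter half-open limit, the -l catch-all host, and the port collision noted under BUGS) can be seen in a small model. The following is an added illustration written for this page, not code from minewt or Paketto Keiretsu; the class and field names, the keying scheme, the port-preserving policy and the addresses used are assumptions chosen to make the behaviour visible.

```python
"""Toy stateful NAT/MAT state table, modelled on minewt's man page text.

Added illustration only, not code from minewt or Paketto Keiretsu. The class
and field names, the keying scheme and the port-preserving policy are
assumptions chosen to make the described behaviour visible.
"""
from dataclasses import dataclass

EXTERNAL_IP = "203.0.113.10"      # constructed: the address given to -I


@dataclass
class Entry:
    src_mac: str        # Layer 2 identity of the backend host: this is what MAT adds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ext_port: int       # port the outside world sees on EXTERNAL_IP
    established: bool = False
    last_seen: float = 0.0


class NatTable:
    """Inside key includes the MAC, so two backends may share one IP (MAT)."""

    def __init__(self, clock, timeout=360.0, dmz_ip=None):
        self.clock = clock          # injectable so expiry can be exercised without sleeping
        self.timeout = timeout      # -t: six minutes by default
        self.dmz_ip = dmz_ip        # -l: catch-all backend for unknown inbound traffic
        self.dmz_mac = None         # learnt only when the DMZ host actually sends through us
        self.by_inside = {}         # (mac, ip, port, dst_ip, dst_port) -> Entry
        self.by_outside = {}        # (dst_ip, dst_port, ext_port)      -> Entry

    def _expire(self):
        now = self.clock()
        for key, e in list(self.by_inside.items()):
            # Flows that never saw a reply get only one tenth of the full timeout.
            limit = self.timeout if e.established else self.timeout / 10
            if now - e.last_seen > limit:
                del self.by_inside[key]
                del self.by_outside[(e.dst_ip, e.dst_port, e.ext_port)]

    def outbound(self, src_mac, src_ip, src_port, dst_ip, dst_port):
        """Packet from a backend host; returns the rewritten (src_ip, src_port)."""
        self._expire()
        if src_ip == self.dmz_ip:
            self.dmz_mac = src_mac  # now we know which MAC the DMZ host answers on
        key = (src_mac, src_ip, src_port, dst_ip, dst_port)
        e = self.by_inside.get(key)
        if e is None:
            # Assumption: the source port is kept unchanged on the outside, which is
            # exactly why BUGS warns about two backends colliding on the same port.
            out_key = (dst_ip, dst_port, src_port)
            if out_key in self.by_outside:
                raise RuntimeError(f"external port collision on {out_key}")
            e = Entry(src_mac, src_ip, src_port, dst_ip, dst_port, src_port)
            self.by_inside[key] = e
            self.by_outside[out_key] = e
        e.last_seen = self.clock()
        return EXTERNAL_IP, e.ext_port

    def inbound(self, src_ip, src_port, dst_port):
        """Packet from outside to EXTERNAL_IP:dst_port; returns (mac, ip, port) or None."""
        self._expire()
        e = self.by_outside.get((src_ip, src_port, dst_port))
        if e is not None:
            e.established = True
            e.last_seen = self.clock()
            return e.src_mac, e.src_ip, e.src_port
        if self.dmz_ip is not None and self.dmz_mac is not None:
            return self.dmz_mac, self.dmz_ip, dst_port
        return None                 # unknown flow and no reachable DMZ host: drop it


def demo():
    """Two MAT backends sharing 10.0.0.5, a port collision, DMZ, and a half-open timeout."""
    now = [1000.0]                  # constructed clock, advanced by hand
    tbl = NatTable(clock=lambda: now[0], dmz_ip="10.0.0.9")
    r = {}
    r["a"] = tbl.outbound("00:11:22:33:44:01", "10.0.0.5", 40000, "198.51.100.7", 80)
    r["b"] = tbl.outbound("00:11:22:33:44:02", "10.0.0.5", 40001, "198.51.100.7", 80)
    r["back_a"] = tbl.inbound("198.51.100.7", 80, 40000)   # reply reaches host 1's MAC
    r["back_b"] = tbl.inbound("198.51.100.7", 80, 40001)   # reply reaches host 2's MAC
    try:
        tbl.outbound("00:11:22:33:44:02", "10.0.0.5", 40000, "198.51.100.7", 80)
        r["collision"] = False
    except RuntimeError:
        r["collision"] = True
    r["dmz_before"] = tbl.inbound("198.51.100.7", 443, 5555)  # DMZ MAC not learnt yet
    tbl.outbound("00:11:22:33:44:09", "10.0.0.9", 1234, "198.51.100.7", 443)
    r["dmz_after"] = tbl.inbound("198.51.100.7", 443, 5555)
    tbl.outbound("00:11:22:33:44:05", "10.0.0.5", 40002, "198.51.100.7", 80)  # never answered
    now[0] += 37.0                  # past timeout/10 (36 s) but well inside 360 s
    r["half_open"] = tbl.inbound("198.51.100.7", 80, 40002)   # expired, so falls to the DMZ host
    r["still_a"] = tbl.inbound("198.51.100.7", 80, 40000)     # established flow survives
    return r
```

Two things worth noticing in demo(): the two backends on 10.0.0.5 are told apart purely by MAC, which is the whole point of MAT, and the unknown inbound packet is dropped until the DMZ host has sent something through the gateway, which is the -l limitation recorded under BUGS.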
EXPERIMENTS
- -s / -S
- Embed NAT state in IP Timestamps. Instead of storing which host had which connection before the translation destroyed that information, embed it in the extra entropy extractable from the existing IP Timestamp option. Since IP timestamps are reflected back to the party that requested them, traffic that returns to minewt can be examined and routed correctly. This implementation is extremely weak, trivially hackable, and possibly insecure: the state rides in a packet field that the remote peer, or anyone able to inject packets, controls. It's here for demonstration purposes only. -s sends a mode 3 (prespecified-address) timestamp, overloaded with new content. -S sends a mode 4 timestamp, a mode that doesn't actually exist -- and which therefore behaves much more like we'd like it to.
- -F
- Enable fragment-spread IP Timestamps. This is a total hack -- IP fragments are the bane of any stateful analysis system, and Minewt is no exception. Some IP options are copied into every fragment, but the IP timestamp option isn't one of them. It could be, though: one bit of the option type byte (the "copied" flag) determines whether an option is copied into every fragment, and the remaining bits determine the option's class and number. So we just set that bit and see what happens.
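To make the two experiments concrete, here is the IP Timestamp option format (RFC 791, option number 4) with one way of parking a 32-bit state tag in a prespecified-address slot, what a standards-following host does with such an option, and the copied bit that -F sets. This is an added illustration for this page, not minewt's code: the page does not document the layout minewt actually uses, so embed_state()/recover_state() and the function names are assumptions; the constructed tag values are arbitrary.

```python
"""IP Timestamp option (RFC 791, option number 4) as a carrier for NAT state.

Added illustration of the -s/-S/-F experiments; not minewt's code, and the
layout minewt actually uses is not documented on this page. Shown here:
the option format, one assumed way to park a 32-bit state tag in a
"prespecified address" slot, what a standards-following host does with it,
and the copied bit that -F sets.
"""
import struct

IPOPT_TIMESTAMP = 0x44   # copied=0, class=2 (debugging/measurement), number=4
IPOPT_COPIED = 0x80      # high bit of the type byte: copy option into every fragment


def option_type_fields(t):
    """Split an option type byte into (copied, class, number)."""
    return (t >> 7) & 1, (t >> 5) & 3, t & 0x1F


def build_timestamp_option(flag, slots, copied=False):
    """flag 0: slots are timestamps; flags 1/3 (and the nonexistent 4): (addr4, ts)."""
    if not 0 <= flag <= 15:
        raise ValueError("flag is a 4-bit field")
    body = b""
    for s in slots:
        body += struct.pack("!I", s) if flag == 0 else s[0] + struct.pack("!I", s[1])
    length = 4 + len(body)
    if length > 40:
        raise ValueError("IP options are limited to 40 bytes")
    t = IPOPT_TIMESTAMP | (IPOPT_COPIED if copied else 0)
    return bytes([t, length, 5, flag]) + body      # pointer 5 = first free byte, oflw 0


def parse_timestamp_option(opt):
    if len(opt) < 4 or opt[0] & 0x1F != 4:         # number 4 regardless of the copied bit
        raise ValueError("not a timestamp option")
    length, pointer, flag = opt[1], opt[2], opt[3] & 0x0F
    if length != len(opt):
        raise ValueError("length mismatch")
    body, step = opt[4:], 4 if flag == 0 else 8
    slots = []
    for i in range(0, len(body), step):
        chunk = body[i:i + step]
        slots.append(struct.unpack("!I", chunk)[0] if flag == 0
                     else (chunk[:4], struct.unpack("!I", chunk[4:])[0]))
    return {"copied": bool(opt[0] & IPOPT_COPIED), "flag": flag,
            "length": length, "pointer": pointer, "slots": slots}


def host_visit(opt, host_addr, now):
    """What an RFC 791 host does to a flag-3 option: stamp only if its address matches.

    Simplified: other flags and the overflow counter are left untouched here."""
    p = parse_timestamp_option(opt)
    b = bytearray(opt)
    ptr = p["pointer"]                               # 1-based offset of the next slot
    if p["flag"] != 3 or ptr + 7 > p["length"]:      # not mode 3, or option already full
        return bytes(b)
    if b[ptr - 1:ptr + 3] == host_addr:
        b[ptr + 3:ptr + 7] = struct.pack("!I", now)
        b[2] = ptr + 8
    return bytes(b)


def embed_state(tag, flag=3, copied=False):
    """Assumed encoding: the 32-bit tag sits in the address slot of a one-entry option."""
    return build_timestamp_option(flag, [(struct.pack("!I", tag), 0)], copied)


def recover_state(opt):
    p = parse_timestamp_option(opt)
    if p["flag"] == 0 or not p["slots"]:
        return None
    return struct.unpack("!I", p["slots"][0][0])[0]
```

Why a mode 3 option survives the trip: a host only writes a timestamp when the prespecified address is its own, and a state tag is not anybody's address, so the slot comes back unchanged. The same property is the weakness the page warns about: whoever sends the packet chooses the tag, and nothing authenticates it.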
MAC ADDRESS SPECIFICATIONS
- [MAC] = R
- Use a fully random MAC address, with the first byte set to 0 for compatibility: 00:??:??:??:??:??
- [MAC] = B
- Use the broadcast MAC address: (FF:FF:FF:FF:FF:FF)
- [MAC] = M
- Use a prespecified multicast address: (01:00:5E:11:22:33)
- [MAC] = MR
- Use a random multicast address: (01:00:5E:??:??:??)
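The specifiers above expand to concrete addresses as follows. This is an added illustration, not minewt's own parser; mac_from_spec() follows the table, and ipv4_groups_for_mac() goes one step beyond the page to show which IPv4 multicast groups a 01:00:5E MAC corresponds to (RFC 1112 maps the low 23 bits of the group address into the MAC), which is what makes the M / MR frames deliverable to hosts that have joined one of those groups. The helper names are assumptions.

```python
"""Expanding the R / B / M / MR specifiers accepted by -m, -M, -a, -A and -R.

Added illustration, not minewt's own parser. ipv4_groups_for_mac() is an
addition showing which IPv4 multicast groups the 01:00:5E prefix maps to
(RFC 1112 uses the low 23 bits of the group address).
"""
import os


def mac_from_spec(spec):
    """Return 6 bytes for R, B, M, MR, or a literal aa:bb:cc:dd:ee:ff."""
    spec = spec.strip()
    if spec == "R":
        return b"\x00" + os.urandom(5)   # first byte 0: I/G and U/L bits both clear
    if spec == "B":
        return b"\xff" * 6
    if spec == "M":
        return bytes.fromhex("01005e112233")
    if spec == "MR":
        return bytes.fromhex("01005e") + os.urandom(3)
    parts = spec.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC spec: {spec!r}")
    return bytes(int(p, 16) for p in parts)


def fmt(mac):
    return ":".join(f"{b:02x}" for b in mac)


def is_group(mac):
    """I/G bit of the first byte: set for multicast and broadcast frames."""
    return bool(mac[0] & 0x01)


def ipv4_groups_for_mac(mac):
    """All IPv4 multicast groups that map onto this 01:00:5E MAC.

    Only 23 bits of the group address survive the mapping, so 32 groups
    (16 first octets x 2 values of the dropped second-octet bit) share one MAC.
    A 01:00:5E MAC whose fourth byte has its high bit set maps to no group."""
    if mac[:3] != b"\x01\x00\x5e" or mac[3] & 0x80:
        return []
    return [f"{first}.{mac[3] | high}.{mac[4]}.{mac[5]}"
            for first in range(224, 240) for high in (0, 0x80)]
```

A random MR address has a 50% chance of setting the high bit of its fourth byte, in which case no IPv4 group maps to it; whether that matters depends on whether the receiving hosts filter on the group address or just on the frame's destination MAC.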
BUGS
Minewt will eventually fail when two hosts behind the NAT attempt to contact the same outside host -- sooner or later their local ports will collide, and ugliness will commence. Also, the state table lookups are pretty horrifyingly inefficient. Finally, -l's DMZ mode only works if the target is actively routing through minewt -- we don't double NAT (yet).
AUTHOR
This work has been done by Dan Kaminsky of DoxPara Research, who may be reached at dan@doxpara.com.