forked from kohler/click
-
Notifications
You must be signed in to change notification settings - Fork 0
/
thomer-nat.click
142 lines (118 loc) · 5.22 KB
/
thomer-nat.click
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
// This Click configuration implements a firewall and NAT, roughly based on the
// mazu-nat.click example.
//
// This example assumes there is one interface that is IP-aliased. In this
// example, eth0 and eth0:0 have IP addresses 66.68.65.90 and 192.168.1.1,
// respectively. There is a local network, 192.168.1.0/24, and an upstream
// gateway, 66.58.65.89. Traffic from the local network is NATed.
//
// Connections can be initiated from the NAT box itself, also.
//
// For bugs, suggestions, and, corrections, please email me.
//
// Author: Thomer M. Gil (click@thomer.com)
AddressInfo(
eth0-in 192.168.1.1 192.168.1.0/24 00:0d:87:9d:1c:e9,
eth0-ex 66.58.65.90 00:0d:87:9d:1c:e9,
gw-addr 66.58.65.89 00:20:6f:14:54:c2
);
elementclass SniffGatewayDevice {
$device |
from :: FromDevice($device)
-> t1 :: Tee
-> output;
input -> q :: Queue(1024)
-> t2 :: PullTee
-> to :: ToDevice($device);
t1[1] -> ToHostSniffers;
t2[1] -> ToHostSniffers($device);
ScheduleInfo(from .1, to 1);
}
device :: SniffGatewayDevice(eth0);
arpq_in :: ARPQuerier(eth0-in) -> device;
ip_to_extern :: GetIPAddress(16)
-> CheckIPHeader
-> EtherEncap(0x800, eth0-ex, gw-addr)
-> device;
ip_to_host :: EtherEncap(0x800, gw-addr, eth0-ex)
-> ToHost;
ip_to_intern :: GetIPAddress(16)
-> CheckIPHeader
-> arpq_in;
arp_class :: Classifier(
12/0806 20/0001, // [0] ARP requests
12/0806 20/0002, // [1] ARP replies to host
12/0800); // [2] IP packets
device -> arp_class;
// ARP crap
arp_class[0] -> ARPResponder(eth0-in, eth0-ex) -> device;
arp_class[1] -> arp_t :: Tee;
arp_t[0] -> ToHost;
arp_t[1] -> [1]arpq_in;
// IP packets
arp_class[2] -> Strip(14)
-> CheckIPHeader
-> ipclass :: IPClassifier(dst host eth0-ex,
dst host eth0-in,
src net eth0-in);
// Define pattern NAT
iprw :: IPRewriterPatterns(NAT eth0-ex 50000-65535 - -);
// Rewriting rules for UDP/TCP packets
// output[0] rewritten to go into the wild
// output[1] rewritten to come back from the wild or no match
rw :: IPRewriter(pattern NAT 0 1,
pass 1);
// Rewriting rules for ICMP packets
irw :: ICMPPingRewriter(eth0-ex, -);
irw[0] -> ip_to_extern;
irw[1] -> icmp_me_or_intern :: IPClassifier(dst host eth0-ex, -);
icmp_me_or_intern[0] -> ip_to_host;
icmp_me_or_intern[1] -> ip_to_intern;
// Rewriting rules for ICMP error packets
ierw :: ICMPRewriter(rw irw);
ierw[0] -> icmp_me_or_intern;
ierw[1] -> icmp_me_or_intern;
// Packets directed at eth0-ex.
// Send it through IPRewriter(pass). If there was a mapping, it will be
// rewritten such that dst is eth0-in:net, otherwise dst will still be for
// eth0-ex.
ipclass[0] -> [1]rw;
// packets that were rewritten, heading into the wild world.
rw[0] -> ip_to_extern;
// packets that come back from the wild or are not part of an established
// connection.
rw[1] -> established_class :: IPClassifier(dst host eth0-ex,
dst net eth0-in);
// not established yet or returning packets for a connection that was
// established from this host itself.
established_class[0] ->
firewall :: IPClassifier(dst tcp port ssh,
dst tcp port smtp,
dst tcp port domain,
dst udp port domain,
icmp type echo-reply,
proto icmp,
port > 4095,
-);
firewall[0] -> ip_to_host; // ssh
firewall[1] -> ip_to_host; // smtp
firewall[2] -> ip_to_host; // domain (t)
firewall[3] -> ip_to_host; // domain (u)
firewall[4] -> [0]irw; // icmp reply
firewall[5] -> [0]ierw; // other icmp
firewall[6] -> ip_to_host; // port > 4095, probably for connection
// originating from host itself
firewall[7] -> Discard; // don't allow incoming for port <= 4095
// established connection
established_class[1] -> ip_to_intern;
// To eth0-in. Only accept from inside network.
ipclass[1] -> IPClassifier(src net eth0-in) -> ip_to_host;
// Packets from eth0-in:net either stay on local network or go to the wild.
// Those that go into the wild need to go through the appropriate rewriting
// element. (Either UDP/TCP rewriter or ICMP rewriter.)
ipclass[2] -> inter_class :: IPClassifier(dst net eth0-in, -);
inter_class[0] -> ip_to_intern;
inter_class[1] -> ip_udp_class :: IPClassifier(tcp or udp,
icmp type echo);
ip_udp_class[0] -> [0]rw;
ip_udp_class[1] -> [0]irw;