Openwrt NAT ALG
Openwrt NAT ALG
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_nat
sipp ( SIP test tool )
https://github.com/SIPp/sipp
https://sipp.readthedocs.io/en/latest/
https://tomeko.net/other/SIPp-MinGW/index.php
NAT ALG ( FTP SIP PPTP )
https://forum.openwrt.org/t/sip-alg-on-openwrt/88062
install kerner mod
root@OpenWrt:~# opkg install kmod-nf-nathelper-extra
enable configuration
root@OpenWrt:~# cat /etc/sysctl.d/11-nf-conntrack.conf
net.netfilter.nf_conntrack_helper=1View dynamic connection sessions
root@OpenWrt:~# cat /proc/net/nf_conntrack
NAT Slipstream attack
https://www.armis.com/research/nat-slipstreaming-v20/
Are slipstream attacks possible through an OpenWRT router with the default configuration? It seems the NAT slipstream attack was announced the day before yesterday. In short, it is described as an attack on web browsers behind Application-level Gateway (ALG) capable routers. I do not fully understand whether that applies to OpenWRT or not. What I did learn and understand is that according to Wikipedia, ALG is in netfilter on Linux. Unfortunately I could not detuct the answer to my question fro…
With the package kmod-nf-nathelper-extra which I use for proto_gre (and also unfortunately loads sip helper modules) the router is vulnerable as tested on this site: http://samy.pl/slipstream/server So at the moment, the best course of action is to NOT use any NAT helper modules.
As described above, the new variant to the NAT Slipstreaming attack is comprised of two primitives, the first explores the H.323 ALG, and the second expands the attack surface of the various NAT ALGs reachable from a browser, by abusing the WebRTC TURN server API via Javascript. However, the actual risk imposed by this attack depends on the interaction between the second-stage traffic generated via different browser primites, and the specific implementation of targeted NAT. Not all NATs support all ALGs, or enable them by default, and actual implementations of NAT ALGs differ greatly, and can limit potential attack in different ways.
We performed several tests, to establish the effects of abusing the above techniques against the implementation of various ALGs from various router/firewall vendors. Many of the commercial or open source router/firewall offerings allow an evaluation of their product in the shape of a VM, that runs the exact same software as the real product. We conducted most of our testing on such VMs.
It should be noted that on Linux, from kernel version 4.14 upwards, “default automatic helper assignment has been turned off for security reasons” (helper meaning ALG in this context). This disables the exact behaviour that we are exploiting. This is very good, however, many consumer grade routers run older kernels, and some of the more updated Linux based products re-enable this disabled feature using the “/proc/sys/net/netfilter/nf_conntrack_helper” flag, as it is still useful for many users.
OpenWRT, a Linux based router distribution, with kernel 4.14+
Current versions are not affected. The netfilter conntrack ALG modules are not shipped.
Even if the package is installed, the “automatic assignment” is still disabled.
Siproxd configuration
https://openwrt.org/docs/guide-user/services/voip/siproxd
Siproxd is a proxy/masquerading daemon for the SIP protocol. It handles registrations of SIP clients on a private IP network and performs rewriting of the SIP message bodies to make SIP connections work via an masquerading firewall (NAT). It allows SIP software clients (like kphone, linphone) or SIP hardware clients (Voice over IP phones which are SIP-compatible) to work behind an IP masquerading firewall or NAT router.
In /etc/config/siproxd you can configure Siproxd. You can add to the default configuration to setup the plugins that you'd like to use. For example to load and configure the regex plugin something along the following lines would be appropriate:
# Load regex plugin and define some replacement rules to ensure that # local and domestic numbers without area/country code are dialled # properly: list load_plugin 'plugin_regex.so' # International calls, prefix 00 converted to +: # 00 385 1 123456 -> +385 1 123456 list plugin_regex_desc = 'Intl' list plugin_regex_pattern = '^(sips?:)00' list plugin_regex_replace = '\1+' # Domestic calls to a different area code, drop the 0 and prefix with # country code added: # 01 123456 -> +385 1 123456 list plugin_regex_desc = 'Domestic' list plugin_regex_pattern = '^(sips?:)0' list plugin_regex_replace = '\1+385' # Local calls without an area code - prefix with country code + local # area code: # 123456 -> +385 1 123456 list plugin_regex_desc = 'Local' list plugin_regex_pattern = '^(sips?:)' list plugin_regex_replace = '\1+3851'
============= End
