# Can my ISP block my own internet sharing with NAT?

## Mroofka

Hi

I have a box with an IP from my ISP and I want to set up NAT to allow my second computer access to the internet. It should be easy to do with iptables. However, I've recently heard that there is some way to deny computers on my home network (behind my NAT) the use of my ISP's internet connection. This means that settings like this (on the ISP server) will allow connections only from my box, but nothing which comes from my home network.

I wonder if there really is any way to block users from making their own NAT at home, and how exactly it's done?

Of course, if it's possible I would like to know how to cheat my ISP and do some internet sharing at home :Smile: ?

ISP server--->my box -- my NAT--> other computer at my home 

Regards

----------

## blu3bird

Your ISP cannot.

Some ISPs forbid NAT in their EULA, but there is no way for them to detect whether you are running NAT or not.

----------

## think4urs11

 *blu3bird wrote:*   

> Your ISP cannot ... there is no way for them to detect whether you are running NAT or not.

 

Plain wrong. NAT detection is very well possible from outside by analyzing the traffic: TTL, IP-ID, timestamps and other options in the IP headers.

OpenBSD has made some effort with their pf firewall to prevent this kind of detection though.

----------

## Mroofka

Any other opinions will be nice.

Think4UrS11, thanks for the answer. Could you just give me more specific information about this? What should I look for on the internet, any keywords or maybe links to websites?

Regards

----------

## think4urs11

sure   :Wink: 

http://www.google.com/search?hl=de&q=detect+nat&btnG=Google-Suche&meta=

http://www.research.att.com/~smb/papers/fnat.pdf

http://lcamtuf.coredump.cx/p0f.shtml

----------

## Mroofka

 :Embarassed:  ok... that was painful and embarrassing -- detect + nat  :Wink: 

Next time I'll think harder while searching on Google  :Razz: 

Regards

----------

## nielchiano

 *Think4UrS11 wrote:*   

> NAT detection is very well possible from outside by analyzing the traffic: TTL, IP-ID, timestamps and other options in the IP headers.
> 
> 

 

No it's NOT!

The things you mention CAN be caused by NAT, but don't have to be. All my servers have random IP-IDs. Also, their TTLs are set to a "non-standard" number (i.e. not 255, 128 or 64, but more like 87).

As for timestamps: if you keep all machines NTP-synchronized, this will be undetectable.

But I do agree that for most "regular" users, simple IP-ID analysis will reveal them.

----------

## think4urs11

 *nielchiano wrote:*   

> The things you mention CAN be caused by NAT, but don't have to be. All my servers have random IP-IDs.

 

As long as ALL your servers behind your NAT router have TRULY RANDOM IP-IDs (not the pseudo-randomization which most OSes use), OR your NAT gateway scrambles ALL the IDs by itself, I do agree. Otherwise it would still be possible to find some patterns which can tell the observer how many machines are NATted there. (What about, e.g., a Windows machine behind your NAT router? How do you change IP-ID handling there?)

See http://www.cs.columbia.edu/~smb/papers/fnat.pdf (old but still valid).

Only some commercial NAT routers rewrite the IP-ID at all.

Next possible way to detect NAT:

Some hosts never use Path MTU Discovery; some use it only for TCP. A NAT that treated DF packets differently than non-DF packets for the same protocol would thus leak the fact that at least two different policies exist behind it. Therefore, to preserve privacy, the NAT should do the same thing (send a unique IP-ID field) on all packets.

At the end of the day it is non-trivial to handle ALL possible ways to detect a NAT device.

Plus of course the possibilities other protocols give (e.g. checking your ISP bill online on their website: did you block all possible ways on your proxy/gateway for the server side to ask the web browser about its own IP address? JavaScript/ActiveX, Java, ...)

BTW: yes, I'm paranoid   :Rolling Eyes: 

----------

## Mroofka

 *Quote:*   

> What about, e.g., a Windows machine behind your NAT router? How do you change IP-ID handling there?

 

I'm curious too!!??

Regards

----------

## nielchiano

 *Think4UrS11 wrote:*   

>  *nielchiano wrote:*   The things you mention CAN be caused by NAT, but don't have to be. All my servers have random IP-IDs. 
> 
> As long as ALL your servers behind your NAT router have TRULY RANDOM IP-IDs (not the pseudo-randomization which most OSes use), OR your NAT gateway scrambles ALL the IDs by itself, I do agree. Otherwise it would still be possible to find some patterns which can tell the observer how many machines are NATted there. (What about, e.g., a Windows machine behind your NAT router? How do you change IP-ID handling there?)
> 
> See http://www.cs.columbia.edu/~smb/papers/fnat.pdf (old but still valid).
> ...

 

I totally agree with you that there are dozens of facts that CAN be caused by NAT, but can also be caused by something else.

As for the example of the 2 PMTU policies: a possible explanation would be a dual-boot system. (Yet it won't explain when both behaviours happen within a timespan of seconds.)

It all boils down to statistics: there is a chance that your truly random IP-IDs might look like the combination of 2 incrementing IP-IDs. But statistics point out that you're probably just NATting...

But even if you combine some random-IP-ID machines with some "regular" ones: the resulting IP-ID stream will look random enough at first sight.

But again: I'm not saying that NAT is undetectable, I'm just saying that, if you're well informed, you can come up with "alternative" causes for the behaviour. Which might be good enough to get the new tech guy over at your ISP off your ass.

But if they really want to get you... you'd better get paranoid and completely rewrite the whole packet...

----------
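The two posts above argue about what an observer on the ISP side can actually see: interleaved incrementing IP-ID counters (one per host), distinct initial TTLs, and the counter-measures of randomized IP-IDs and non-default TTLs. The following is an added example written for this page, not code from the thread, from p0f, or from the fnat paper. It is a toy reimplementation of the IP-ID chaining idea over a constructed list of header fields (the `Hdr` records, the `SAMPLE` data and all function names are assumptions); in practice the fields would come from a capture tool, and the same chaining applies to TCP timestamp clocks, which are omitted here. Note how host C, with randomized IP-IDs and an unusual TTL, leaves only singleton chains and is mis-binned to a default TTL, which is exactly the ambiguity nielchiano describes.

```python
"""Toy passive NAT detection over constructed IP header samples (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hdr:
    ts: float   # capture time in seconds (constructed value)
    ip_id: int  # 16-bit IP Identification field
    ttl: int    # TTL as seen on the ISP side of the link


COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed: int) -> int:
    """Guess the sender's initial TTL as the smallest common default that is
    >= the observed value (each router hop decrements TTL by one). A host
    using a non-default initial TTL (e.g. 87) is mis-binned here, which is
    precisely the counter-measure raised in the thread."""
    for t in COMMON_INITIAL_TTLS:
        if observed <= t:
            return t
    return 255


def chain_ip_ids(hdrs, max_step=64):
    """Split packets seen from one public address into incrementing IP-ID
    chains. Each packet, in capture order, joins the chain whose last id is
    the closest one at most max_step below it (mod 2^16); otherwise it starts
    a new chain. A stack with a global incrementing counter yields one long
    chain per host; a randomizing stack yields mostly singleton chains."""
    chains = []  # each chain is a list of (ip_id, ttl)
    for h in sorted(hdrs, key=lambda x: x.ts):
        best, best_gap = None, None
        for c in chains:
            gap = (h.ip_id - c[-1][0]) % 65536
            if 1 <= gap <= max_step and (best_gap is None or gap < best_gap):
                best, best_gap = c, gap
        if best is None:
            chains.append([(h.ip_id, h.ttl)])
        else:
            best.append((h.ip_id, h.ttl))
    return chains


def analyze(hdrs, min_len=3, max_step=64):
    """Combine the IP-ID chain count with the number of distinct guessed
    initial TTLs into a rough host estimate for the address."""
    chains = chain_ip_ids(hdrs, max_step)
    long_chains = [c for c in chains if len(c) >= min_len]
    unchained = sum(len(c) for c in chains if len(c) < min_len)
    ttl_guesses = {initial_ttl(h.ttl) for h in hdrs}
    hosts = max(len(long_chains), len(ttl_guesses), 1)
    return {
        "ipid_chains": len(long_chains),
        "unchained_packets": unchained,   # randomized or too-sparse IDs
        "initial_ttls": sorted(ttl_guesses),
        "hosts_estimate": hosts,
        "nat_suspected": hosts > 1,
    }


# Constructed sample: three hosts sharing one public address, 7 hops away.
SAMPLE = [
    # host A: incrementing IP-ID counter, initial TTL 64 (observed 57)
    Hdr(0.00, 1000, 57), Hdr(0.20, 1001, 57), Hdr(0.55, 1002, 57),
    Hdr(0.90, 1003, 57), Hdr(1.30, 1004, 57),
    # host B: its own counter, initial TTL 128 (observed 121)
    Hdr(0.10, 40000, 121), Hdr(0.40, 40003, 121), Hdr(0.70, 40005, 121),
    Hdr(1.10, 40008, 121),
    # host C: randomized IP-IDs and a non-default initial TTL (observed 80)
    Hdr(0.30, 12345, 80), Hdr(0.80, 53213, 80), Hdr(1.20, 2999, 80),
]

if __name__ == "__main__":
    for chain in chain_ip_ids(SAMPLE):
        print("chain:", [i for i, _ in chain])
    print(analyze(SAMPLE))
```

Running it reports two long chains (hosts A and B), three unchained packets from host C, and guessed initial TTLs of 64 and 128, so the estimate is two hosts even though three are present: the randomized stack is invisible to this particular heuristic, while the two stock stacks are not.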

## think4urs11

 *nielchiano wrote:*   

> ...but again: I'm not saying that NAT is undetectable...

 

well...   :Wink: 

 *nielchiano wrote:*   

> ...there is no way for them to detect whether you are running NAT or not...

 

Back to being serious... 

I think we can agree now that it is possible - tricky in some cases, maybe just due to some weird statistics, but nevertheless, from an observer's point of view, 'more possible' than any other explanation for an observed behaviour.

And there are cases where you can't hide effectively, e.g. for Windows machines; at least I am not aware of a way to change its IP stack (on a production machine) at a level as low down in the IP stack as would be needed for that. (Setting aside the possibility of using a NAT gateway in front which does the job.)

So for the original question the answer should be something like:

'Yes, it is possible, but if you try to cheat them you'd better know your business better than their network wizards do, and be prepared to handle all possible technical issues which come up due to this cheating by yourself.'

----------

## Mroofka

So far I've learned one thing: that FreeBSD is better than Gentoo for internet sharing. I hope that in my case the ISP won't be very aggressive and will use only the simplest ways to discover and disable my NAT. Ways which I'll be able to cheat.

I assume that there is no way to make the IP-IDs on Gentoo??

Regards

----------

## nielchiano

 *Mroofka wrote:*   

> I assume that there is no way to make the IP-IDs on Gentoo??

 

The grsecurity patches allow you to have random IP-IDs in your IP stack. What it does to NATed packets: I don't know...

I think I'll try it to find out.... but then again... I have an exam tomorrow.... better not...

----------

## lbrtuk

 *Mroofka wrote:*   

> So far I've learned one thing: that FreeBSD is better than Gentoo for internet sharing.

 

No - OpenBSD. They are not the same thing.

----------

## virco

Most of the time, ISPs just set the TTL of packets going from their routers to you to 1. 

I fix this with:

```sh
# Rewrite the TTL of incoming packets that arrive with TTL < 2 so they can
# still be forwarded to the other machines at home (mangle table, PREROUTING).
iptables -t mangle -A PREROUTING -i eth1 -m ttl --ttl-lt 2 -j TTL --ttl-set 64
```

where eth1 is the interface connected to the ISP.

You should have TTL target and TTL match support compiled into the kernel or as modules.

----------

## Mroofka

I've found exactly what I need, but unfortunately the project is very old and nearly useless today:

The newest version is for kernel 2.4.18

http://ippersonality.sourceforge.net/index.html

Maybe somebody knows something like this which is designed for 2.6 kernels?

Regards

----------

## skyfolly

My ISP has been able to detect how many PCs I have been using on the ADSL line (6 of them); ever since, they have locked down my connection and set the limit to one PC. After fighting with them, they said they could give me 3, wtf.

I am still looking for ways to bypass their trick.

----------

