FYI.

More info at this link

http://www.securityfocus.com/bid/1078

Jason Brown



SecurityFocus.com: Multiple Linux Vendor 2.2.x Kernel IP Masquerading
Vulnerabilities Apr 27, 2000, 00:47 UTC (0 Talkbacks) (463 reads)

[ Thanks to Gene Wilburn for this link. ] 

"A serious vulnerability exists in the IP Masquerading code present in, but not necessarily limited to, 
the 2.2.x Linux kernel. Due to poor checking of connections in the kernel
code, an attacker can potentially rewrite the UDP masquerading entries, making
it possible for UDP packets to be routed back to the internal machine." 

"The IP masquerading code only uses destination ports to determine if a packet 
from the external network is to be forwarded to the internal network. It then
sets the remote host and port in its tables to the source address and port of
the incoming packet. The attacker needs to determine the local port on the masq
gateway to be able to rewrite the table with their own address and port. As the
range of ports used to masquerade connections is small, from 6100 to 65096 for
both UDP and TCP, it becomes fairly easy for an external host to determine the
ports in use...."