LinuxQuestions.org forum: Linux - Networking
I'm building a Linux router with WAN and LAN interfaces (classic LAN access to the internet, with a web server on the LAN).
I see a lot of tutorials describing how to enable masquerading, then allow traffic to be forwarded between the WAN and LAN interfaces, and I think I understand it well.
But there is a case that I didn't see covered, and I am wondering if it is a valid concern.
Let's say the WAN is 10.1.1.0/24 and the LAN is 192.168.1.0/24. My WAN interface will get assigned IP 10.1.1.100.
What if my WAN interface receives a packet for 192.168.1.2? My guess is that the packet will get forwarded into my LAN, right?
This case could happen if another user on 10.1.1.0/24 (let's say that guy is 10.1.1.200) adds a route for 192.168.1.0/24 -> GW(10.1.1.100).
This would mean that another customer of my ISP (or even my ISP directly) could access my whole private network? I'm guessing that my ISP would
have rules that would prevent that, but you can never be too sure.
So I would need a rule in PREROUTING that drops all traffic destined to 192.168.1.0/24 incoming on the WAN interface. That rule would obviously need to be before the DNAT rules that forward to my web server and other servers.
Is that a valid concern? Or am I making a big mistake somewhere?
It seems it is impossible to create such a rule. iptables doesn't allow DROP in the POSTROUTING chain.
I tried to create this scenario and it is indeed an issue.
With a bunch of hardware I was able to simulate what would be my ISP's router. Suppose my ISP creates a route such as "whatever wants to go to 192.168.1.0/24 gets forwarded to the GW at a.b.c.d", where a.b.c.d is my WAN IP. It worries me because no one talks about that, so I am guessing a lot of people have that hole. Of course, to exploit that, one would need to be on the same subnet as their WAN subnet.
The packet does go through my WAN interface and travels down to any host in my LAN. I want to avoid this with something like: iptables -t nat -A PREROUTING -i eth0 -j DROP -d 192.168.1.0/24. This would make sense because I am only expecting traffic destined to the WAN address on that interface.
I can't add the rule in the FORWARD chain because in POSTROUTING, I do some DNAT, so those port-redirect would match and get dropped.
I think this is what you mean. Your issue is how packets move based on what you suspect is an IP deal, but I think you also have MAC addressing going on, so your client won't be exactly the same as some client on the ISP.
However, depending on your ISP, you could be exposing your LAN (everyone) to others who are in your area. Also, there are automated bots that peek and poke at every connection to see how far they can get.
What I ended up doing, and I am surprised that there are no other ways, is to "mark" the packets incoming on the WAN interface that are destined to the local subnet. The mangle rule happens before the nat rules, so the match will be done before DNAT.
Code:
# mangle PREROUTING runs before nat PREROUTING, so the mark is set on the
# original (pre-DNAT) destination of anything arriving on the WAN for a private address
iptables -t mangle -A PREROUTING -i $WANPORT -d 192.168.0.0/16 -j MARK --set-mark 242
Then, from the FORWARD chain, I drop those packets.
Code:
# in the filter table, drop WAN packets that carried the mark (the -j before DROP is required)
iptables -A FORWARD -i $WANPORT -m mark --mark 242 -j DROP
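Added example, not code posted in this thread: a complete minimal ruleset for the router described in the first post, which closes the WAN-to-LAN routing hole discussed above without the mark trick. It uses the raw table (which, unlike the nat table, does accept DROP and is traversed before nat PREROUTING) for the early drop, and the conntrack DNAT state in FORWARD so port-forwarded connections are still let in. Interface names wan0 and lan0, the web server address 192.168.1.10, the APPLY variable and the ipt wrapper are assumptions made for this example; the 192.168.1.0/24 prefix is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the rules by default; run with
# APPLY=1 as root to execute them. All names below are assumptions.
WAN=wan0                 # assumed WAN interface name
LAN=lan0                 # assumed LAN interface name
LAN_NET=192.168.1.0/24   # LAN prefix from the thread
WEB=192.168.1.10         # assumed address of the LAN web server

# Wrapper: execute iptables when APPLY=1, otherwise print the command (dry run).
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

router_rules() {
    # 1. Refuse anything arriving on the WAN that is already addressed to the
    #    LAN prefix. The raw table is traversed before nat, so this sees the
    #    original destination, and DROP is permitted here (it is not in nat).
    ipt -t raw -A PREROUTING -i "$WAN" -d "$LAN_NET" -j DROP

    # 2. Port-forward 80/tcp on the WAN address to the internal web server,
    #    and masquerade LAN clients going out.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # 3. Default-deny forwarding, then allow only what the router is for.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    #    Only connections that were DNAT'd (the web server forward) may enter
    #    the LAN from the WAN. A packet that arrived with 192.168.1.2 as its
    #    destination has no DNAT state, so it never matches this rule.
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate DNAT -j ACCEPT
}

router_rules
```

Two things worth checking on the router after applying this: `iptables -t raw -L PREROUTING -v -n` should show the drop counter rising when a neighbour on the WAN subnet sends to a 192.168.1.x address, and `iptables -L FORWARD -v -n` should show the web forward still counting on the DNAT rule. With a default FORWARD policy of DROP and only the accepts above, the hole from the first post does not exist even without rule 1; rule 1 just stops such packets earlier and keeps them out of conntrack.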