LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 11-18-2016, 07:21 AM   #1
user242
LQ Newbie
Registered: Jun 2016
Posts: 13

Routing from WAN into my LAN possible?


Hi,

I'm building a linux router with WAN and LAN interface (classic LAN access to the internet with a web server on the LAN)
I see a lot of tutorials describing how to enable masquerading, then allowing traffic to get forwarded between WAN and LAN interfaces and I think I understand it well.

But there is a case that I didn't see covered and I am wondering if it is a valid concern.

Let's say the WAN is 10.1.1.0/24 and LAN is 192.168.1.0/24. My WAN interface will get assigned IP 10.1.1.100.

What if my WAN interface receives a packet for 192.168.1.2? My guess is that the packet will get forwarded into my LAN right?
This case could happen if another user on 10.1.1.0 (let's say that guy is 10.1.1.200) adds a route for 192.168.1.0/24 -> GW(10.1.1.100).

This would mean that another customer of my ISP (or even my ISP directly) could access my whole private network? I'm guessing that my ISP would have rules that would prevent that, but you can never be too sure.

So I would need a rule in PREROUTING that drops all traffic destined to 192.168.1.0/24 incoming on the WAN interface. That rule would obviously need to be before the DNAT rules that forward to my web server and other servers.

Is that a valid concern? Or am I making a big mistake somewhere?

Thank you.
Old 11-18-2016, 03:14 PM   #2
nini09
Senior Member
Registered: Apr 2009
Posts: 1,850

If you don't want outside hosts, such as those on the WAN, to access your LAN, the rule you mentioned should be added.
Old 11-18-2016, 06:12 PM   #3
user242
LQ Newbie
Registered: Jun 2016
Posts: 13

Original Poster
It seems it is impossible to create such a rule. iptables doesn't allow DROP in the POSTROUTING chain.

I tried to create this scenario and it is indeed an issue.
With a bunch of hardware I was able to simulate what would be my ISP's router. If my ISP was to create a route such as "whatever wants to go to 192.168.1.0/24 gets forwarded to the GW at a.b.c.d" and a.b.c.d is my WAN IP. It worries me because no one talks about that so I am guessing a lot of people are having that hole. Of course, to exploit that, we would need to be on the same subnet as their WAN subnet.

The packet does go through my WAN interface and travels down to any host in my LAN. I want to avoid this with something like: iptables -t nat -A PREROUTING -i eth0 -j DROP -d 192.168.1.0/24. This would make sense because I am only expecting traffic destined to the WAN address on that interface.

I can't add the rule in the FORWARD chain because in POSTROUTING, I do some DNAT, so those port-redirect would match and get dropped.

How is this usually implemented?
Old 11-18-2016, 09:13 PM   #4
jefro
Moderator
Registered: Mar 2008
Posts: 21,973

While you are working on it, take a look here for some ideas. https://help.ubuntu.com/community/In...nectionSharing

I think this is what you mean. Your issue is how packets move based on what you suspect is an IP deal, but I think you also have MAC addressing going on, so your client won't be exactly the same as some client on the ISP.

However, depending on your ISP you could be exposing your lan (everyone) to others who are in your area. Also there are automated bots that peek and poke at every connection to see how far they can get.
Old 11-19-2016, 08:27 PM   #5
user242
LQ Newbie
Registered: Jun 2016
Posts: 13

Original Poster
What I ended up doing, and I am surprised that there are no other ways, is to "mark" the packets incoming on the WAN interface that are destined to the local subnet. The mangle rule happens before the nat rules, so the match will be done before DNAT.

Code:
iptables -A PREROUTING -i $WANPORT -t mangle -d 192.168.0.0/16 -j MARK --set-mark 242
Then, from the FORWARD chain, I drop those packets.

Code:
iptables -A FORWARD -i $WANPORT -m mark --mark 242 -j DROP
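As an added example, not code from any post in this thread, here is the ruleset I would use to close the hole asked about in #3 without the MARK workaround from #5. The nat table is the one where filtering is not supported; the raw and mangle tables both accept a DROP target, and raw PREROUTING runs before nat, so a plain DROP there is evaluated before any DNAT rule. The interface names (eth0/eth1) and the web server address (192.168.1.2) are assumptions; the subnets and WAN IP are the ones from post #1. The script prints an iptables-restore ruleset for review and applies it only with --apply.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables-restore
# ruleset for the router described above. Interface names and the web
# server address are assumptions (override them through the environment).
WAN=${WAN:-eth0}                   # assumed WAN interface name
LAN=${LAN:-eth1}                   # assumed LAN interface name
WAN_IP=${WAN_IP:-10.1.1.100}       # WAN address from post #1
LAN_NET=${LAN_NET:-192.168.1.0/24} # LAN prefix from post #1
WEB=${WEB:-192.168.1.2}            # assumed address of the LAN web server

gen_rules() {
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# A packet arriving on the WAN already addressed to a LAN address can only be
# routed-in traffic: legitimate WAN ingress is addressed to $WAN_IP. The raw
# table runs before nat, so the port-forward below never sees these packets.
-A PREROUTING -i $WAN -d $LAN_NET -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB:80
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Second line of defence in FORWARD: match the ORIGINAL destination as
# conntrack recorded it. A port-forwarded packet was originally sent to
# $WAN_IP and passes; one originally sent to the LAN prefix is dropped.
-A FORWARD -i $WAN -m conntrack --ctorigdst $LAN_NET -j DROP
-A FORWARD -i $WAN -o $LAN -d $WEB -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
COMMIT
EOF
}

# Check that can run without root: the raw-table DROP must appear before
# the DNAT rule, otherwise the port-forward itself would be discarded.
drop_precedes_dnat() {
  gen_rules | awk '
    /^-A PREROUTING/ && /-j DROP/ && !d { d = NR }
    /-j DNAT/ && !n { n = NR }
    END { exit !(d && n && d < n) }'
}

# Number of rules that drop WAN-ingress traffic addressed to the LAN prefix
# (one in raw, one in filter).
lan_dest_drop_count() {
  gen_rules | grep -c -- "-i $WAN .*$LAN_NET -j DROP"
}

case "${1:-}" in
  --apply) gen_rules | iptables-restore ;;   # needs root
  *)       gen_rules ;;                       # print for review
esac
```

If you prefer to keep the MARK approach from #5, the same ordering argument applies and the DROP can go straight into mangle PREROUTING instead of marking and dropping later. The `--ctorigdst` match needs conntrack loaded, which a MASQUERADE setup already has; `! --ctstate DNAT` on a `-d $LAN_NET` FORWARD rule is an equivalent way to exempt the port-forwarded flows.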