LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 11-18-2016, 08:21 AM   #1
user242
LQ Newbie
 
Registered: Jun 2016
Posts: 13

Rep: Reputation: Disabled
Routing from WAN into my LAN possible?


Hi,

I'm building a linux router with WAN and LAN interface (classic LAN access to the internet with a web server on the LAN)
I see a lot of tutorials describing how to enable masquerading, then allowing traffic to get forwarded between WAN and LAN interfaces and I think I understand it well.

But there is a case that I didn't see covered and I am wondering if it is a valid concern.

Let's say the WAN is 10.1.1.0/24 and LAN is 192.168.1.0/24. My WAN interface will get assigned IP 10.1.1.100.

What if my WAN interface receives a packet for 192.168.1.2? My guess is that the packet will get forwarded into my LAN right?
This case could happen if another user on 10.1.1.0 (let's say that guy is 10.1.1.200). He add a route for 192.168.1.0/24 -> GW(10.1.1.100).

This would mean that another customer of my ISP (or even my ISP directly) could access my whole private network? I'm guessing that my ISP would
have rules that would prevent that, but you can never be too sure.

So I would need a rule in PREROUTING that drops all traffic destined to 192.168.1.0/24 incomming on the WAN interface. That rule would obviously need to be before the DNAT rules that forwards to my web server and other servers.

Is that a valid concern? Or am I making a big mistake somewhere?

Thank you.
 
Old 11-18-2016, 04:14 PM   #2
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,838

Rep: Reputation: 160Reputation: 160
If you don't want that outside, such as from WAN, access your LAN, the rule you mentioned should be added.
 
Old 11-18-2016, 07:12 PM   #3
user242
LQ Newbie
 
Registered: Jun 2016
Posts: 13

Original Poster
Rep: Reputation: Disabled
It seems it is impossible to create such a rule. iptables doesn't allow DROP in the POSTROUTING chain.

I tried to create this scenario and it is indeed an issue.
With a bunch of hardware I was able to simulate what would be my ISP's router. If my ISP was to create a route such as "whatever wants to go to 192.168.1.0/24 gets forwarded to the GW at a.b.c.d" and a.b.c.d is my WAN IP. It worries me because no one talks about that so I am guessing a lot of people are having that hole. Of course, to exploit that, we would need to be on the same subnet as their WAN subnet.

The packet does go through my WAN interface and travels down to any host in my LAN. I want to avoid this with something like: iptables -t nat -A PREROUTING -i eth0 -j DROP -d 192.168.1.0/24. This would make sense because I am only expecting traffic destined to the WAN address on that interface.

I can't add the rule in the FORWARD chain because in POSTROUTING, I do some DNAT, so those port-redirect would match and get dropped.

How is this ususally implemented?
 
Old 11-18-2016, 10:13 PM   #4
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,886

Rep: Reputation: 3615Reputation: 3615Reputation: 3615Reputation: 3615Reputation: 3615Reputation: 3615Reputation: 3615Reputation: 3615Reputation: 3615Reputation: 3615Reputation: 3615
While you are working on it, take a look here for some ideas. https://help.ubuntu.com/community/In...nectionSharing

I think this is what you mean. Your issue is how do packet move based on what you suspect as an IP deal but I think you also have mac addressing going on so your client won't exactly be the same as some client on the ISP.

However, depending on your ISP you could be exposing your lan (everyone) to others who are in your area. Also there are automated bots that peek and poke at every connection to see how far they can get.
 
Old 11-19-2016, 09:27 PM   #5
user242
LQ Newbie
 
Registered: Jun 2016
Posts: 13

Original Poster
Rep: Reputation: Disabled
What I ended up doing, and I am surprised that there are no other ways, is to "mark" the packets incomming on the WAN interface that are destined to the local subnet. The mangle rule happens before the nat rules so the match will be done before DNAT.

Code:
iptables -A PREROUTING -i $WANPORT -t mangle -d 192.168.0.0/16 -j MARK --set-mark 242
Then, from the FORWARD chain, I drop those packets.

Code:
iptables -A FORWARD -i $WANPORT -m mark --mark 242 DROP
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Dual WAN Destination-based Routing volivier Linux - Networking 1 10-01-2009 02:54 PM
LAN cannot access other LAN systems, only WAN Myrion Linux - Networking 1 09-06-2007 08:29 PM
Advanced routing across multiple WAN links ? michaelsanford Linux - Networking 1 06-28-2005 10:23 PM
Routing LAN -> WAN -> LAN with unhelpful router synx13 Linux - Networking 2 06-14-2004 03:35 PM
Wan PCI Card T1 Routing in Linux dbeltz Linux - Networking 1 04-19-2004 10:53 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 09:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration