|
|
|
|
|
<!doctype html>
|
|
|
|
|
|
<html>
|
|
|
|
|
|
<head>
|
|
|
|
|
|
<meta charset=utf-8>
|
|
|
|
|
|
<meta name=generator content="Pelican 4.9.1">
|
|
|
|
|
|
<meta name=author content="LEdoian">
|
|
|
|
|
|
<meta name=description content="My personal webpage">
|
|
|
|
|
|
<meta name=referrer content=no-referrer>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<link rel=stylesheet href="./theme/css/theme.css">
|
|
|
|
|
|
|
|
|
|
|
|
<title>Only NAT packets you can deliver responses for – LEdoian's Blog</title>
|
|
|
|
|
|
</head>
|
|
|
|
|
|
<body>
|
|
|
|
|
|
|
|
|
|
|
|
<header>
|
|
|
|
|
|
<h1>LEdoian's Blog</h1>
|
|
|
|
|
|
</header>
|
|
|
|
|
|
|
|
|
|
|
|
<div id=main>
|
|
|
|
|
|
<nav>
|
|
|
|
|
|
<div>
|
|
|
|
|
|
<!-- Main navigation -->
|
|
|
|
|
|
<!-- TODO! -->
|
|
|
|
|
|
</div>
|
|
|
|
|
|
<div>
|
|
|
|
|
|
<h2>Categories</h2>
|
|
|
|
|
|
<ul>
|
|
|
|
|
|
<li><a href="./category/networking.html">networking</a></li>
|
|
|
|
|
|
<li><a href="./category/queer.html">queer</a></li>
|
|
|
|
|
|
<li><a href="./category/talks.html">talks</a></li>
|
|
|
|
|
|
<li><a href="./category/technology.html">technology</a></li>
|
|
|
|
|
|
<li><a href="./category/til.html">til</a></li>
|
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
|
|
<h2>Tags</h2>
|
|
|
|
|
|
<ul>
|
|
|
|
|
|
<li><a href="./tag/linux.html">linux</a></li>
|
|
|
|
|
|
<li><a href="./tag/lifehack.html">lifehack</a></li>
|
|
|
|
|
|
<li><a href="./tag/software.html">software</a></li>
|
|
|
|
|
|
<li><a href="./tag/relationships.html">relationships</a></li>
|
|
|
|
|
|
<li><a href="./tag/identity.html">identity</a></li>
|
|
|
|
|
|
<li><a href="./tag/print.html">print</a></li>
|
|
|
|
|
|
<li><a href="./tag/comics.html">comics</a></li>
|
|
|
|
|
|
<li><a href="./tag/ipv6-only.html">ipv6-only</a></li>
|
|
|
|
|
|
<li><a href="./tag/dns.html">dns</a></li>
|
|
|
|
|
|
<li><a href="./tag/meta.html">meta</a></li>
|
|
|
|
|
|
<li><a href="./tag/infrastructure.html">infrastructure</a></li>
|
|
|
|
|
|
<li><a href="./tag/smrst.html">smršť</a></li>
|
|
|
|
|
|
<li><a href="./tag/trains.html">trains</a></li>
|
|
|
|
|
|
<li><a href="./tag/software-engineering.html">software-engineering</a></li>
|
|
|
|
|
|
</ul>
|
|
|
|
|
|
</div>
|
|
|
|
|
|
<div>
|
|
|
|
|
|
<h2>Stalk me also at</h2>
|
|
|
|
|
|
TODO!
|
|
|
|
|
|
|
|
|
|
|
|
<h2>I stalk</h2>
|
|
|
|
|
|
TODO!
|
|
|
|
|
|
</nav>
|
|
|
|
|
|
|
|
|
|
|
|
<main>
|
|
|
|
|
|
<div>
|
|
|
|
|
|
<div class="details"><time datetime="2024-05-08T13:32:00+02:00">2024-05-08 13:32</time></div>
|
|
|
|
|
|
<h1>Only NAT packets you can deliver responses for</h1>
|
|
|
|
|
|
<p>When setting up a masquerading nat, it is worth considering masquerading only
|
|
|
|
|
|
packets from known networks. That is, instead of rule like <tt class="docutils literal">iifname <span class="pre">eth-inside</span>
|
|
|
|
|
|
masquerade</tt> use something like <tt class="docutils literal">iifname <span class="pre">eth-inside</span> ip saddr 198.51.100.0/24
|
|
|
|
|
|
masquerade</tt>.</p>
|
|
|
|
|
|
<p>I learned the hard way: my laptop in a masqueraded network picked a wrong
|
|
|
|
|
|
source address from a subnet the router had no knowledge about. The outbound
|
|
|
|
|
|
packets passed through right, but the responses came in, undergone translation,
|
|
|
|
|
|
and since the destination was unknown to the router, it used the <em>default</em>
|
|
|
|
|
|
route, sending the packet back to the ISP.</p>
|
|
|
|
|
|
<p>The result: IDS triggered by <em>many</em> packets from my router with source IP
|
|
|
|
|
|
addresses from all around the Internet, all with destination to my private
|
|
|
|
|
|
address. (The ISP was not happy about that.)</p>
|
|
|
|
|
|
|
|
|
|
|
|
</div>
|
|
|
|
|
|
</main>
|
|
|
|
|
|
</div> <!-- #main -->
|
|
|
|
|
|
|
|
|
|
|
|
<footer>
|
|
|
|
|
|
<hr>
|
|
|
|
|
|
Written using Pelican 4.9.1 by LEdoian.
|
|
|
|
|
|
</footer>
|
|
|
|
|
|
|
|
|
|
|
|
</body>
|
|
|
|
|
|
</html>
|
