From 2c81cf207cd1f60be6c1a3111878d28a13359058 Mon Sep 17 00:00:00 2001
From: Pavel 'LEdoian' Turinsky <ledoian@matfyz.cz>
Date: Wed, 8 May 2024 13:24:41 +0200
Subject: [PATCH] TIL: bogus NAT

---
 content/masquerade-with-filter.rst | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 content/masquerade-with-filter.rst

diff --git a/content/masquerade-with-filter.rst b/content/masquerade-with-filter.rst
new file mode 100644
index 0000000..c09374f
--- /dev/null
+++ b/content/masquerade-with-filter.rst
@@ -0,0 +1,26 @@
+Only NAT packets you can deliver responses for
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+
+:slug: masquerade-with-filter
+:date: 2024-05-08
+:tags: linux
+:category: til
+:keywords: nat, nftables, network
+:lang: en
+:translation: false
+:status: published
+
+When setting up a masquerading nat, it is worth considering masquerading only
+packets from known networks. That is, instead of rule like ``iifname eth-inside
+masquerade`` use something like ``iifname eth-inside ip saddr 198.51.100.0/24
+masquerade``.
+
+I learned the hard way: my laptop in a masqueraded network picked a wrong
+source address from a subnet the router had no knowledge about. The outbound
+packets passed through right, but the responses came in, undergone translation,
+and since the destination was unknown to the router, it used the *default*
+route, sending the packet back to the ISP.
+
+The result: IDS triggered by *many* packets from my router with source IP
+addresses from all around the Internet, all with destination to my private
+address. (The ISP was not happy about that.)