TIL: bogus NAT

content/masquerade-with-filter.rst

@@ -0,0 +1,26 @@
+Only NAT packets you can deliver responses for
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+
+:slug: masquerade-with-filter
+:date: 2024-05-08
+:tags: linux
+:category: til
+:keywords: nat, nftables, network
+:lang: en
+:translation: false
+:status: published
+
+When setting up a masquerading nat, it is worth considering masquerading only
+packets from known networks. That is, instead of rule like ``iifname eth-inside
+masquerade`` use something like ``iifname eth-inside ip saddr 198.51.100.0/24
+masquerade``.
+
+I learned the hard way: my laptop in a masqueraded network picked a wrong
+source address from a subnet the router had no knowledge about. The outbound
+packets passed through right, but the responses came in, undergone translation,
+and since the destination was unknown to the router, it used the *default*
+route, sending the packet back to the ISP.
+
+The result: IDS triggered by *many* packets from my router with source IP
+addresses from all around the Internet, all with destination to my private
+address. (The ISP was not happy about that.)