Only NAT packets you can deliver responses for @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ :slug: masquerade-with-filter :date: 2024-05-08 13:32 :tags: linux :category: til :keywords: nat, nftables, network :lang: en :translation: false :status: published When setting up a masquerading nat, it is worth considering masquerading only packets from known networks. That is, instead of rule like ``iifname eth-inside masquerade`` use something like ``iifname eth-inside ip saddr 198.51.100.0/24 masquerade``. I learned the hard way: my laptop in a masqueraded network picked a wrong source address from a subnet the router had no knowledge about. The outbound packets passed through right, but the responses came in, undergone translation, and since the destination was unknown to the router, it used the *default* route, sending the packet back to the ISP. The result: IDS triggered by *many* packets from my router with source IP addresses from all around the Internet, all with destination to my private address. (The ISP was not happy about that.)