You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
27 lines
1.0 KiB
ReStructuredText
27 lines
1.0 KiB
ReStructuredText
Only NAT packets you can deliver responses for
|
|
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
|
|
|
:slug: masquerade-with-filter
|
|
:date: 2024-05-08 13:32
|
|
:tags: linux
|
|
:category: til
|
|
:keywords: nat, nftables, network
|
|
:lang: en
|
|
:translation: false
|
|
:status: published
|
|
|
|
When setting up a masquerading nat, it is worth considering masquerading only
|
|
packets from known networks. That is, instead of rule like ``iifname eth-inside
|
|
masquerade`` use something like ``iifname eth-inside ip saddr 198.51.100.0/24
|
|
masquerade``.
|
|
|
|
I learned the hard way: my laptop in a masqueraded network picked a wrong
|
|
source address from a subnet the router had no knowledge about. The outbound
|
|
packets passed through right, but the responses came in, undergone translation,
|
|
and since the destination was unknown to the router, it used the *default*
|
|
route, sending the packet back to the ISP.
|
|
|
|
The result: IDS triggered by *many* packets from my router with source IP
|
|
addresses from all around the Internet, all with destination to my private
|
|
address. (The ISP was not happy about that.)
|