Networking Forums

simple question about ip_forward and NAT routing.

 
 
meneg

 
      03-30-2005, 07:16 PM
Hi, I have a simple question for some time now. If ip_forward is ON on a
machine, is every computer on the same subnet able to get it to be its
default gateway and get bandwidth from it (e.g. from an internet
connection that machine has for its own), when the purpose was for example
to plug in a laptop? Yes, No? If yes, what's the way to exclude all the
other machines without doing any weird routing that cuts them off
completely? thanks.
 
 
 
 
 
Jose Maria Lopez Hernandez

 
      03-30-2005, 07:36 PM
meneg wrote:
> Hi, I have a simple question for some time now. If ip_forward is ON on a
> machine, is every computer on the same subnet able to get it to be its
> default gateway and get bandwidth from it (e.g. from an internet
> connection that machine has for its own), when the purpose was for example
> to plug in a laptop? Yes, No? If yes, what's the way to exclude all the
> other machines without doing any weird routing that cuts them off
> completely? thanks.


Yes, if you have ip_forward activated, any machine that can route
traffic to the server can use it as a gateway. If the server is
acting as a NAT router then the traffic will be NATed and the machine
can access the internet.

The way to stop this behaviour is very easy. Just use some iptables
rules to allow only traffic for the hosts you want in the FORWARD
chain, or if you are using SNAT or MASQUERADE just do it for the IPs
you want. You can also do it another way: allow all the traffic
from the subnet and DROP the packets in the FORWARD chain for the
machines you don't want to have access to the Internet.

You can even use the iproute2 functionality and the ip command to
add some rules for source routing, and only allow packets to be
routed to the net from the host you want.

As you can see you have quite a lot of approaches to the problem.

Regards.

--

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
(E-Mail Removed)
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
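
The approach described in the reply above (a FORWARD chain that accepts only chosen hosts, with MASQUERADE limited to the same IPs), as an added example that is not part of the original post: a shell function that prints an `iptables-restore` ruleset for a host allow-list. The function names `gen_gateway_rules` and `is_ipv4` are made up for this example, and the interface names and address in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset that
# forwards and masquerades only for the listed LAN hosts.
# Assumed usage, with constructed names and address, run as root:
#   gen_gateway_rules eth1 eth0 192.168.0.50 | iptables-restore
# iptables-restore replaces the existing filter and nat tables.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_gateway_rules LAN_IF WAN_IF HOST...: write the ruleset to stdout.
gen_gateway_rules() {
    if [ "$#" -lt 3 ]; then
        echo "usage: gen_gateway_rules LAN_IF WAN_IF HOST..." >&2
        return 2
    fi
    lan_if=$1; wan_if=$2; shift 2
    # Validate everything first so a bad argument yields no partial ruleset.
    for host in "$@"; do
        is_ipv4 "$host" || { echo "not an IPv4 address: $host" >&2; return 1; }
    done
    echo '*filter'
    echo ':FORWARD DROP [0:0]'    # default: forward nothing
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for host in "$@"; do
        echo "-A FORWARD -i $lan_if -o $wan_if -s $host -j ACCEPT"
    done
    echo 'COMMIT'
    echo '*nat'
    echo ':POSTROUTING ACCEPT [0:0]'
    for host in "$@"; do
        echo "-A POSTROUTING -o $wan_if -s $host -j MASQUERADE"
    done
    echo 'COMMIT'
}
```

The rules match on source address only, so they are only as trustworthy as address assignment on the LAN segment.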
 
 
meneg

 
      03-31-2005, 03:16 AM
On Wed, 30 Mar 2005 21:36:31 +0200, Jose Maria Lopez Hernandez wrote:

thanks for the response, it's very helpful.

about this..

> any machine that can route traffic to the server


forgive my ignorance, I'm only using the functionality to share an
internet connection with a laptop but which are the machines that can
"route traffic to the server"? that excludes the rest of the internet
or/and other subnets in the LAN?
 
 
Jose Maria Lopez Hernandez

 
      03-31-2005, 08:55 AM
meneg wrote:
> On Wed, 30 Mar 2005 21:36:31 +0200, Jose Maria Lopez Hernandez wrote:
>
> thanks for the response, it's very helpful.
>
> about this..
>
>> any machine that can route traffic to the server
>
> forgive my ignorance, I'm only using the functionality to share an
> internet connection with a laptop but which are the machines that can
> "route traffic to the server"? that excludes the rest of the internet
> or/and other subnets in the LAN?



I meant the machines that can send traffic to the server (the router).
If a machine is in the same subnet then it can send traffic to the
router, and if the router has ip_forward activated then it can be
forwarded to other networks connected to the router, for example the
Internet. If the machine is in another subnet usually it can't send traffic
to the router. So: if the machine can connect to the router it can use
it to forward traffic, if it cannot then it cannot use it as a gateway.

Regards.
