
On my server, I have a default route to interface eth0. It has a public internet address and faces the ISP network. I have packet forwarding enabled, and a few local interfaces/bridges with private 10.x.x.x addresses. Also, all packets outgoing to the ISP network are masqueraded. The problem: if I understand correctly, any packet to a non-existent 192.168.x.x address will be forwarded through the public server interface (uplink) to my ISP. That is not desired.

How can I configure Linux to prevent forwarding any packets with a private network address destination through a public network interface? I guess just adding a single iptables rule would not be enough because there are multiple standard private network spaces (10.x.x.x, 192.168.x.x, 172.16.x.x and maybe others; IPv6 addresses aside). Is there any iptables plugin/system policy to accomplish that? I'd expect some system policy to mark the interface that faces the internet as the uplink.

Reasoning: my ISP does not like any packets with private network range destinations. I'm using a DNS server that is accessed through a VPN to my work. So when the VPN goes down, my ISP gets DNS requests to private network addresses and locks down the entire internet connection. They say that is done for security (just in case some virus overwrites my system DNS with a custom one).

Dmitriusan

2 Answers


You have one publicly-numbered interface eth0, which is your default route, and you don't want any traffic forwarded from any privately-numbered interfaces out the public one. Try

iptables -A FORWARD -o eth0 -j REJECT

Getting the rule in the right place in your FORWARD chain is left as an exercise. You should be able to generalise to ipv6 from there, also.

Edit: you can turn off all v4 forwarding with echo 0 > /proc/sys/net/ipv4/ip_forward, and all v6 forwarding with echo 0 > /proc/sys/net/ipv6/conf/all/forwarding. But you didn't say you wanted all forwarding off, just forwarding "from or to private network addresses through a public network interface". I'm not aware of any /proc structure to disable the forwarding of RFC1918 traffic only, and I'd be surprised if there were one.

MadHatter
  • I expected some /proc/sys/net/ parameter (I thought forbidding private packets should be a common thing). Until a better answer is posted, I'm marking this answer as accepted – Dmitriusan Oct 09 '17 at 10:15
  • @Dmitriusan how's the above edit? – MadHatter Oct 09 '17 at 11:03
  • Looks like you are right and adding explicit iptables rules is the only way to accomplish that. In my case, v4 forwarding is used between internal bridges/interfaces and for masquerading traffic from internal networks to the internet. The only thing I'm trying to limit is forwarding invalid packets from an internal network to non-existent private range addresses like 192.168.x.x to the ISP network. Probably I did not state that clearly in the question. So Zip's answer with explicit iptables rules feels more correct. Thanks for your time and suggestions. – Dmitriusan Oct 10 '17 at 09:03
  • Edited my question to add more clarity – Dmitriusan Oct 10 '17 at 09:09
  • @Dmitriusan not a problem, glad you found an answer that pleased you! But if you take away a ServerFault learning experience from this, it might be to *ask the question that you actually want answered*. – MadHatter Oct 10 '17 at 09:28
  • yes, my bad. Will try to avoid questions that may be read in different ways next time – Dmitriusan Oct 10 '17 at 09:43
  • @Dmitriusan good for you! I look forward to reading them. – MadHatter Oct 10 '17 at 09:44

Any packet that doesn't match a routing rule on the system will be directed to the default route, if there is any. By default, if you have an IP assigned on a given network, a routing rule will be added automatically forwarding that traffic to the assigned interface. If your server is not on these networks you want to block, then it's a good idea to check whatever is generating that traffic in order to get rid of it completely; otherwise you'll still have it bothering you on your local network devices.

The IANA private network IP ranges are pretty well defined and only 4, as can be seen even on this Wikipedia article. I suggest you add firewall outbound blocking rules to these network ranges, as destinations, after allowing the ranges you actually use.

Example iptables commands:

iptables -A FORWARD -d 10.0.0.0/8 -j REJECT
iptables -A FORWARD -d 172.16.0.0/12 -j REJECT
iptables -A FORWARD -d 192.168.0.0/16 -j REJECT
ip6tables -A FORWARD -d fd00::/8 -j REJECT

Note: Traffic destined to these ranges is dropped by ISPs, as they will have nowhere to forward it to. Some, however, may impose restrictions on your traffic if you leak these packets. Also, if you fear traffic inspection or leakage on the ISP level, this is far from the only thing you need to do to secure yourself.

Zip
  • The OP asks about packet forwarding, which traffic won't pass through either INPUT or OUTPUT chains, so those aren't going to help much with this question. – MadHatter Oct 08 '17 at 19:50
  • You're right MadHatter. I didn't pay enough attention. Edited accordingly. – Zip Oct 08 '17 at 20:17
  • Works for me; downvote removed. You can still do it in a single rule, though. – MadHatter Oct 08 '17 at 20:18
  • @Zip, my ISP does not like any packets with private network range destinations. I'm using a DNS server that is accessed through a VPN to my work. So when the VPN goes down, my ISP gets DNS requests to private network addresses and locks down the entire internet connection. They say that is done for security (just in case some virus overwrites my system DNS with a custom one) – Dmitriusan Oct 10 '17 at 09:17
  • @Dmitriusan interesting... Never seen that practice. Good to know... I'll edit the answer a bit... – Zip Oct 10 '17 at 20:38
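An added example, not code from either answer: it combines MadHatter's `-o eth0` match with Zip's per-range destinations, so only forwarded traffic leaving via the uplink towards private ranges is refused and forwarding between the internal bridges is untouched, and it puts a rate-limited LOG rule in front of each REJECT so the internal host generating the stray DNS traffic can be found. It prints the commands rather than running them; the uplink name (assumed to be eth0, as in the question) is taken from the first argument.

```shell
#!/bin/sh
# Added example: generate FORWARD rules that refuse forwarded traffic to
# private ranges only when it would leave through the uplink interface.
# The commands are printed, not executed, so they can be reviewed first
# and this script needs no root. Assumption: uplink is the first argument.

UPLINK="${1:-eth0}"

# RFC 1918 IPv4 ranges, plus the whole IPv6 ULA block (fc00::/7 includes fd00::/8).
PRIVATE_V4="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
PRIVATE_V6="fc00::/7"

# Emit a LOG+REJECT pair for one table flavour. Each rule is inserted at
# position 1 (ahead of any existing ACCEPT for masqueraded traffic), so the
# REJECT is printed first and the LOG inserted afterwards ends up in front of it.
emit_pair() {
    cmd="$1" uplink="$2" net="$3"
    printf '%s -I FORWARD 1 -o %s -d %s -j REJECT\n' "$cmd" "$uplink" "$net"
    printf '%s -I FORWARD 1 -o %s -d %s -m limit --limit 5/min -j LOG --log-prefix "private-leak: "\n' \
        "$cmd" "$uplink" "$net"
}

gen_rules() {
    for net in $PRIVATE_V4; do emit_pair iptables "$1" "$net"; done
    for net in $PRIVATE_V6; do emit_pair ip6tables "$1" "$net"; done
}

# Pure-shell check: is a dotted-quad IPv4 destination inside RFC 1918 space?
# Handy for classifying addresses seen in the LOG lines without iptables.
# Returns 0 (true) for 10/8, 172.16/12 (second octet 16..31) and 192.168/16.
is_private_v4() {
    a=${1%%.*}          # first octet
    rest=${1#*.}
    b=${rest%%.*}       # second octet
    case "$a" in
        10)  return 0 ;;
        172) if [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 0; fi ;;
        192) if [ "$b" -eq 168 ]; then return 0; fi ;;
    esac
    return 1
}

gen_rules "$UPLINK"
```

Review the printed rules against your existing FORWARD chain before applying them; they must sit above the ACCEPT that lets masqueraded traffic out.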