Should my server ever need to directly communicate with the NAT gateway?

1

What I mean by "directly communicate"

Does it ever need to receive packets with the gateway's IP address as the source IP address, or send packets with the gateway's IP address as the destination IP address?

(I would still allow ICMP request-echo, reply, no route to host, and time exceeded.)

My current setup

My physical Linux server is behind a router which handles DHCP (I don't use that with the server; a static IP is configured at boot), some (basic) firewalling, and NAT. It's not live yet, so at the moment downtime isn't an issue.

Why I'm asking

As I was blocking access to local network addresses in iptables, I was about to put in exceptions (-j RETURN rules in the private network address filtering chains) for the gateway address, when I stopped and wondered whether that would actually be necessary.

I don't administer the router from the server, and I don't want any program on the system to be able to do that, or change my local IP or anything along those lines, so if I understand NAT correctly, disallowing traffic to/from that IP shouldn't break anything.

But I'm not confident enough about my networking to say for sure, so before I possibly messed something up (especially something subtle like a less secure but hard-to-notice configuration change), I thought I'd do a bit of crowdsourcing on the decision.

Explanation if this is a stupid question

This is the first publicly-accessible server I've ever deployed, so I'm actively trying to form as many good habits, and as few bad ones, as possible...

Parthian Shot

Posted 2014-07-12T01:17:04.063

Reputation: 715

...After the question has been answered, and the answer accepted, and everything to do with the question pretty well resolved, some idiot moves this to Superuser? My question wasn't "Does my desktop need to access the gateway?", it was "Does my server?", and the question was specifically motivated by security concerns. Sigh... Whatever. This is the site that people recommend questions be moved to when they feel smugly superior, and that's just the way things are. – Parthian Shot – 2014-07-13T02:55:05.807

Answers

2

You should never need to communicate directly with a pure NAT gateway (i.e. a device that does port/address rewriting and nothing else).

However, you probably don't have one of those. The typical home router provides, in addition to NAT, DHCP, DNS resolving, possibly an NTP server, UPnP hole-punching, and assorted other services. If you're sure your server doesn't use any of them (in particular, DNS resolution), you can set up the server's firewall to block contact.

Mark

Posted 2014-07-12T01:17:04.063

Reputation: 1 304

DNS -- At the moment, I only anticipate needing DNS relatively infrequently for things like installing updates and maybe checking the hostnames of connecting hosts. In light of that, do you think it might be a good idea to just set the default primary and secondary DNS servers to 8.8.8.8 and 8.8.4.4 (or something similar)? – Parthian Shot – 2014-07-12T05:57:13.620

NTP -- I'm using the ..pool.ntp.org servers. So that probably shouldn't be an issue. – Parthian Shot – 2014-07-12T05:58:08.397

UPnP -- ...I'm not sure. I'm pretty sure I don't, though. And from what I'm reading, it seems like exactly the kind of thing I'd want to avoid (punching universally accessible holes in the NAT). – Parthian Shot – 2014-07-12T06:03:56.343

Thank you, by the way. I wouldn't have guessed it did much more than NAT, DHCP, and maybe DNS. Guess I should look into what other services it (may be) providing. – Parthian Shot – 2014-07-12T06:04:21.437

For DNS, you might wish to stick a caching DNS resolver on the server. – Mark – 2014-07-12T07:30:00.097

A good thought. I actually manually added one IP address to the hosts file because one of my iptables rules has a hostname. A DNS cache would almost definitely be better, my only worry being that, from everything I've been reading, it's really easy to misconfigure a DNS server. Although that might have just been from the days before bind9, it does worry me a bit. Is there a DNS caching solution you'd recommend? – Parthian Shot – 2014-07-12T08:08:56.483

I use Unbound. – Mark – 2014-07-12T09:06:14.283
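The ruleset the question and the accepted answer describe, written out as an added example (it is not code from the original post or from either participant): RFC1918 traffic to and from the server is diverted into two private-network chains, and `-j RETURN` exceptions re-open only the gateway paths actually needed, the four ICMP types the question lists (its "no route to host" is mapped to the `destination-unreachable` type, which also carries the fragmentation-needed message PMTU discovery relies on) plus, only if the server resolves names through the router, DNS. The gateway address `192.168.1.1`, the public TCP ports and the outbound services are assumptions; adjust them to your own setup. The script prints an `iptables-restore` ruleset by default and applies it only when run with `--apply`.

```shell
#!/bin/sh
# Added example, not from the original post: emit an iptables-restore ruleset
# that blocks RFC1918 traffic to and from the server and re-opens only the
# narrow paths to the NAT gateway the question asks about.
#
# Assumptions (not taken from the post): gateway address, exposed services
# and the outbound traffic the server needs.
GATEWAY="${GATEWAY:-192.168.1.1}"                  # assumed router / NAT gateway address
USE_GATEWAY_DNS="${USE_GATEWAY_DNS:-no}"           # yes only if the server resolves via the router
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-22 80 443}"  # assumed services reached via the router's port forwards

# ICMP the question still wants: echo request/reply, "no route to host"
# (destination-unreachable, which also carries fragmentation-needed) and time-exceeded.
ICMP_TYPES="echo-request echo-reply destination-unreachable time-exceeded"
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PRIVNET-IN - [0:0]
:PRIVNET-OUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Every new packet to or from a private address is judged by the PRIVNET
    # chains before any service rule is considered.
    for net in $RFC1918; do
        printf '%s\n' "-A INPUT -s $net -j PRIVNET-IN"
        printf '%s\n' "-A OUTPUT -d $net -j PRIVNET-OUT"
    done
    # Exceptions for the gateway: RETURN hands the packet back to INPUT/OUTPUT,
    # where the normal service rules decide. They must precede the final DROP.
    for t in $ICMP_TYPES; do
        printf '%s\n' "-A PRIVNET-IN -s $GATEWAY -p icmp --icmp-type $t -j RETURN"
        printf '%s\n' "-A PRIVNET-OUT -d $GATEWAY -p icmp --icmp-type $t -j RETURN"
    done
    if [ "$USE_GATEWAY_DNS" = yes ]; then
        # Replies come back as ESTABLISHED, so only the outbound query needs a hole.
        printf '%s\n' "-A PRIVNET-OUT -d $GATEWAY -p udp --dport 53 -j RETURN"
        printf '%s\n' "-A PRIVNET-OUT -d $GATEWAY -p tcp --dport 53 -j RETURN"
    fi
    # Everything else to or from a private address, the router's admin
    # interface and UPnP control port included, is dropped here.
    printf '%s\n' "-A PRIVNET-IN -j DROP"
    printf '%s\n' "-A PRIVNET-OUT -j DROP"
    # Public-facing services and the outbound traffic the server actually needs
    # (DNS, NTP, package mirrors over HTTP/HTTPS).
    for p in $PUBLIC_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
EOF
}

# Number of gateway-specific RETURN exceptions in the generated ruleset:
# 8 with the ICMP types alone, 10 when gateway DNS is enabled.
count_gateway_exceptions() {
    build_ruleset | grep -c -- "$GATEWAY .* -j RETURN"
}

case "${1:-}" in
    --apply) build_ruleset | iptables-restore ;;   # requires root
    ""|--print) build_ruleset ;;
esac
```

Two things worth keeping in mind when reading the counters (`iptables -L PRIVNET-IN -v -n`) afterwards. First, the gateway's own address only ever appears on packets the router itself originates, such as ICMP errors, DNS or NTP replies, DHCP offers or UPnP responses; traffic it merely forwards still carries the remote host's address, which is why the private-network chains cannot break NATed connections. ICMP errors tied to a tracked flow are already accepted by the `RELATED` rule before the chains are reached, so the ICMP exceptions mostly matter for the router's unsolicited pings. Second, the `DROP` policy on `OUTPUT` also swallows SSDP discovery to `239.255.255.250`, and the `PRIVNET-OUT` drop blocks the unicast UPnP control traffic that follows, so no process on the box can ask the router to open ports. ARP between the server and the gateway is not covered by any of this; it happens below iptables and is what keeps the default route working.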