iptables prevent wan-->lan access


user242

Guest
Hi, I would like to know how to protect my LAN from WAN access.

I have 2 NICs: one connected to a WAN (let's say 72.1.2.1), the other to the LAN (192.168.1.1).
I have enabled IP masquerading and IP forwarding.

The LAN can access the WAN with no problem. But what if another tenant on my WAN (72.1.2.2) added a route for 192.168.1.0/24-->[email protected]? My WAN NIC would receive a packet destined for the LAN and it would be forwarded correctly.

To avoid this, I could add a FORWARD rule to drop anything coming from the WAN, but then port forwarding through DNAT would not work anymore.

And I can't drop the packets from POSTROUTING before DNAT is applied.

So what are my options here? This basically means that my ISP can access my entire LAN.
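One way to keep DNAT port forwards working while dropping everything else the WAN side tries to route into 192.168.1.0/24, as an added example that is not part of the post: FORWARD runs after PREROUTING, so a rule can accept only flows that conntrack marks as DNAT'd. The interface names eth0/eth1 are assumptions; set IPT=echo for a dry run.

```shell
#!/bin/sh
# Added example: FORWARD policy for a 2-NIC masquerading router.
# LAN -> WAN is open; WAN -> LAN admits only replies and DNAT'd port forwards;
# anything else the WAN side routes toward the LAN is logged and dropped.
WAN_IF=${WAN_IF:-eth0}      # assumption: WAN NIC (72.1.2.1)
LAN_IF=${LAN_IF:-eth1}      # assumption: LAN NIC (192.168.1.1)
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-iptables}        # IPT=echo prints the rules instead of applying them

apply_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # LAN -> WAN: anything our own hosts initiate
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # WAN -> LAN: replies to flows the LAN started
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # WAN -> LAN: only connections PREROUTING actually DNAT'd (port forwards).
    # A packet merely routed at us for 192.168.1.0/24 has no DNAT state and
    # never matches here, even though its destination is inside the LAN.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate DNAT -j ACCEPT
    # everything else from the WAN toward the LAN: log (rate limited) and drop
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m limit --limit 5/min -j LOG --log-prefix "WAN->LAN blocked: "
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j DROP
}

# Port forward helper: the DNAT rule in PREROUTING is what gives the flow the
# DNAT conntrack state that the FORWARD rule above relies on.
forward_port() {  # forward_port <proto> <wan_port> <lan_host> <lan_port>
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
}

# Only touch the firewall when explicitly asked: ./fw.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_forward_rules
    forward_port tcp 2222 192.168.1.10 22   # constructed example forward
fi
```

With the packet filter in place, the route trick from 72.1.2.2 still delivers packets to the WAN NIC, but they now hit the final DROP and show up in the kernel log with the "WAN->LAN blocked:" prefix.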