- 11-22-2012 #1 Just Joined!
- Join Date
- Nov 2012
- Posts
- 1
Masquerading working, but "Outside" network can still route inbound
Hi, I am curious about a workshop/test setup I have here.
I have a Linux box set up with two NICs -
eth0 (WAN) - 10.65.12.1/24
eth1 (LAN) - 192.168.3.1/24
Default GW 10.65.12.254
I've enabled kernel IP forwarding and configured masquerading on eth0 -
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
As expected, devices on 192.168.3.0 can access the Internet via masquerading on 10.65.12.1.
If a rogue device on the 10.65.12.0 segment (i.e. 10.65.12.33) sets a static route for 192.168.3.0 via 10.65.12.1... this device can route directly to LAN devices. Is this normal behavior? How could this be stopped?
Cheers and thanks.
- 11-23-2012 #2 Linux Newbie
- Join Date
- Nov 2009
- Posts
- 117
chubb.
Well, you cannot given the setup you have configured. If you think about it, it's all working as it should be. The thing you need to address is what is the inbound traffic from 10.65.12.33? You probably need to configure a firewall against 10.65.12.0 restricting what connections you want to allow through it.
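The firewall the reply calls for, sketched as an added example that is not part of either post: MASQUERADE in the nat table only rewrites source addresses, while the decision to route a packet between eth0 and eth1 is made in the filter table's FORWARD chain. Interface names are taken from the question; the log prefix and the dry-run IPT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Stateful FORWARD policy for the
# two-NIC box in the question (eth0 = WAN 10.65.12.1, eth1 = LAN 192.168.3.1).
#
# Dry run by default: IPT prints each command instead of executing it.
# To apply, run as root with IPT=iptables (assumed variable name).
IPT="${IPT:-echo iptables}"

forward_policy() {
    wan="$1"   # outside interface
    lan="$2"   # inside interface

    # Default-deny everything the box would route between interfaces.
    # The existing nat/POSTROUTING MASQUERADE rule is left untouched.
    $IPT -P FORWARD DROP

    # Replies to connections that LAN hosts opened may come back in.
    $IPT -A FORWARD -i "$wan" -o "$lan" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may open connections outward (these get masqueraded).
    $IPT -A FORWARD -i "$lan" -o "$wan" -j ACCEPT

    # Anything else arriving on the WAN side for the LAN is a new inbound
    # connection, e.g. 10.65.12.33 using 10.65.12.1 as a route to
    # 192.168.3.0/24. Log it (constructed prefix), then drop it.
    $IPT -A FORWARD -i "$wan" -o "$lan" \
        -m conntrack --ctstate NEW -j LOG --log-prefix wan2lan-drop:
    $IPT -A FORWARD -i "$wan" -o "$lan" -j DROP
}

forward_policy eth0 eth1
```

After applying, `iptables -S FORWARD` should list the DROP policy followed by these four rules, and a ping from a 10.65.12.0/24 host to a 192.168.3.0/24 address should time out while LAN hosts keep their Internet access.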
