Last active: June 8, 2022 18:23
Alternate approach to actually protect LAN hosts (from "WAN LAN" hosts, i.e. hosts on the WAN segment that can route to the private LAN addresses) on a gateway (NAT != secure)
```nft
# Table/chain wrapper and the WAN define are added so the fragment loads with `nft -f`; "eth0" is a placeholder.
define WAN = "eth0"
table inet languard {
    # not sure if raw or mangle makes more sense, but it seems to work fine as long as it's no "later" than dstnat
    chain prerouting {
        type filter hook prerouting priority dstnat; policy accept;
        # the ". iif" part is probably irrelevant for this case,
        # it should probably be removed if the "usual" behavior of the input traffic needs to be retained
        # if it's for a "real" WAN, it might be desirable to also drop multicast (and even broadcast?) traffic
        iifname $WAN fib daddr . iif type != { local, broadcast, multicast } drop
        # apparently for some reason you need mangle instead if you do not want ". iif"
    }
}
```
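To make the rule's effect concrete, here is a small Python model (an added example, not part of the gist) that approximates how `fib daddr . iif type` classifies a packet's destination on a two-interface gateway and then applies the gist's drop. The interface names, addresses and sample packets are constructed; the fib classification is simplified.

```python
"""Model of the gist's prerouting rule: on the WAN interface, drop anything whose
destination is not local to the gateway, broadcast or multicast. This is what
NAT alone does not do: a WAN-side host can address a private LAN IP directly and,
absent a filter, the gateway would happily forward it."""
import ipaddress

WAN = "eth0"  # assumed WAN interface name (placeholder)

# Constructed gateway addressing: WAN side 203.0.113.2/24, LAN side 192.168.1.1/24.
IFACES = {
    "eth0": ipaddress.ip_interface("203.0.113.2/24"),
    "eth1": ipaddress.ip_interface("192.168.1.1/24"),
}


def fib_type(daddr: str, iif: str) -> str:
    """Approximate the kernel's route type for daddr arriving on iif."""
    ip = ipaddress.ip_address(daddr)
    if ip.is_multicast:
        return "multicast"
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"                      # limited broadcast
    if any(ip == iface.ip for iface in IFACES.values()):
        return "local"                          # one of the gateway's own addresses
    if ip == IFACES[iif].network.broadcast_address:
        return "broadcast"                      # directed broadcast of the ingress subnet
    return "unicast"                            # would be forwarded, e.g. to a LAN host


def verdict(iif: str, daddr: str) -> str:
    """The gist's rule; anything not dropped falls through to `policy accept`."""
    if iif == WAN and fib_type(daddr, iif) not in {"local", "broadcast", "multicast"}:
        return "drop"
    return "accept"


if __name__ == "__main__":
    samples = [
        ("eth0", "192.168.1.10"),   # WAN host aiming straight at a LAN host
        ("eth0", "203.0.113.2"),    # to the gateway's WAN IP (dstnat still runs later)
        ("eth0", "224.0.0.251"),    # multicast, accepted by the rule as written
        ("eth1", "198.51.100.7"),   # LAN host going out; rule does not apply
    ]
    for iif, daddr in samples:
        print(f"{iif} -> {daddr}: {fib_type(daddr, iif):9s} {verdict(iif, daddr)}")
```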