Re: simple question about ip_forward and NAT routing.

From: Jose Maria Lopez Hernandez (
Date: 03/30/05

Date: Wed, 30 Mar 2005 21:36:31 +0200

meneg wrote:
> Hi, I have a simple question for some time now. If ip_forward is ON on a
> machine, is every computer on the same subnet able to get it to be its
> default gateway and get bandwidth from it (e.g. from an internet
> connection that machine has for its own), when the purpose was for example
> to plug in a laptop? Yes, No? If yes, what's the way to exclude all the
> other machines without doing any weird routing that cuts them off
> completely? thanks.

Yes, if you have ip_forward activated any machine that can route
traffic to the server can use it as a gateway. If the server it's
acting as a NAT router then the traffic will be NATed and the machine
can access the internet.

The way to stop this behaviour it's very easy. Just use some iptables
rules to allow only traffic for the hosts you want in the FORWARD
chain or if you are using SNAT or MASQUERADE just do it for the IPs
you want. You can do it also in other manner, allow all the traffic
from the subnet and DROP the packets in the FORWARD chain for the
machines you don't want to have access to Internet.

You can even use the iproute2 funcionality and the ip command to
add some rules for source routing, and allow only to route the
packets to the net from the host you want.

As you can see you have quite a lot of approaches to the problem.


Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
bgSEC Seguridad y Consultoria de Sistemas Informaticos
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                 -- Jack Kerouac, "On the Road"