How to disable "double" NAT?
Hello. I have an interesting task. There is a small network. The gateway to the Internet is a Linux computer running CentOS. Internet access is allowed only for some computers (filtering by IP address in iptables; in the DHCP config, addresses are strictly bound to MACs). An advanced user with a laptop connected by cable, or a computer with a WiFi adapter, can set up an open access point by running NAT on his own machine. This needs to be prevented somehow. What came to mind is blocking by TTL. All packets sent directly to the gateway (through an unmanaged switch) have a TTL of 64. When passing through NAT, the TTL is decremented by one, i.e. it is already 63. So it is possible to drop all packets with TTL = 63 coming from the LAN on the gateway with iptables, which is what I do (enp2s0 is the interface that faces the LAN):
iptables -A INPUT -i enp2s0 -m ttl --ttl-eq 63 -j DROP
So you think that only you can change the TTL value? Naive :)
Perhaps it is worth limiting the number of simultaneous connections from one IP?
Apart from TTL, almost nothing changes in a packet that has passed through NAT: the SRC address, the SRC port (maybe), and the checksums. And TTL is questionable too. In FreeBSD, for example, you can build a kernel with the STEALTH option, and then the TTL will not change in packets passing through NAT.
If sites still open on the tablet, look with tcpdump at what kind of packets are going between the laptop and the gateway at that moment. Different systems set different TTLs. Windows, for example, sets TTL 64, and FreeBSD 128. It is possible that the tablet's is not 64 either. This does not explain the slowness, but it does explain why the sites open.
Objectively speaking, technically there is no way!
There will always be a kid who gets around it.
But if you are an organization, then this can be prohibited administratively.
Every sane organization has internal rules. They must prohibit the creation of unauthorized connections. Such a thing is called an "initiative gateway".
When hired, each employee signs the procedure for using the company's information resources. It is forbidden there.
All that remains is to catch the violators. This can be done analytically.
If an ordinary workstation starts a lot of simultaneous outgoing connections, it means that it either caught a Trojan or someone has set up a gateway on it.
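An added example (not from the question or any of the answers) that turns two points in this thread into a check a gateway operator could run: the tcpdump advice above (different operating systems start from different TTLs, so a fixed "drop TTL 63" rule misses a Windows device whose packets arrive with TTL 127 behind a Linux laptop) and the analytic approach in the last answer (a workstation opening an unusual number of new connections). It parses lines in the format the netfilter LOG target writes to the kernel log, estimates hops from the nearest common default TTL, and flags source addresses whose packets look like they crossed a router, carry several different TTL baselines, or open more than a threshold of new connections. The sample log lines, addresses, and the threshold value are constructed for illustration. Note also that the rule in the question sits in the INPUT chain, which only sees packets addressed to the gateway itself; traffic the gateway routes onward passes through FORWARD.

```python
import re
from collections import defaultdict

# Constructed sample: kernel log lines as written by the netfilter LOG target on the
# gateway, trimmed to the fields used here. Addresses and ports are invented.
#   .10  Linux host sending directly (TTL 64)
#   .20  one address carrying TTL 63 and TTL 127: a Linux and a Windows device behind a NAT
#   .30  Windows host sending directly (TTL 128), which must NOT be flagged
#   .40  Linux host opening many new connections in a short window
SAMPLE_LOG = """\
IN=enp2s0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=64 ID=1 PROTO=TCP SPT=40001 DPT=443 SYN
IN=enp2s0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.6 LEN=60 TTL=64 ID=2 PROTO=TCP SPT=40002 DPT=80 SYN
IN=enp2s0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 LEN=60 TTL=63 ID=3 PROTO=TCP SPT=40003 DPT=443 SYN
IN=enp2s0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=52 TTL=127 ID=4 PROTO=TCP SPT=40004 DPT=443 SYN
IN=enp2s0 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.8 LEN=52 TTL=128 ID=5 PROTO=TCP SPT=40005 DPT=443 SYN
""" + "".join(
    f"IN=enp2s0 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.{100 + i} LEN=60 TTL=64 "
    f"ID={10 + i} PROTO=TCP SPT={50000 + i} DPT=443 SYN\n"
    for i in range(8)
)

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?TTL=(?P<ttl>\d+)")

# Common initial TTLs: 64 (Linux, BSD, Android, macOS), 128 (Windows), 255 (some network gear).
INITIAL_TTLS = (64, 128, 255)


def guess_hops(ttl):
    """Estimate how many routers a packet crossed, assuming the sender started
    from the nearest common default at or above the observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None  # not reachable for an 8-bit TTL


def parse_log(text):
    """Yield (src, dst, ttl, is_syn) per LOG line; lines without the fields are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        yield m["src"], m["dst"], int(m["ttl"]), bool(re.search(r"\bSYN\b", line))


def analyze(text, max_syn_per_src=5):
    """Return {src: [reasons]} for sources whose traffic looks like it comes from
    behind a NAT or opens too many new connections. max_syn_per_src is a
    constructed threshold; tune it to the window and workload you log."""
    stats = defaultdict(lambda: {"ttls": set(), "hops": set(), "syn": 0, "dsts": set()})
    for src, dst, ttl, is_syn in parse_log(text):
        s = stats[src]
        s["ttls"].add(ttl)
        s["hops"].add(guess_hops(ttl))
        s["dsts"].add(dst)
        if is_syn:
            s["syn"] += 1

    findings = {}
    for src, s in stats.items():
        reasons = []
        if any(h >= 1 for h in s["hops"]):
            reasons.append("ttl_decremented")  # at least one packet crossed a router before the gateway
        if len(s["ttls"]) > 1:
            reasons.append("mixed_ttl")  # several different stacks share one source address
        if s["syn"] > max_syn_per_src:
            reasons.append("many_new_connections")  # the "analytic" signal from the thread
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(reasons)}")
```

Feed it real lines with something like `journalctl -k | grep 'IN=enp2s0'` after adding a `-j LOG` rule for new connections, and treat the output as a list of hosts to look at, not as proof: as the other answers note, TTL can be rewritten by the person running the NAT, so the connection-count signal and an administrative policy are what make the check useful.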