submitted 7 months ago (last edited 7 months ago) by PaX@hexbear.net to c/linux@lemmy.ml

can someone else use my machine as a router to forward traffic to anywhere else on the internet?

I'm not entirely sure what the security implications of that would even be if true but probably nothing good

I don't have any other routes in my routing table other than my "default" route and this machine is reachable via a globally routable IPv4 address. Also I think there are probably other machines on the same subnet (cloud VPS)

[-] Max_P@lemmy.max-p.me 8 points 7 months ago (last edited 7 months ago)

Yeah, it'll forward anything that makes its way there. Although it doesn't mean you can just proxy anything through it. If it's on the public Internet, for example, sure, it would theoretically forward to the 10.0.0.0/8 range, but you need a packet addressed to 10.0.0.0/8 to somehow make it to your box in the first place, which you can't do, as each hop makes an independent routing decision.

Neighbours on a cloud VPS are definitely the most likely to be able to exploit this, assuming you have a private IP on a shared network somehow and they let you talk to other VMs directly via their private IP. Making a virtual network just for the customer's VMs is incredibly cheap, and most cloud providers either have you make a virtual network or they just come with a default one that's still all yours, so this is less and less common unless you're on some super old VPS host that did it the lazy way. But even if you're literally on a friend's Proxmox, it's trivial to set up a dedicated virtual network. Even VirtualBox lets you easily make virtual networks.

I'd still set up the firewall though, even if it's just a -A FORWARD -i eth2 -j DROP to explicitly disallow forwarding from the publicly exposed interface, if you really want to blindly trust and forward to internal VPNs and VMs and containers and whatnot you have going that you want to enable forwarding for. But it's really not that hard to set up basic sanity rules like, don't forward traffic coming from the public interface to anywhere.

Things like firewalld or ufw can help you with firewall stuff.
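A concrete version of the sanity rule in the comment above, added here as an example rather than taken from the thread: it uses nftables instead of the iptables flag quoted in the comment, assumes eth0 as the public interface (the role eth2 plays above) and wg0 or a container bridge as the interfaces whose peers may use the box as a gateway, and pairs the forward rule with the sysctls that usually belong next to ip_forward=1. Nothing below is applied to the running kernel unless you pipe the output into nft or sysctl yourself.

```shell
# Added example, not from the original thread. Interface names are assumptions:
# eth0 is the globally reachable interface, wg0 / br0 are internal interfaces
# whose peers are allowed to route through this box.

# Report the kernel's IPv4 forwarding switch; prints "unknown" where /proc is
# not readable (some sandboxes), so the function is safe to call anywhere.
forwarding_state() {
    f=/proc/sys/net/ipv4/ip_forward
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# sysctl settings that belong next to ip_forward=1: refuse source-routed
# packets, ignore and stop ICMP redirects, and use strict reverse-path
# filtering so a neighbour cannot spoof a source the box would not route
# back out the same interface.  Apply with: gen_sysctl | sudo sysctl -p -
gen_sysctl() {
    cat <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
EOF
}

# Print an nftables ruleset that forwards only on behalf of the interfaces
# named after the public one.  Usage: gen_ruleset eth0 wg0 [br0 ...]
# Apply with: gen_ruleset eth0 wg0 | sudo nft -f -
gen_ruleset() {
    pub=$1
    shift
    cat <<EOF
table inet fwd_guard {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # return traffic for flows an internal peer opened
        ct state established,related accept

        # never route traffic that arrived on the public interface, whatever
        # its destination (private ranges, other tenants, the wider internet)
        iifname "$pub" drop
EOF
    for iface in "$@"; do
        printf '        iifname "%s" oifname "%s" accept\n' "$iface" "$pub"
    done
    cat <<EOF
    }

    chain postrouting {
        type nat hook postrouting priority 100;

        # internal peers use private addresses, so NAT them to the public one
        oifname "$pub" masquerade
    }
}
EOF
}
```

The chain policy is drop, so peers on two different internal interfaces (say wg0 and br0) cannot reach each other through the box unless you add an explicit accept for that pair; that is the conservative default. If Docker, a VPN tool or a cloud agent already manages its own FORWARD rules, run `nft list ruleset` after applying this and make sure the two sets do not contradict each other.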

[-] PaX@hexbear.net 3 points 7 months ago (last edited 7 months ago)

Ohh that's true, I didn't think about that. It would be difficult to route anything through it unless you were connected directly to it with nothing in-between because no other router would forward packets destined for somewhere else to my machine (except maybe in the extremely unlikely case of source routing?). It seems obvious now lol, thank you!

I'll write some firewall rules just in case

this post was submitted on 19 Apr 2024
13 points (100.0% liked)