Menu
What's new
By:
Filters Better Search

Redirect pings from WAN to internal network for router to respond?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

M

ml70

Regular Contributor
Would this be enough or will it go wrong somewhere, because my wan ip's are dhcp i'd need something like a reverse masquerade:
Code: 
iptables -t nat -A PREROUTING -p icmp -i ! br0 -d 192.168.0.0/16 --icmp-type echo-request -j DNAT --to 127.0.0.1
Or should i make an active script which gets wan_ipaddr from nvram and fills it into the rule instead of localhost.

Or maybe the actual solution is something different? I thought about using this for incoming icmp 5, 8, 13, 15, 17, 30. Maybe other stuff too if it works well, to keep the internal network completely nonvisible from the isp's 10.x.x.x network my router is connected to.

It's hard to test this because i can't have myself pinged from the isp network, and iptables counters are still at zero.
 
I really don't understand what you are trying to achieve here.

icmp pings aren't forwarded to your LAN (unless you've manually created an iptables rule). If someone, even your ISP, pings your WAN address they're only hitting your router not anything on your LAN.
 
I was thinking about icmp messages with source routing, someone on the same internal network (10.0.0.0/8) who tries to find out more about my network could randomly poke my 10.0.1.100 address with source routing pointing to private network address space and wait for replies.

And in order to avoid this, dnat all/some icmp messages coming from wan with destination in private address space to the router instead.
 
Last edited:
Weird, yesterday when i checked /proc/sys/net/ipv4/conf/default/accept_source_route it was 0, indicating source routing is disabled, and i thought it's the default and didn't pursue this issue further (my rules had received 0 hits).

But today after reboot, it shows 1...

Edit: oopss seems i got confused between /default and /all, accept_redirects and accept_source_route are luckily disabled in /all.
 
Last edited:
You must log in or register to reply here.

Similar threads

A
Policy-based port routing to bypass NordVPN client
Replies
10
Views
2K
Don->
D
Nick B
Allowing Incoming WAN Connections for WireGuard Client Listed in Director
Replies
7
Views
2K
arkywein
A
P
Tutorial Subnetting isolation without a VLAN switch
Replies
6
Views
959
Justinh
J
D
RT-AX58U wireguard iptables config for site to site with wg_manager vs wg-quick
Replies
12
Views
2K
dominatorstang
D
J
Could a router be hacked from WAN end if firmware always up to date, no portwarding, no upnp and wifi disabled.
Replies
5
Views
2K
coxhaus
C
Similar threads
Thread starter Title Forum Replies Date
K Redirect subdomains to ports Asuswrt-Merlin 8
D Redirect port 443 to 8443 Asuswrt-Merlin 6
pianopete Solved How to redirect my local domain to an externally hosted web server Asuswrt-Merlin 1
orudie VPN does not auto connect after primary WAN disconnects and Secondary WAN becomes active. When primary WAN reconnects again then VPN auto reconnects Asuswrt-Merlin 5
S Solved New ISP - WAN Setup - Will not work with custom WAN DNS - dnsmasq.conf Asuswrt-Merlin 1
Z Dual WAN + Dual Firewall Asuswrt-Merlin 11
M RT-AX86U Pro - Merlin: can't get p2p cameras available to wan. Asuswrt-Merlin 4
ollimoe RT-BE88U and Dynamic WAN Port MAC? Asuswrt-Merlin 0
M 802.1q VLAN tagging menu missing for WAN interface (Asus RT-AX86U Pro) Asuswrt-Merlin 4
U How to switch secondary WAN to Hot-Standby? Asuswrt-Merlin 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 871 (members: 32, guests: 839)
Top