can someone else use my machine as a router to forward traffic to anywhere else on the internet?
I’m not entirely sure what the security implications of that would even be if true but probably nothing good
I don’t have any other routes in my routing table other than my “default” route and this machine is reachable via a globally routable IPv4 address. Also I think there are probably other machines on the same subnet (cloud VPS)
Yeah, it’ll forward anything that makes its way to it. Although it doesn’t mean you can just proxy anything through it. If it’s on the public Internet for example, sure it would theoretically forward to the 10.0.0.0/8 range, but you need a packet addressed to 10.0.0.0/8 to somehow make it to your box in the first place, which you can’t do as each hop makes an independent routing decision.
Neighbours on a cloud VPS are definitely the most likely to be able to exploit this, assuming you have a private IP on a shared network somehow and they let you talk to other VMs directly via their private IP. Making a virtual network just for the customer’s VMs is incredibly cheap, and most cloud providers either have you make a virtual network or they just come with a default one that’s still all yours, so this is less and less common unless you’re on some super old VPS host that did it the lazy way. But even if you’re literally on a friend’s Proxmox, it’s trivial to set up a dedicated virtual network. Even VirtualBox lets you easily make virtual networks.
I’d still set up the firewall though, even if it’s just a
-A FORWARD -i eth2 -j DROP
to explicitly disallow forwarding from the publicly exposed interface, if you really want to blindly trust and forward to internal VPNs and VMs and containers and whatnot you have going that you want to enable forwarding for. But it’s really not that hard to set up basic sanity rules like “don’t forward traffic coming from the public interface to anywhere.” Things like firewalld or ufw can help you with firewall stuff.
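An added example of the “sanity rules” idea above, written for this edit and not posted by anyone in the thread: a small POSIX shell script that checks whether the box is currently routing (net.ipv4.ip_forward), generates an iptables-restore ruleset whose FORWARD chain defaults to DROP, explicitly drops new flows arriving on the public interface, and only forwards new flows that enter on the internal interfaces you actually route for. The interface names are assumptions (eth0 as the public interface, wg0 and docker0 as internal ones); set PUB_IF and INT_IFS to match your host.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed interface names below:
# eth0 = globally routable interface, wg0/docker0 = interfaces you forward for.
PUB_IF="${PUB_IF:-eth0}"
INT_IFS="${INT_IFS:-wg0 docker0}"   # space-separated, deliberately unquoted below

# forward_enabled [FILE]: succeed if the kernel is routing IPv4, i.e. the
# sysctl file (default /proc/sys/net/ipv4/ip_forward) contains "1".
forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# gen_forward_rules PUB_IF [INT_IF ...]: print an iptables-restore ruleset for
# the filter table's FORWARD chain.
#   1. default policy DROP, so anything not matched below is not forwarded
#   2. replies to flows already in conntrack are allowed first; they arrive on
#      the public interface and would otherwise be killed by rule 3, breaking
#      every forwarded VPN/container connection to the internet
#   3. new flows that enter on the public interface are dropped explicitly,
#      so a later "-P FORWARD ACCEPT" by some other tool does not reopen it
#   4. new flows that enter on an internal interface are forwarded
gen_forward_rules() {
    pub="$1"; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A FORWARD -i $pub -j DROP"
    for i in "$@"; do
        printf '%s\n' "-A FORWARD -i $i -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# apply_forward_rules: load the ruleset into the running kernel. Needs root.
# --noflush keeps INPUT/OUTPUT and other tables untouched; it also means the
# -A rules are appended again on every run, so flush FORWARD first if you
# rerun this (iptables -F FORWARD).
apply_forward_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_forward_rules: run as root" >&2
        return 1
    fi
    gen_forward_rules "$PUB_IF" $INT_IFS | iptables-restore --noflush
}

# Stand-alone run: report the routing state and show the rules that would be
# loaded, without touching the firewall.
if forward_enabled; then
    echo "ip_forward=1: this host routes packets; rules that would be loaded:"
else
    echo "ip_forward=0: not routing right now; rules are still cheap insurance:"
fi
gen_forward_rules "$PUB_IF" $INT_IFS
```

Two caveats for anyone adapting this: the conntrack ACCEPT has to sit above the public-interface DROP, otherwise the return half of every flow you forward for wg0 or docker0 is dropped on its way back in; and this only covers IPv4, so a host with net.ipv6.conf.all.forwarding=1 needs the same FORWARD rules loaded through ip6tables-restore as well.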
Ohh that’s true, I didn’t think about that. It would be difficult to route anything through it unless you were connected directly to it with nothing in-between because no other router would forward packets destined for somewhere else to my machine (except maybe in the extremely unlikely case of source routing?). It seems obvious now lol, thank you!
I’ll write some firewall rules just in case