Is it possible to config your machine to 'invisibly' route the packets?

Thread starter: Realme
Aimed machine: I just want to know how it can be done, so a tutorial for Windows, BSD or Linux is appreciated.

What I want is that my machine/router drops every packet addressed to it as the destination address and just invisibly routes the other packets.

User --> Packet to Google--> Local Machine --> Packet forwarded to WAN
User --> SMB/local HTTP server request --> Local Machine --> Packet forwarded to the local machine on the LAN (sounds like Ethernet, haha)

User --> Sends packet to Local Machine IP/Tries to 'access' it ---> Local Machine just 'drops' the packet, no response or anything.

The local machine should only be accessible through one specific port reserved for admin/config purposes.
 
This can be done on Windows using Windows Firewall, and on Linux with iptables or UFW.

You want to block certain ports, right?
 
Windows or Linux is appreciated.

What I had in my mind was:

Say your machine has 3+1 physical ports; the +1 physical port is reserved for admin purposes, and it is the only port through which the MACHINE will accept any packet addressed to it in the destination IP field.

And the other 3 ports are route ports. They just receive packets and forward them (subject to certain filters and logging),
BUT it won't reply to any packet addressed to the machine on those 3 ports, indirectly making the machine not connectable, or invisible, to other devices on the network.

The devices may sense its presence; they know that this machine will forward their packets, but they can't access the machine (NOT EVEN an access denied message will be sent by the machine).
The machine's IP address must be masked in tracert.
 
A few pointers for a Linux-based router.

What to do:
Add an iptables rule to accept only those packets which have a mapping in the nat table or are established connections.
Drop everything else except SSH (remember to add SSH as an exception, else you will be locked out).

Test and check. Once ready, change the SSH port and add port knocking.
 
To mask tracert, all you have to do is block ICMP.

BUT it won't reply to any packet addressed to the machine on those 3 ports, indirectly making the machine not connectable, or invisible, to other devices on the network.

You will need to drop all incoming traffic. It can be done easily. Windows Firewall already drops incoming traffic implicitly by default, for example.

Say your machine has 3+1 physical ports; the +1 physical port is reserved for admin purposes, and it is the only port through which the MACHINE will accept any packet addressed to it in the destination IP field.

You can just drop all packets of any protocol destined for that physical port. These physical ports are usually assigned interface numbers, and unless the ports are bridged together, no traffic will flow between them. On MikroTik, for example, the 4x port interface is bridged together with the LAN.

The devices may sense its presence; they know that this machine will forward their packets, but they can't access the machine (NOT EVEN an access denied message will be sent by the machine).

This is fine; there are two ways of blocking packets, drop and reject. Drop straight up drops the packet without a reply, and Reject drops it and sends an RST packet back.

Is this a server? If it is a router, you should install something like RouterOS, pfSense, OPNsense, etc.; it's way easier to do firewall rules on those. If it is a server that is behind a router, you can set up the firewall rules on your router instead.
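To put the pointers from the two replies above (accept only NAT-mapped/established traffic, drop everything else, keep one admin port, move SSH and add port knocking, hide the hop from tracert, drop rather than reject) into one working config, here is an nftables ruleset for the 3+1 port box the thread describes. This is an added example written for this page, not code posted in the thread; the interface names, the UDP knock sequence 7000 -> 8000 -> 9000 and the SSH port 2222 are assumptions, so adjust them for your hardware.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the thread. Interface names, the knock
# sequence and the SSH port are assumptions; adjust them to the box.

define ADMIN_IF = "eth0"                  # the "+1" admin-only port
define WAN_IF   = "eth1"                  # route port facing the Internet
define LAN_IFS  = { "eth2", "eth3" }      # route ports facing the users
define SSH_PORT = 2222                    # moved off 22, as suggested above

flush ruleset

table inet router {
    # Port-knock state. Each set remembers a source address for a short
    # window; a host must hit 7000, then 8000, then 9000 (UDP, assumed
    # sequence) to land in @allowed and be let through to the SSH port.
    set knock1  { type ipv4_addr; flags timeout; timeout 10s; }
    set knock2  { type ipv4_addr; flags timeout; timeout 10s; }
    set allowed { type ipv4_addr; flags timeout; timeout 30s; }

    chain input {
        # Default DROP, not REJECT: nothing addressed to the router's own
        # addresses gets an RST or ICMP unreachable back, on any interface.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept   # replies to the router's own traffic
        ct state invalid drop

        # Knock sequence, admin interface only; every knock packet is itself dropped.
        iifname $ADMIN_IF udp dport 7000 add @knock1 { ip saddr } drop
        iifname $ADMIN_IF udp dport 8000 ip saddr @knock1 add @knock2 { ip saddr } drop
        iifname $ADMIN_IF udp dport 9000 ip saddr @knock2 add @allowed { ip saddr } drop

        # The single admin service: SSH on the admin port, only for hosts that knocked.
        iifname $ADMIN_IF tcp dport $SSH_PORT ip saddr @allowed accept

        # Everything else, including ICMP echo on the route ports, falls to policy drop.
    }

    chain forward {
        # Transit traffic between the route ports; the admin port never forwards.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # New flows from the LAN: logged (rate-limited), then passed to the WAN
        # or to another LAN port. Put any extra filters in front of the accepts.
        iifname $LAN_IFS oifname $WAN_IF ct state new limit rate 10/second log prefix "fwd-wan: "
        iifname $LAN_IFS oifname $WAN_IF accept
        iifname $LAN_IFS oifname $LAN_IFS accept
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # traceroute sends probes with increasing TTL and reads the ICMP
        # time-exceeded error each hop generates; that error carries this
        # router's own address. Dropping it before it leaves makes the hop
        # show up as "* * *". (Echo replies are already gone: the echo
        # request never gets past the input chain.)
        icmp   type time-exceeded drop
        icmpv6 type time-exceeded drop
    }

    chain postrouting {
        # Source NAT for LAN hosts going out to the WAN; the conntrack entries
        # created here are what the forward chain's established rule matches.
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN_IF masquerade
    }
}
```

Load it from a console, not over the network, the first time (`sysctl -w net.ipv4.ip_forward=1`, then `nft -f router.nft`), and knock before trying SSH. Two caveats: the output-chain rule only touches time-exceeded errors this box generates, so errors from upstream routers still pass through the forward chain to the LAN hosts that asked for them; and because nothing is rejected, a client that probes the router's address hangs until its own timeout instead of failing fast, which is the "no response at all" behaviour asked for but also makes mistakes in the ruleset slower to notice.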
 
These things are very easily possible if you have a manual routing table in your router or you are using a firewall. I'm using a Sophos XG firewall and it sure works; I'm using it to store a local cache of Steam game downloads.
 