
Windows Server 2008 R2 RRAS NAT Security Concerns


Recently we have been deploying Windows Server 2008 R2 as the NAT gateway of our private network. During testing, we found that RRAS was doing its job as the NAT gateway; however, it seemed that hosts in the private network were allowed to access any listening port opened on the server side (2008 R2). In the normal scenario, the server side will have the process "wininit.exe" running and listening on TCP port 49152. We confirmed that all hosts in the private network were able to connect to TCP port 49152 opened on the server (connecting by using the NAT's public IP), which introduced lots of security concerns and made us nervous. Since the server is acting as a NAT, IP packets sent by hosts in the private network will be translated and forwarded as if they were generated by the NAT server itself. Thus, the Windows Firewall will not block the connection at all while dealing with "local" traffic, which actually is the traffic from the host in the private network.

What we need is a mechanism that can block the hosts in the private network from accessing the TCP/UDP ports opened on the NAT server side. Since the NAT server has its IP on the public network assigned dynamically (DHCP), static IP filtering on the private NIC does not fit our needs (or probably we may use some hidden but advanced filter settings?). Which policy or setting should be used in our case?
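
As an added example (not part of the original post), the following audit helper parses `netstat -ano` output taken on the NAT server and lists the listeners that would accept a connection addressed to its current public IP, such as the port 49152 listener described above. The sample output, addresses and PIDs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       412
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING       4
  TCP    203.0.113.10:3389      0.0.0.0:0              LISTENING       1500
  TCP    192.168.0.1:49200      192.168.0.25:445       ESTABLISHED     4
  TCP    [::]:49152             [::]:0                 LISTENING       412
  UDP    0.0.0.0:500            *:*                                    900
"""

WILDCARDS = {"0.0.0.0", "::"}  # sockets bound to every local address
# proto, local addr, local port, foreign addr, optional state, pid
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s+(\d+)\s*$")


def listeners(netstat_text):
    """Yield (proto, address, port, pid) for TCP LISTENING rows and all UDP rows."""
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        yield proto, addr.strip("[]"), int(port), int(pid)


def reachable_via(netstat_text, public_ip):
    """Listeners that accept traffic addressed to public_ip:
    wildcard binds, or binds to that exact address."""
    hits = {(proto, port, pid)
            for proto, addr, port, pid in listeners(netstat_text)
            if addr in WILDCARDS or addr == public_ip}
    return sorted(hits)


if __name__ == "__main__":
    # 203.0.113.10 stands in for the DHCP-assigned public address.
    for proto, port, pid in reachable_via(SAMPLE_NETSTAT, "203.0.113.10"):
        print(f"{proto} port {port} (PID {pid}) accepts traffic sent to the public IP")
```

Because the public address is assigned by DHCP, pass the address currently held by the public NIC each time the check is run.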


