Scenario: The router is configured to provide Internet access to internal clients and does not have open ports on the wan_face.

Goal: To allow internal clients to initiate connections to hosts on the Internet and to block Internet hosts from initiating connections to or through the router.

a) The following rule drops NEW (state) connections from the wan_face.

iptables -t mangle -I PREROUTING -i wan_face -m state --state NEW -j DROP

b) The following rule allows a reply connection from the wan_face that was initiated by the router or an internal client.

iptables -t mangle -A PREROUTING -i wan_face -m state --state ESTABLISHED,RELATED -j ACCEPT

c) The following rules allow the router and internal clients to initiate connections and reply to wan_face hosts.

iptables -t mangle -A OUTPUT -o wan_face -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -t mangle -A FORWARD -o lan_face -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Question 1: Since these rules are in the mangle table, if a packet's connection status is to be matched in the filter table, would the above rules have to be recreated specifying the filter table?

Question 2: In section b, this rule allows incoming ESTABLISHED and RELATED traffic from the wan_face. Do the INPUT and FORWARD chains need the same rule, or does the PREROUTING chain rule allow that traffic?
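Added example (editor's code, not part of the original post): the same policy written in the filter table, which is where filtering decisions are conventionally made. Two facts about netfilter drive the layout. First, connection-tracking state is a property of the packet's conntrack entry, so it can be matched in any table and any chain; nothing has to be "recreated" from mangle, and the match used here (-m conntrack --ctstate) is the current form of -m state --state. Second, an ACCEPT in mangle PREROUTING only ends traversal of that one chain; the packet still passes through nat PREROUTING, the routing decision, and then filter INPUT (destined to the router) or filter FORWARD (destined to a LAN client). If those chains have a DROP policy, the ESTABLISHED,RELATED rule has to be present in each of them, as below. Interface names wan_face and lan_face are placeholders taken from the post; the MASQUERADE rule assumes the router NATs the LAN, which the scenario implies but does not state. DRY_RUN=1 prints the rules instead of applying them, so the set can be reviewed without root.

```shell
#!/bin/sh
# Added example: default-deny filter-table policy for a NAT router.
# Placeholders (assumptions, not from the post): wan_face, lan_face, iptables path.
WAN="${WAN:-wan_face}"
LAN="${LAN:-lan_face}"
IPT="${IPT:-iptables}"

# run: execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_filter_policy() {
    # Default-deny on the chains that decide a packet's fate. OUTPUT stays open:
    # the router itself may initiate connections.
    run "$IPT" -t filter -P INPUT DROP
    run "$IPT" -t filter -P FORWARD DROP
    run "$IPT" -t filter -P OUTPUT ACCEPT

    # Traffic to the router itself. State is read from the conntrack entry,
    # so the ESTABLISHED,RELATED match lives here, in the chain with the DROP
    # policy, not only in mangle PREROUTING.
    run "$IPT" -t filter -A INPUT -i lo -j ACCEPT
    run "$IPT" -t filter -A INPUT -i "$WAN" -m conntrack --ctstate INVALID -j DROP
    run "$IPT" -t filter -A INPUT -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -t filter -A INPUT -i "$LAN" -j ACCEPT
    # No rule accepts NEW from $WAN, so inbound connection attempts hit the
    # DROP policy.

    # Traffic routed through the router: LAN may open connections outward,
    # WAN may only answer them.
    run "$IPT" -t filter -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -t filter -A FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # Assumption: internal clients use private addresses and need source NAT.
    run "$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Apply only when explicitly asked, so the file can be sourced for review.
# Usage:  DRY_RUN=1 APPLY=1 sh firewall.sh   (print)   |   sudo APPLY=1 sh firewall.sh
if [ -n "${APPLY:-}" ]; then
    apply_filter_policy
fi
```

With this in place, the mangle rules from the post become redundant for filtering purposes; mangle is still the right table for packet marking or TTL/TOS changes, but a DROP there is easy to overlook when someone later audits the filter table and sees nothing blocking inbound NEW connections.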