Are iptables connection tracking rules specific to a particular table
Goal: To allow internal clients to initiate connections to hosts on the Internet and to block Internet hosts from initiating connections to or through the router.
a) The following rule drops NEW (state) connections from the wan_face.
iptables -t mangle -I PREROUTING -i wan_face -m state --state NEW -j DROP
b) The following rule allows a reply connection from the wan_face that was initiated by the router or an internal client.
iptables -t mangle -A PREROUTING -i wan_face -m state --state ESTABLISHED,RELATED -j ACCEPT
c) The following rules allow the router and internal clients to initiate connections and reply to wan_face hosts.
iptables -t mangle -A OUTPUT -o wan_face -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -o <lan_face> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Question 1: Since these rules are in the mangle table, if a packet's connection status is to be matched in the filter table, would the above rules have to be recreated specifying the filter table?
Question 2: In section b, this rule allows incoming ESTABLISHED and RELATED traffic from the wan_face. Do the INPUT and FORWARD chains need the same rule, or does the PREROUTING chain rule allow that traffic?
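As an added example (not the poster's rules), the same goal expressed in the filter table, whose INPUT and FORWARD chains make the final accept/drop decision for a packet. The kernel tracks connection state once per packet regardless of which table a rule sits in, but an ACCEPT in mangle PREROUTING only ends traversal of that one chain, so the filter chains need their own state matches. Interface names wan_face and lan_face are taken from the post; the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: filter-table ruleset for the goal in the post. Interface
# names are assumed from the post and can be overridden via the environment.
WAN="${WAN:-wan_face}"
LAN="${LAN:-lan_face}"

# Print the rules rather than applying them, so they can be reviewed first
# and then piped to sh as root. "-m conntrack --ctstate" is the current
# spelling of the older "-m state --state" match used in the post.
filter_rules() {
  cat <<EOF
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT ! -i $WAN -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i $LAN -o $WAN -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Number of chains that carry their own ESTABLISHED,RELATED accept. Both INPUT
# and FORWARD need one: a state match in another table does not carry over.
state_rule_count() {
  filter_rules | grep -c 'ESTABLISHED,RELATED'
}

# Apply the printed rules (requires root and a kernel with nf_conntrack).
apply_rules() {
  filter_rules | sh
}

# Show per-rule packet counters to confirm reply traffic is matched by the
# state rules and not by anything broader.
show_counters() {
  iptables -t filter -L INPUT -v -n
  iptables -t filter -L FORWARD -v -n
}

[ "${1:-print}" = "apply" ] && apply_rules || filter_rules
```

Run without arguments to review the ruleset; pass `apply` as root to install it, then use show_counters to verify that inbound NEW packets on wan_face fall through to the DROP policy.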