Basic firewall forwarding allow rule question

Default filter rules include this one:


add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked

If placed before a forward "drop-all" rule, does it still allow two LAN subnets to talk to each other?

In default configuration drop rule comes with the “in-interface-list=WAN” parameter, so it does not match traffic coming from LAN.

Without knowing the config on your router it's impossible to say for sure.

All my subnets are set up as VLANs, so there is no layer 2 routing between them.
Since I use a drop rule at the end of my forward chain, no routing between VLANs is allowed at layer 3:
add action=drop chain=forward comment="all other traffic blocked"


As for the rule that skylark notes…
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

I don't like it because it's not intuitively clear, and I prefer breaking up the functionality so that it's readable.
1. Port Forwarding
add action=accept chain=forward in-interface-list=WAN connection-state=new connection-nat-state=dstnat
2. Block all other traffic
add action=drop chain=forward comment="all other traffic blocked"

As for your scenario:
If the LANs do not have a layer 2 connection (on the same switch or bridge, or some other way),
the last drop-all rule should prevent LAN to LAN communication at L3.

Let's start from a fresh default config; the forward chain ends with

add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

Question is: if I modify it into:


add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop

Do LAN-to-LAN packets (L3) match the first rule, or are they dropped by the second one?

If you do this, the router won't forward anything at all, because in order to become established or related, the connection (its first packet) is always new first. The exception is untracked, but that's controlled by rules in the raw table, and by default everything is tracked.

Just do the usual, it’s simple, safe and easy to understand:

  • accept established, related and untracked
  • drop invalid
  • accept what new connection should be allowed (lan1 to wan, lan2 to wan, lan1 to lan2, lan2 to lan1, connection-nat-state=dstnat for forwarded ports, whatever you need); no need to use connection-state here, because everything is new at this point
  • drop everything else
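To make the point above concrete, here is an added toy model of a stateful forward chain with a minimal connection tracker. It is constructed for this thread and is not RouterOS code or anyone's posted config; the interface names, interface lists (LAN, WAN, VLAN, ADMIN) and subnets are assumptions. It runs the two-rule chain from the question and the usual layout from the list above over the same constructed packets, so you can see that with the two-rule chain the first packet of every flow is "new", is dropped, and the flow never becomes "established".

```python
"""Toy model of a stateful forward chain (constructed example, not RouterOS code).
Shows why 'accept established,related,untracked' followed by 'drop' forwards
nothing, and runs the usual layout alongside it for comparison.
Interface names, interface lists and subnets are assumptions."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

ROUTES = {"192.168.88.0/24": "bridge", "10.0.10.0/24": "vlan10",   # prefix -> out-interface
          "10.0.20.0/24": "vlan20", "0.0.0.0/0": "ether1"}          # default route = WAN
IFACE_LISTS = {"bridge": {"LAN"}, "vlan10": {"LAN", "VLAN", "ADMIN"},   # interface -> lists
               "vlan20": {"LAN", "VLAN"}, "ether1": {"WAN"}}

def out_interface(dst: str) -> str:
    """Longest-prefix match over ROUTES, standing in for the routing table."""
    addr = ipaddress.ip_address(dst)
    nets = [n for n in map(ipaddress.ip_network, ROUTES) if addr in n]
    return ROUTES[str(max(nets, key=lambda n: n.prefixlen))]

# dstnat: a dst-nat rule already rewrote the packet; untracked: raw-table notrack applied
Packet = namedtuple("Packet", "src sport dst dport in_iface dstnat untracked",
                    defaults=(False, False))

@dataclass
class Rule:
    action: str                                  # "accept" or "drop"
    connection_state: "set | None" = None        # match if the flow state is one of these
    connection_nat_state: "str | None" = None    # "dstnat" or "!dstnat"
    in_interface_list: "str | None" = None
    out_interface_list: "str | None" = None
    comment: str = ""

    def matches(self, p, state: str, out_if: str) -> bool:
        """Every condition that is set must hold, as for a firewall rule."""
        return all([
            self.connection_state is None or state in self.connection_state,
            self.connection_nat_state is None
            or (self.connection_nat_state == "dstnat") == p.dstnat,
            not self.in_interface_list or self.in_interface_list in IFACE_LISTS[p.in_iface],
            not self.out_interface_list or self.out_interface_list in IFACE_LISTS[out_if],
        ])

class ConnTrack:
    """A flow is 'new' until its first packet is accepted, then 'established' both
    ways. If that first packet is dropped the flow is never confirmed, so the next
    packet is 'new' again. Untracked packets (raw-table notrack) bypass the table."""
    def __init__(self):
        self.confirmed = set()
    def key(self, p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})   # direction-agnostic
    def state(self, p) -> str:
        if p.untracked:
            return "untracked"
        return "established" if self.key(p) in self.confirmed else "new"
    def record(self, p):
        if not p.untracked:
            self.confirmed.add(self.key(p))

def run(chain: list, packets: list) -> list:
    """First matching rule decides; returns (verdict, comment) per packet. A packet
    matching no rule is accepted, as in RouterOS, so the final drop makes it default-deny."""
    ct, verdicts = ConnTrack(), []
    for p in packets:
        state, out_if = ct.state(p), out_interface(p.dst)
        verdict = next(((r.action, r.comment) for r in chain if r.matches(p, state, out_if)),
                       ("accept", "end of chain, implicit accept"))
        if verdict[0] == "accept":
            ct.record(p)
        verdicts.append(verdict)
    return verdicts

EST = {"established", "related", "untracked"}
BROKEN_CHAIN = [   # the two-rule chain asked about in the thread
    Rule("accept", connection_state=EST, comment="accept established,related,untracked"),
    Rule("drop", comment="drop"),
]
USUAL_CHAIN = [    # accept est/rel/untracked, accept the wanted new flows, drop the rest
    Rule("accept", connection_state=EST, comment="accept established,related,untracked"),
    # 'drop invalid' omitted only because this toy tracker never yields the invalid state
    Rule("accept", in_interface_list="LAN", out_interface_list="WAN", comment="LAN to WAN"),
    Rule("accept", in_interface_list="ADMIN", out_interface_list="VLAN", comment="ADMIN to VLANs"),
    Rule("accept", in_interface_list="WAN", connection_nat_state="dstnat", comment="port forwarding"),
    Rule("drop", comment="all other traffic blocked"),
]

# Constructed traffic: a vlan10 (ADMIN) host opens a flow to vlan20, gets a reply, sends more
A = Packet("10.0.10.5", 40000, "10.0.20.7", 443, "vlan10")
B = Packet("10.0.20.7", 443, "10.0.10.5", 40000, "vlan20")
LAN_TO_LAN = [A, B, A]
OTHERS = [Packet("10.0.20.9", 50000, "10.0.10.5", 22, "vlan20"),                    # new, vlan20 -> vlan10
          Packet("203.0.113.10", 5555, "192.168.88.10", 80, "ether1", dstnat=True),  # forwarded port
          Packet("203.0.113.10", 5556, "192.168.88.10", 80, "ether1")]               # WAN, not dst-natted

if __name__ == "__main__":
    print("broken:", run(BROKEN_CHAIN, LAN_TO_LAN))
    print("usual: ", run(USUAL_CHAIN, LAN_TO_LAN), run(USUAL_CHAIN, OTHERS))
```

Running it, the broken chain drops all three packets of the LAN-to-LAN flow (each arrives as "new" because the previous one never got confirmed), while the usual chain accepts the first packet on the explicit "ADMIN to VLANs" rule and the rest on the established rule; a new flow in the opposite direction and a WAN packet without dst-nat both fall through to the final drop.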

Sob obviously concurs with my advice :wink:
The reason I put in connection-state=new is because I am telling myself and the reader that it's new. A polished MT programmer would know that automatically, but I am far from it…

So between the first rule and the last drop rule I typically have
allow LAN to WAN
allow VLAN to WAN
allow ADMIN to VLANs