Posted: Thu Mar 24, 2011 11:51 Post subject: iptables FORWARD curiosity
I'm using a Buffalo WZR-HP-G300NH with the "official" Buffalo v2.4 14998 firmware. I've encountered a weird problem related to my iptables commands that I could use some input on.
I want to block incoming connections based on a fairly wide range of IP addresses (private server, so anywhere I don't travel to gets blocked). Here's an example in my firewall commands (all one line):
With that set, indeed nobody in that port range can connect in. So far, so good.
*But*, now I also can't browse to anything in that range. For example, this very site happens to be hosted at an 83.141.4.210 address, and with the above line in my firewall, I can't connect.
After more reading, I thought replacing "FORWARD" with "INPUT" might do the trick, but while I can now connect out, everybody can connect in. So that command seems to do nothing at all.
If you want to prevent them from initiating connections to you but still allow yourself to initiate connections to them then add this to the rule:
-m state --state NEW
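Added example, not code from the thread: a small POSIX sh script that emits the FORWARD rule from the reply above, with the state match, for a list of source ranges. The ranges (83.141.0.0/16 and 203.0.113.0/24) are constructed for illustration only; the chain, match and target are the ones discussed in the thread.

```shell
#!/bin/sh
# Build FORWARD rules that drop only NEW connections from a list of
# source ranges. Hosts behind the router can still open connections to
# those ranges, because reply packets are ESTABLISHED, not NEW, and so
# never match the DROP rule.

# Print the iptables command for one source range (CIDR).
build_rule() {
    range=$1
    # FORWARD: traffic passing through the router to LAN hosts. INPUT only
    # covers packets addressed to the router itself, which is why moving
    # the rule to INPUT left inbound connections to LAN hosts unblocked.
    # -m state --state NEW: match only the first packet of a new flow.
    printf 'iptables -I FORWARD -s %s -m state --state NEW -j DROP\n' "$range"
}

# Read CIDRs from stdin (one per line, '#' comments allowed) and either
# print the rules (mode "print") or execute them (mode "run").
apply_rules() {
    mode=${1:-print}
    while read -r range; do
        [ -z "$range" ] && continue
        case $range in "#"*) continue ;; esac
        cmd=$(build_rule "$range")
        if [ "$mode" = run ]; then
            sh -c "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# Constructed sample list; 83.141.0.0/16 is assumed only to illustrate
# the address mentioned in the thread (83.141.4.210).
BLOCK_RANGES='# ranges to block (constructed example)
83.141.0.0/16
203.0.113.0/24'

# Dry run: show the rules. Use "apply_rules run" as root on the router.
printf '%s\n' "$BLOCK_RANGES" | apply_rules print
```

To verify the effect afterwards, `iptables -L FORWARD -v -n` shows the per-rule packet counters, so a blocked connection attempt from one of the ranges increments the DROP rule while outbound browsing to the same range keeps working.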
Thanks for that. A quick test indicates that I can connect out with that added. I'll add it to all my rules, and then monitor for incoming connections to make sure it's working (not that I doubt you, of course).