CTState - ESTABLISHED,RELATED - need to clarify

OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Fri Aug 05, 2022 11:11    Post subject: CTState - ESTABLISHED,RELATED - need to clarify
This is a general question, not specific to DD-WRT. I need to make Scenario A equivalent to Scenario B restriction-wise.

Scenario A (API forces INPUT policy to be DROP and forces OUTPUT policy to be ACCEPT):
Code:
iptables -P INPUT DROP
iptables -I INPUT 1 -i ethZ -s X.X.X.X -d Y.Y.Y.Y -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -i ethZ -s X.X.X.X -d Y.Y.Y.Y -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT
iptables -I OUTPUT 1 -o ethZ -s Y.Y.Y.Y -d X.X.X.X -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 2 -o ethZ -s Y.Y.Y.Y -d X.X.X.X -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 3 -o ethZ -s Y.Y.Y.Y -d X.X.X.X -j DROP
iptables -I OUTPUT 4 -o ethZ -s Y.Y.Y.Y -d F.F.F.F -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 5 -j DROP


For Scenario A, does INPUT rule 3 make sense? I ask because I already specify tracking of NEW,ESTABLISHED,RELATED connections in INPUT rules 1 and 2. INPUT rule 3 should be redundant, yet INPUT rule 3 packet counter logs many accepted packets, more than the sum of accepted packets logged for rule 1 + rule 2. Is it because of OUTPUT rule 4?

Scenario B (API forces INPUT policy to be ACCEPT and forces OUTPUT policy to be ACCEPT):
Code:
iptables -P INPUT ACCEPT
iptables -I INPUT 1 -i ethZ -s X.X.X.X -d Y.Y.Y.Y -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -i ethZ -s X.X.X.X -d Y.Y.Y.Y -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 4 -j DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT
iptables -I OUTPUT 1 -o ethZ -s Y.Y.Y.Y -d X.X.X.X -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 2 -o ethZ -s Y.Y.Y.Y -d X.X.X.X -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 3 -j DROP


INPUT tracking of ESTABLISHED and RELATED connections is always generated by the API when the INPUT policy is set to DROP, but never when the INPUT policy is set to ACCEPT. For Scenario B, INPUT rule 4 is supposed to have the same function as the policy being set to DROP. Scenario B OUTPUT rule 3 drops all traffic and there is no output to destination F.F.F.F (like in Scenario A). Should INPUT rule 3 be logging any packets in Scenario B?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Aug 05, 2022 12:04    Post subject:
Do not use line numbers; that is highly unreliable.

Usually you have an ESTABLISHED,RELATED rule as the first rule (so that is inserted last) and a DROP rule as the last (that is appended), and then you have NEW rules to allow traffic.

See:
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

Very nice reading: see attachment.

But a lot of things boil down to personal preference.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
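Editor's added example, not code from either poster. It is a small Python model of first-match chain traversal with conntrack states, chosen over real iptables commands because it runs without root or a netfilter stack. It builds the INPUT chain of Scenario A and Scenario B exactly as listed in the question, plus the layout the reply recommends (DROP appended first, NEW rules inserted, ESTABLISHED,RELATED inserted last so it lands on top). The addresses are the thread's placeholders, the packets are constructed, and the conntrack classification of each packet is supplied as input rather than computed (an assumption; real conntrack also derives RELATED for ICMP errors and helper flows). The rule names such as "est-rel" are mine. Its purpose is to show why a catch-all ESTABLISHED,RELATED rule's counter can exceed the port-specific rules: the reply direction of any confirmed flow is ESTABLISHED, whichever chain accepted the flow's first packet, so replies to an outbound HTTPS connection arrive on INPUT and match only the catch-all rule.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Placeholder addresses as written in the thread (not real hosts).
X = "X.X.X.X"  # remote admin host allowed to reach SSH and HTTP on Y
Y = "Y.Y.Y.Y"  # the firewall host itself
F = "F.F.F.F"  # HTTPS server Y may connect out to under Scenario A OUTPUT rule 4

NEW_ER = frozenset({"NEW", "ESTABLISHED", "RELATED"})
ER = frozenset({"ESTABLISHED", "RELATED"})


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ctstate: str  # conntrack's classification: NEW, ESTABLISHED, RELATED or INVALID (given, not computed)


@dataclass
class Rule:
    target: str
    iface: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ctstates: Optional[FrozenSet[str]] = None
    name: str = ""
    hits: int = 0  # packet counter, the "pkts" column of iptables -L -v

    def matches(self, p: Packet) -> bool:
        # Every match the rule specifies must hold; an unspecified match is a wildcard.
        return all((
            self.iface is None or self.iface == p.iface,
            self.src is None or self.src == p.src,
            self.dst is None or self.dst == p.dst,
            self.proto is None or self.proto == p.proto,
            self.sport is None or self.sport == p.sport,
            self.dport is None or self.dport == p.dport,
            self.ctstates is None or p.ctstate in self.ctstates,
        ))


class Chain:
    """Built-in chain with a policy; insert() behaves like -I (head), append() like -A (tail)."""

    def __init__(self, policy: str):
        self.policy = policy
        self.rules: List[Rule] = []

    def insert(self, rule: Rule) -> None:
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)

    def traverse(self, packets: List[Packet]) -> List[str]:
        """First-match semantics: the first matching rule decides the verdict and takes the hit."""
        verdicts = []
        for p in packets:
            for r in self.rules:
                if r.matches(p):
                    r.hits += 1
                    verdicts.append(r.target)
                    break
            else:
                verdicts.append(self.policy)  # nothing matched: the chain policy applies
        return verdicts

    def counters(self) -> List[int]:
        return [r.hits for r in self.rules]

    def order(self) -> List[str]:
        return [r.name for r in self.rules]


def ssh_rule(states: FrozenSet[str]) -> Rule:
    return Rule("ACCEPT", iface="ethZ", src=X, dst=Y, proto="tcp", dport=22, ctstates=states, name="ssh")


def http_rule(states: FrozenSet[str]) -> Rule:
    return Rule("ACCEPT", iface="ethZ", src=X, dst=Y, proto="tcp", dport=80, ctstates=states, name="http")


def scenario_a_input() -> Chain:
    # Scenario A INPUT chain in the order the question lists it: rules 1..3, policy DROP.
    c = Chain("DROP")
    for r in (ssh_rule(NEW_ER), http_rule(NEW_ER), Rule("ACCEPT", ctstates=ER, name="est-rel")):
        c.append(r)
    return c


def scenario_b_input() -> Chain:
    # Scenario B: the same three rules, an explicit DROP as rule 4, policy ACCEPT.
    c = scenario_a_input()
    c.policy = "ACCEPT"
    c.append(Rule("DROP", name="drop-all"))
    return c


def recommended_layout() -> Chain:
    # The reply's ordering: append DROP first, insert the NEW rules, insert ESTABLISHED,RELATED last.
    c = Chain("DROP")
    c.append(Rule("DROP", name="drop-all"))
    c.insert(ssh_rule(frozenset({"NEW"})))
    c.insert(http_rule(frozenset({"NEW"})))
    c.insert(Rule("ACCEPT", ctstates=ER, name="est-rel"))
    return c


# Constructed sample traffic arriving on ethZ.
INBOUND_ADMIN = [
    Packet("ethZ", X, Y, "tcp", 51000, 22, "NEW"),          # SYN opening an SSH session
    Packet("ethZ", X, Y, "tcp", 51000, 22, "ESTABLISHED"),  # later segment of that session
    Packet("ethZ", X, Y, "tcp", 51001, 80, "NEW"),          # HTTP request
    Packet("ethZ", "Z.Z.Z.Z", Y, "tcp", 40000, 22, "NEW"),  # unrelated host trying SSH
]
# Reply segment of an HTTPS connection that Y opened to F; conntrack marks the reply
# direction of a confirmed flow ESTABLISHED regardless of which chain accepted the SYN.
HTTPS_REPLY = Packet("ethZ", F, Y, "tcp", 443, 40500, "ESTABLISHED")

if __name__ == "__main__":
    for label, chain, pkts in (("A", scenario_a_input(), INBOUND_ADMIN + [HTTPS_REPLY]),
                               ("B", scenario_b_input(), INBOUND_ADMIN),
                               ("reply", recommended_layout(), INBOUND_ADMIN + [HTTPS_REPLY])):
        verdicts = chain.traverse(pkts)
        print(label, chain.order(), chain.counters(), verdicts)
```

In Scenario A the "est-rel" counter only moves for the HTTPS reply, which neither port-specific rule can match; in Scenario B, where OUTPUT rule 3 prevents any such outbound connection, the same rule sees nothing from this traffic set. With the reply's layout the ESTABLISHED SSH segment is counted by the top rule instead of the SSH rule, which is why that rule is placed first.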