OpenSource Ghost DD-WRT User
Joined: 14 Feb 2022 Posts: 50
Posted: Fri Aug 05, 2022 11:11 Post subject: CTState - ESTABLISHED,RELATED - need to clarify
This is a general question, not specific to DD-WRT. I need to make Scenario A equivalent to Scenario B restriction-wise.
Scenario A (API forces INPUT policy to be DROP and forces OUTPUT policy to be ACCEPT):
Code:
iptables -P INPUT DROP
iptables -I INPUT 1 -i ethZ -s X.X.X.X -d Y.Y.Y.Y -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -i ethZ -s X.X.X.X -d Y.Y.Y.Y -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -I OUTPUT 1 -o ethZ -s Y.Y.Y.Y -d X.X.X.X -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 2 -o ethZ -s Y.Y.Y.Y -d X.X.X.X -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 3 -o ethZ -s Y.Y.Y.Y -d X.X.X.X -j DROP
iptables -I OUTPUT 4 -o ethZ -s Y.Y.Y.Y -d F.F.F.F -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 5 -j DROP
For Scenario A, does INPUT rule 3 make sense? I ask because I already specify tracking of NEW,ESTABLISHED,RELATED connections in INPUT rules 1 and 2. INPUT rule 3 should be redundant, yet INPUT rule 3 packet counter logs many accepted packets, more than the sum of accepted packets logged for rule 1 + rule 2. Is it because of OUTPUT rule 4?
Scenario B (API forces INPUT policy to be ACCEPT and forces OUTPUT policy to be ACCEPT):
Code:
iptables -P INPUT ACCEPT
iptables -I INPUT 1 -i ethZ -s X.X.X.X -d Y.Y.Y.Y -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -i ethZ -s X.X.X.X -d Y.Y.Y.Y -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 4 -j DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -I OUTPUT 1 -o ethZ -s Y.Y.Y.Y -d X.X.X.X -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 2 -o ethZ -s Y.Y.Y.Y -d X.X.X.X -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 3 -j DROP
INPUT tracking of ESTABLISHED and RELATED connections is always generated by API when INPUT policy is set to DROP, but never when INPUT policy is set to ACCEPT. For Scenario B, INPUT rule 4 is supposed to have the same function as policy being set to DROP. Scenario B OUTPUT rule 3 drops all traffic and there is no output to destination F.F.F.F (like in Scenario A). Should INPUT rule 3 be logging any packets in Scenario B?
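The following is an added illustration, not code from the post above: a small first-match model of the Scenario A and Scenario B INPUT chains, walked with constructed packets whose conntrack state is assigned by hand (ethZ, X.X.X.X, Y.Y.Y.Y and F.F.F.F are the placeholders from the post; Z.Z.Z.Z and port 51000 are invented for the example). It shows which packets only INPUT rule 3 can claim: return traffic of outbound flows that OUTPUT rule 4 permits, and RELATED ICMP, neither of which rules 1 and 2 match because of their -s/-p/--dport qualifiers.

```python
# Added example (not from the post): a first-match model of the INPUT chains from
# Scenario A and B above, to see which rule each constructed packet lands on.
from collections import namedtuple

Packet = namedtuple("Packet", "iface src dst proto dport ctstate")  # ctstate as conntrack reports it
# None in a Rule field means that match was omitted (no -m conntrack / -i / -s / -d / -p / --dport).
Rule = namedtuple("Rule", "name ctstates iface src dst proto dport", defaults=(None,) * 6)

def matches(r: Rule, p: Packet) -> bool:
    """True when the packet satisfies every match the rule actually specifies."""
    return ((r.ctstates is None or p.ctstate in r.ctstates)
            and r.iface in (None, p.iface) and r.src in (None, p.src)
            and r.dst in (None, p.dst) and r.proto in (None, p.proto)
            and r.dport in (None, p.dport))

NEW_EST_REL = frozenset({"NEW", "ESTABLISHED", "RELATED"})
# Scenario A INPUT chain in kernel order. Rule 3 names no interface or peer, so it
# takes any flow conntrack already knows about, whichever host the remote end is.
INPUT_A = [
    Rule("INPUT 1", NEW_EST_REL, "ethZ", "X.X.X.X", "Y.Y.Y.Y", "tcp", 22),
    Rule("INPUT 2", NEW_EST_REL, "ethZ", "X.X.X.X", "Y.Y.Y.Y", "tcp", 80),
    Rule("INPUT 3", frozenset({"ESTABLISHED", "RELATED"})),
]
# Scenario B: policy ACCEPT, so the chain ends in an unconditional DROP instead.
INPUT_B = INPUT_A + [Rule("INPUT 4 (DROP)")]

def verdict(p: Packet, chain=INPUT_A, policy: str = "DROP") -> str:
    """Name of the first matching rule, or the chain policy when none matches."""
    for r in chain:
        if matches(r, p):
            return r.name
    return f"policy {policy}"

# Constructed packets. The reply from F.F.F.F is ESTABLISHED only because OUTPUT
# rule 4 of Scenario A let the outbound SYN to F.F.F.F:443 create the conntrack entry.
SAMPLE = {
    "ssh SYN from X":     Packet("ethZ", "X.X.X.X", "Y.Y.Y.Y", "tcp", 22, "NEW"),
    "http data from X":   Packet("ethZ", "X.X.X.X", "Y.Y.Y.Y", "tcp", 80, "ESTABLISHED"),
    "https reply from F": Packet("ethZ", "F.F.F.F", "Y.Y.Y.Y", "tcp", 51000, "ESTABLISHED"),
    "icmp error from X":  Packet("ethZ", "X.X.X.X", "Y.Y.Y.Y", "icmp", None, "RELATED"),
    "ssh SYN from Z":     Packet("ethZ", "Z.Z.Z.Z", "Y.Y.Y.Y", "tcp", 22, "NEW"),
    "stray ACK from X":   Packet("ethZ", "X.X.X.X", "Y.Y.Y.Y", "tcp", 22, "INVALID"),
}

if __name__ == "__main__":
    for label, p in SAMPLE.items():
        print(f"{label:20} A: {verdict(p):12} B: {verdict(p, INPUT_B, 'ACCEPT')}")
```

The model does not simulate conntrack itself: whether a packet is ESTABLISHED depends on an earlier packet of that flow having been accepted, which is exactly why Scenario B, with no outbound connection to F.F.F.F, gives rule 3 far less to count.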
egc DD-WRT Guru
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Fri Aug 05, 2022 12:04 Post subject:
Do not use line numbers; that is highly unreliable.
Usually you have an Established,Related rule as first rule (so that is inserted last) and a DROP rule as last (that is appended), and then you have NEW rules to allow traffic.
See:
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command
Very nice reading: see attachment
But a lot of things boil down to personal preference.