#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -A FORWARD -m state NEW --state ESTABLISHED,RELATED -j ACCEPT
Issue 1) #iptables -t mangle -A PREROUTING $match1 -j CONNMARK <mark1>
#iptables -t mangle -A PREROUTING -m connmark --mark $mark1 -j CONNMARK $mark2
#iptables -t filter -A FORWARD/INPUT -m connmark --mark $mark2 -j ACCEPT
{ Here the filter rule still blocks packets matching $match1, as if "-m connmark --mark $mark1" never matches. }
Q: Where am I going wrong?

Issue 2) #ipset create SET1 hash:ip
#iptables -t filter -A FORWARD -m state --state NEW -m set --match-set SET1 src -j CONNMARK $mark3
#iptables -t filter -A FORWARD -m connmark --mark $mark3 -j ACCEPT

#ipset add SET1
#ipset add SET1
{ here traffic initiated by the members of SET1 is passed }
#ipset delete SET1
{ this blocks NEW connections from the deleted entry }

Q: How can the pending ESTABLISHED+RELATED traffic from the deleted entry be blocked as well, without raw-level (beyond ipset) iptables commands?

