#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -A FORWARD -m state NEW --state ESTABLISHED,RELATED -j ACCEPT
Issue 1) #iptables -t mangle -A PREROUTING $match1 -j CONNMARK
#iptables -t mangle -A PREROUTING -m connmark --mark $mark1 -j CONNMARK $mark2
#iptables -t filter -A FORWARD/INPUT -m connmark --mark $mark2 -j ACCEPT
{ Here we have that the filter rule still blocks packets matching $match1, as if "-m connmark --mark $mark1" never triggers. }
Q: Where am I wrong?
Issue 2) #ipset create SET1 hash:ip
#iptables -t filter -A FORWARD -m state --state NEW -m set --match-set SET1 src -j CONNMARK $mark3
#iptables -t filter -A FORWARD -m connmark --mark $mark3 -j ACCEPT
#ipset add SET1 1.2.3.4
#ipset add SET1 1.2.3.2
{ Here we have that traffic initiated by SET1.* is passed. }
#ipset delete SET1 1.2.3.4
{ This blocks NEW connections from 1.2.3.4. }
Q: How can the pending ESTABLISHED+RELATED traffic from 1.2.3.4 be blocked as well, without raw-level (beyond ipset) iptables commands?