iptables question

Discussion in 'Tomato Firmware' started by monoton, Jul 9, 2018.

  1. monoton

    monoton Serious Server Member

    iptables -I FORWARD -p tcp -i br2 -d 192.168.1.6 -j ACCEPT
    will allow everyone on br2 access to 192.168.1.6, but will this also allow 192.168.1.6 access to everyone on br2?
     
  2. Sean B.

    Sean B. LI Guru Member

    This is, of course, assuming 192.168.1.6 is on a different subnet/VLAN than what the br2 bridge is a part of (likely is, but if I didn't point it out it would end up biting me).

    No, it would not. The only thing that rule does is allow tcp traffic that comes in on the br2 interface and is destined for the IP 192.168.1.6 to be forwarded. However, there is a preexisting rule that allows traffic to be forwarded for related and established connections, and that rule would then allow traffic from 192.168.1.6 back to a client on br2 if that client started the connection. Other existing rules may also be applicable. Also, keep in mind rules are enforced in descending order, i.e. if that rule gets placed below others that would also match the traffic, they can prevent the new rule from ever working, such as:

    Code:
    -A FORWARD -i br0 -o br2 -j DROP
    -A FORWARD -i br2 -o br0 -j DROP
    -A FORWARD -p tcp -i br2 -d 192.168.1.6 -j ACCEPT
    
    If 192.168.1.6 is a client on the br0 interface, traffic from br2 clients will still fail.
     
    Last edited: Jul 9, 2018
    monoton likes this.
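The two points in the answer above (return traffic is accepted by the RELATED,ESTABLISHED rule only when a br2 client opened the connection, and a DROP rule placed above the new ACCEPT shadows it) can be checked with a small first-match model of the FORWARD chain. This is an added example, not code from the thread or from Tomato; it models only ESTABLISHED (not RELATED), and the br2 client addresses 192.168.2.50 and 192.168.2.51 are assumed.

```python
# Toy first-match evaluator for a netfilter FORWARD chain (constructed model,
# not iptables itself): rules are checked top to bottom, the first full match
# decides, and an accepted flow is remembered so its later packets count as
# ESTABLISHED, roughly as conntrack does for -m state --state ESTABLISHED.

POLICY = "DROP"  # Tomato's FORWARD chain policy

def rule(target, **match):
    """A verdict plus match criteria; criteria not given match anything."""
    return (target, match)

def evaluate(chain, pkt):
    for target, match in chain:
        if all(pkt.get(k) == v for k, v in match.items()):
            return target
    return POLICY

def run(chain, packets):
    """Evaluate packets in order, remembering accepted flows like conntrack."""
    conntrack = set()
    verdicts = []
    for pkt in packets:
        flow = (pkt["src"], pkt["dst"], pkt["proto"])
        reverse = (pkt["dst"], pkt["src"], pkt["proto"])
        state = "ESTABLISHED" if flow in conntrack or reverse in conntrack else "NEW"
        verdict = evaluate(chain, {**pkt, "state": state})
        if verdict == "ACCEPT":
            conntrack.add(flow)
        verdicts.append(verdict)
    return tuple(verdicts)

# The rules from the thread, expressed as match criteria.
est      = rule("ACCEPT", state="ESTABLISHED")
drop_0_2 = rule("DROP", in_if="br0", out_if="br2")
drop_2_0 = rule("DROP", in_if="br2", out_if="br0")
allow    = rule("ACCEPT", proto="tcp", in_if="br2", dst="192.168.1.6")

# Constructed traffic: a br2 client (192.168.2.50, assumed) opens a TCP
# connection to 192.168.1.6 on br0, the reply comes back, then 192.168.1.6
# tries to open a fresh connection to another br2 client (192.168.2.51).
TRAFFIC = [
    dict(proto="tcp", in_if="br2", out_if="br0", src="192.168.2.50", dst="192.168.1.6"),
    dict(proto="tcp", in_if="br0", out_if="br2", src="192.168.1.6", dst="192.168.2.50"),
    dict(proto="tcp", in_if="br0", out_if="br2", src="192.168.1.6", dst="192.168.2.51"),
]

GOOD = [est, allow, drop_2_0, drop_0_2]  # inserted above the DROPs (-I): ACCEPT, ACCEPT, DROP
BAD  = [est, drop_2_0, drop_0_2, allow]  # appended below them (-A): DROP, DROP, DROP
```

With the rule above the inter-bridge DROPs the client's connection and its reply pass while a connection started by 192.168.1.6 is still dropped; with the rule below them the first packet is dropped, so no established flow ever exists and the reply is dropped too.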
  3. monoton

    monoton Serious Server Member

    Thank you, that clears things up.
     