iptables question

Discussion in 'Tomato Firmware' started by monoton, Jul 9, 2018.

  1. monoton

    monoton Serious Server Member

    iptables -I FORWARD -p tcp -i br2 -d -j ACCEPT
    will allow everyone on br2 access to, but will this also allow access to everyone on br2?
  2. Sean B.

    Sean B. LI Guru Member

    This is, of course, assuming is on a different subnet/VLAN than what the br2 bridge is a part of ( likely is, but if I didn't point it out it would end up biting me ).

    No, it would not. The only thing that rule does is allow tcp traffic that comes in on the br2 interface and is destined for the IP to be forwarded. However, there is a preexisting rule that allows traffic to be forwarded for related and established connections, and that rule would then allow traffic from back to a client on br2 if that client started the connection. Other existing rules may also be applicable. Also, keep in mind rules are enforced in descending order, i.e., if that rule gets placed below others that would also match the traffic, they can prevent the new rule from ever working, such as:

    -A FORWARD -i br0 -o br2 -j DROP
    -A FORWARD -i br2 -o br0 -j DROP
    -A FORWARD -p tcp -i br2 -d -j ACCEPT
    If is a client on the br0 interface, traffic from br2 clients will still fail.
    Last edited: Jul 9, 2018
    monoton likes this.
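    As an added illustration of the two points in the reply above (rule order is first-match, and reply traffic rides on the preexisting RELATED,ESTABLISHED rule), here is a small Python model of a FORWARD chain. It is not from the thread or from Tomato; it assumes a host at 192.0.2.10 on br0, a client at 10.0.2.50 on br2, a DROP policy, and a conntrack ACCEPT at the top of the chain, since the thread elides the real address and the full rule set.

```python
"""Added example (not from the forum thread): first-match model of a FORWARD
chain, showing why `-A` vs `-I` placement of the ACCEPT rule matters and why
replies from the host depend on the preexisting RELATED,ESTABLISHED rule.

Assumed, because the thread elides them: host 192.0.2.10 on br0, client
10.0.2.50 on br2 (placeholder addresses), FORWARD policy DROP, conntrack
ACCEPT as rule 1 of the base chain.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    in_if: str    # ingress bridge (-i), e.g. "br2"
    out_if: str   # egress bridge after routing (-o), e.g. "br0"
    src: str
    dst: str
    state: str    # conntrack state: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    target: str                         # "ACCEPT" or "DROP"
    proto: Optional[str] = None         # -p
    in_if: Optional[str] = None         # -i
    out_if: Optional[str] = None        # -o
    dst: Optional[str] = None           # -d
    states: Optional[frozenset] = None  # -m state --state ...

    def matches(self, p: Packet) -> bool:
        """Every specified match must hold; unspecified matches are wildcards."""
        return ((self.proto is None or self.proto == p.proto)
                and (self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if)
                and (self.dst is None or self.dst == p.dst)
                and (self.states is None or p.state in self.states))


class Chain:
    """First-match semantics: the first matching rule decides, else the policy."""

    def __init__(self, policy: str = "DROP") -> None:
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:             # like `iptables -A FORWARD`
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:  # like `iptables -I FORWARD [n]`
        self.rules.insert(rulenum - 1, rule)

    def verdict(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Return (target, 1-based rule number) or (policy, None)."""
        for num, rule in enumerate(self.rules, start=1):
            if rule.matches(p):
                return rule.target, num
        return self.policy, None


HOST = "192.0.2.10"   # assumed: the host the thread's `-d` address refers to
CLIENT = "10.0.2.50"  # assumed: a client on br2
ACCESS_RULE = Rule("ACCEPT", proto="tcp", in_if="br2", dst=HOST)  # the rule from post 1


def base_chain() -> Chain:
    """Simplified preexisting chain: conntrack ACCEPT, then the two DROPs quoted above."""
    c = Chain(policy="DROP")
    c.append(Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))
    c.append(Rule("DROP", in_if="br0", out_if="br2"))
    c.append(Rule("DROP", in_if="br2", out_if="br0"))
    return c


# Constructed traffic: each leg of the conversation as the FORWARD chain sees it.
SCENARIOS: Dict[str, Packet] = {
    "client_opens_tcp_to_host": Packet("tcp", "br2", "br0", CLIENT, HOST, "NEW"),
    "host_replies_to_client":   Packet("tcp", "br0", "br2", HOST, CLIENT, "ESTABLISHED"),
    "host_opens_tcp_to_client": Packet("tcp", "br0", "br2", HOST, CLIENT, "NEW"),
    "client_opens_udp_to_host": Packet("udp", "br2", "br0", CLIENT, HOST, "NEW"),
}


def evaluate(chain: Chain) -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: chain.verdict(pkt) for name, pkt in SCENARIOS.items()}


def with_append() -> Dict[str, Tuple[str, Optional[int]]]:
    """`-A`: the ACCEPT lands below the DROPs and never fires for new client traffic."""
    c = base_chain()
    c.append(ACCESS_RULE)
    return evaluate(c)


def with_insert() -> Dict[str, Tuple[str, Optional[int]]]:
    """`-I`: the ACCEPT becomes rule 1, as in post 1, so client-initiated TCP passes."""
    c = base_chain()
    c.insert(ACCESS_RULE)
    return evaluate(c)


if __name__ == "__main__":
    for label, result in (("-A (appended)", with_append()), ("-I (inserted)", with_insert())):
        print(label)
        for name, (target, num) in result.items():
            print(f"  {name:26s} -> {target} (rule {num})")
```

    Running it shows the appended rule never matching (the br2-to-br0 DROP wins first), the inserted rule accepting the client's TCP connection, the host's replies passing only through the ESTABLISHED rule, and any host-initiated or UDP traffic still dropped. On the router itself the equivalent check is `iptables -L FORWARD -n --line-numbers`, which shows where the new rule actually landed relative to the DROPs.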
  3. monoton

    monoton Serious Server Member

    Thank you, that clears things up.