
Solved Puzzled by the forward rules


Zulgrib

Occasional Visitor
Hello,

I do not understand one of the allow lines in the generated forward chain:

Code:
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             MAC DA:14:70:F1:A6:00
ACCEPT     udp  --  anywhere             base-address.mcast.net/4
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
other2wan  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
SECURITY   all  --  anywhere             anywhere
NSFW       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
OVPN       all  --  anywhere             anywhere             state NEW
DROP       all  --  anywhere             anywhere

To me, it seems like ACCEPT all -- anywhere anywhere at line 7 would annihilate any rules under it, meaning it will never drop invalid states, packets will never pass through the SECURITY and NSFW chains, etc.

Is it intended behavior by Asuswrt-Merlin? Did I miss something?
As per Wikipedia:
Each rule in a chain contains the specification of which packets it matches. It may also contain a target (used for extensions) or verdict (one of the built-in decisions). As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or it may not
By my book, nothing gets past an "accept all from anywhere to anywhere", making the DROP policy from the first line rather useless.
 
You're not seeing the interface names. Use the following command and it will become clear.
Code:
iptables -L FORWARD -v
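The reply above is the whole answer: `iptables -L` without `-v` prints neither the `-i` nor the `-o` match, so a rule such as `-i br0 -o br0 -j ACCEPT` is displayed as `ACCEPT all -- anywhere anywhere` and looks like an unconditional accept. The following is an added example, not code from the thread or from Asuswrt-Merlin: a first-match simulation of the quoted FORWARD chain that evaluates a few constructed packets once with the interface matches in place and once the way the listing reads without them. The interfaces on rules 5 and 9 (br0 as the LAN bridge, eth0 as the WAN, LAN-to-LAN and LAN-to-WAN respectively) are assumptions made for illustration, not values read from the poster's router.

```python
"""Added example, not code from the original thread or from Asuswrt-Merlin:
a first-match simulation of the FORWARD chain quoted above.

`iptables -L` (without -v) hides the -i/-o interface matches, so a rule such
as `-i br0 -o br0 -j ACCEPT` prints as `ACCEPT all -- anywhere anywhere`.
The interface constraints on rules 5 and 9 below are ASSUMPTIONS made for
illustration (br0 = LAN bridge, eth0 = WAN); they are not read from the
poster's router.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str = "tcp"
    dst: str = "192.168.1.10"
    state: str = "NEW"        # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    dnat: bool = False        # ctstate DNAT, i.e. a port-forwarded connection
    src_mac: str = "00:11:22:33:44:55"


@dataclass
class Rule:
    target: str                          # ACCEPT / DROP, or a user-defined chain
    in_if: Optional[str] = None          # -i, hidden by `iptables -L` without -v
    out_if: Optional[str] = None         # -o, likewise hidden
    proto: Optional[str] = None
    multicast_dst: bool = False          # -d 224.0.0.0/4 (base-address.mcast.net/4)
    states: Optional[frozenset] = None   # -m state --state ...
    dnat: Optional[bool] = None          # -m conntrack --ctstate DNAT
    src_mac: Optional[str] = None        # -m mac --mac-source

    def matches(self, p: Packet, ignore_interfaces: bool = False) -> bool:
        if not ignore_interfaces:
            if self.in_if and p.in_if != self.in_if:
                return False
            if self.out_if and p.out_if != self.out_if:
                return False
        if self.proto and p.proto != self.proto:
            return False
        if self.multicast_dst and not ipaddress.ip_address(p.dst).is_multicast:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.dnat is not None and p.dnat != self.dnat:
            return False
        if self.src_mac and p.src_mac.upper() != self.src_mac.upper():
            return False
        return True


def traverse(chain, p, policy="DROP", ignore_interfaces=False):
    """First match wins: return (verdict, 1-based rule number) or (policy, None)."""
    for n, rule in enumerate(chain, start=1):
        if rule.matches(p, ignore_interfaces) and rule.target in TERMINAL:
            return rule.target, n
        # User-defined chains (other2wan, SECURITY, NSFW, OVPN) are modelled as
        # empty: they match nothing and return to FORWARD, so traversal continues.
    return policy, None


# The twelve rules of the quoted FORWARD chain, in order. Rules 5 and 9 carry
# the assumed interface matches that `iptables -L` does not display.
FORWARD = [
    Rule("DROP", src_mac="DA:14:70:F1:A6:00"),                     # 1
    Rule("ACCEPT", proto="udp", multicast_dst=True),                 # 2
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),    # 3
    Rule("other2wan"),                                               # 4
    Rule("ACCEPT", in_if="br0", out_if="br0"),   # 5: assumed LAN -> LAN
    Rule("DROP", states=frozenset({"INVALID"})),                     # 6
    Rule("SECURITY"),                                                # 7
    Rule("NSFW"),                                                    # 8
    Rule("ACCEPT", in_if="br0", out_if="eth0"),  # 9: assumed LAN -> WAN
    Rule("ACCEPT", dnat=True),                                       # 10
    Rule("OVPN", states=frozenset({"NEW"})),                         # 11
    Rule("DROP"),                                                    # 12
]


def demo():
    """Evaluate constructed packets with, and once without, interface matching."""
    lan_to_wan = Packet(in_if="br0", out_if="eth0", dst="93.184.216.34")
    wan_invalid = Packet(in_if="eth0", out_if="br0", state="INVALID")
    wan_unsolicited = Packet(in_if="eth0", out_if="br0")
    wan_portforward = Packet(in_if="eth0", out_if="br0", dnat=True)
    return {
        "lan_to_wan": traverse(FORWARD, lan_to_wan),
        "wan_invalid": traverse(FORWARD, wan_invalid),
        "wan_unsolicited": traverse(FORWARD, wan_unsolicited),
        "wan_portforward": traverse(FORWARD, wan_portforward),
        # How the chain reads in the -v-less listing: rule 5 with no -i/-o.
        "wan_invalid_as_read": traverse(FORWARD, wan_invalid, ignore_interfaces=True),
    }


if __name__ == "__main__":
    for name, (verdict, n) in demo().items():
        print(f"{name:22s} -> {verdict} (rule {n if n else 'policy'})")
```

With the interface matches in place, an INVALID packet from the WAN falls through rule 5 and is dropped by rule 6, an unsolicited WAN connection reaches the final DROP, and only LAN-originated or DNAT'ed traffic is accepted; read without them, rule 5 accepts everything, which is exactly what the question describes. On the router itself, `iptables -L FORWARD -v` (or `iptables -S FORWARD`, which prints the rules in command form) shows which of these constraints each rule really carries.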
 
