Menu
What's new
By:
Filters Better Search

Solved Puzzled by the forward rules

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Zulgrib

Zulgrib

Occasional Visitor
Hello,

I do not understand one of the allow line in the generated forward chain :

Code: 
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             MAC DA:14:70:F1:A6:00
ACCEPT     udp  --  anywhere             base-address.mcast.net/4
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
other2wan  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
SECURITY   all  --  anywhere             anywhere
NSFW       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
OVPN       all  --  anywhere             anywhere             state NEW
DROP       all  --  anywhere             anywhere

To me, it seems like ACCEPT all -- anywhere anywhere at line 7 would annihilate any rules under it, meaning it will never drop invalid states, it packets will never pass by the SECURITY and NSFW chains etc...

Is it intended behavior by Asuswrt-Merlin ? Did I miss something ?
As per Wikipedia :
Each rule in a chain contains the specification of which packets it matches. It may also contain a target (used for extensions) or verdict (one of the built-in decisions). As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or it may not
Click to expand...
By my book, nothing gets past after an "accept all from anywhere to anywhere", making the DROP policy from first line rather useless.
 
You're not seeing the interface names. Use the following command and it will become clear.
Code: 
iptables -L FORWARD -v
 
You must log in or register to reply here.

Similar threads

F
Understanding IPTABLES - asus ROG ax6000
Replies
17
Views
895
ColinTaylor
C
v.y.k
iptables pkts & bytes numbers are too low on Merlin 3004.388
Replies
13
Views
1K
v.y.k
v.y.k
P
Tutorial Subnetting isolation without a VLAN switch
Replies
6
Views
955
Justinh
J
M
AdGuardHome IPTables blocking TLS port 853 from other hosts
Replies
3
Views
843
dave14305
D
N
Skynet SkyNet/Firewall blocking all ping requests, including outbound
Replies
6
Views
945
nearlyheadlessarvie
N

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 622 (members: 30, guests: 592)
Top