On Tue, Jul 12, 2022 at 7:35 AM Laurence Perkins <lperkins@×××××××.net> wrote:

> Ok, I asked a while ago about whitelisting MAC ranges for firewall rules,
> and just so you know, adding 16 million potential MAC addresses to the
> firewall… Doesn’t work well… No matter how you do it. So I had to write
> a daemon to monitor which ones were local and add just those. Whatever.
>
> That brings me to the next problem. The routing and NAT work just fine if
> I’m letting everything through. But if I’m dropping connections that don’t
> come from authorized devices then UDP only works in the outbound
> direction… TCP is fine.
>
> For reference, the rules consist of:
>
> iptables -t nat -I POSTROUTING -o <OUTSIDE> -j MASQUERADE
>
> iptables -A FORWARD -i <OUTSIDE> -o <INSIDE> -m state --state
> RELATED,ESTABLISHED -j ACCEPT
>
> And then the daemon adds a:
>
> iptables -A FORWARD -i <INSIDE> -o <OUTSIDE> -m mac --mac-source <MAC
> ADDRESS> -j ACCEPT
>
> for each authorized device.
>
> TCP works perfectly.
>
> UDP based protocols send out just fine, but any replies get blocked if the
> FORWARD chain’s default policy is DROP.
>
> Now… Everything I’m reading says that it’s supposed to be able to
> associate UDP replies based on port number, which indeed it must be doing
> in order for them to get translated correctly and directed to the correct
> device inside the NAT when the default policy is ACCEPT.
>
> So why is that rule to accept related packets not triggering for them?

I also would have expected the UDP replies to be permitted via --state
RELATED,ESTABLISHED.

Do they at least get into the state table?

grep udp /proc/net/nf_conntrack
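The grep above dumps raw conntrack lines, which are dense to read by eye. Below is an added helper, not code from this thread or from the iptables/netfilter projects, that parses the UDP entries of /proc/net/nf_conntrack (and the older /proc/net/ip_conntrack layout) and reports, for each flow, whether conntrack has ever matched a reply to the entry ([UNREPLIED] absent), whether the entry is [ASSURED], the remaining timeout, and whether the reply tuple carries the MASQUERADE'd outside address rather than the inside host's address. That last column is a heuristic I am assuming (reply destination differs from the original source after SNAT); the sample lines are constructed with documentation address ranges and are not from a real router.

```python
"""Parse UDP entries from /proc/net/nf_conntrack (or the older /proc/net/ip_conntrack)
and report, per flow, whether a reply has ever been matched to the entry and
whether the reply tuple carries the MASQUERADE'd (outside) address.

Added example for the thread above; it is not code from the original message.
Usage on a live router:  grep udp /proc/net/nf_conntrack | python3 udp_conntrack.py
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# One "src=.. dst=.. sport=.. dport=.." tuple; a conntrack line carries two of them:
# the original direction first, then the expected reply direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class UdpFlow:
    orig_src: str
    orig_dst: str
    orig_sport: int
    orig_dport: int
    reply_src: str
    reply_dst: str
    reply_sport: int
    reply_dport: int
    unreplied: bool   # [UNREPLIED]: conntrack has never matched a reply to this entry
    assured: bool     # [ASSURED]: both directions seen; entry survives table pressure
    timeout: int      # seconds left before the entry expires

    @property
    def natted(self) -> bool:
        # Assumed heuristic: after MASQUERADE the reply tuple's destination is the
        # router's outside address/port, not the inside host's; equal means no SNAT.
        return (self.reply_dst, self.reply_dport) != (self.orig_src, self.orig_sport)


def parse_conntrack(text: str) -> List[UdpFlow]:
    """Return the UDP flows found in conntrack proc-file text; other protocols are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if "udp" not in fields:
            continue
        # nf_conntrack: "ipv4 2 udp 17 <timeout> ..."; ip_conntrack: "udp 17 <timeout> ..."
        proto_idx = fields.index("udp")
        timeout = int(fields[proto_idx + 2])
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue  # malformed line; conntrack always prints both directions
        (osrc, odst, osport, odport), (rsrc, rdst, rsport, rdport) = tuples
        flows.append(UdpFlow(osrc, odst, int(osport), int(odport),
                             rsrc, rdst, int(rsport), int(rdport),
                             unreplied="[UNREPLIED]" in fields,
                             assured="[ASSURED]" in fields,
                             timeout=timeout))
    return flows


def report(text: str) -> List[str]:
    """One human-readable line per UDP flow."""
    return [
        f"{f.orig_src}:{f.orig_sport} -> {f.orig_dst}:{f.orig_dport}"
        f"  reply_seen={'no' if f.unreplied else 'yes'}"
        f"  nat={'yes' if f.natted else 'no'}"
        f"  assured={'yes' if f.assured else 'no'}"
        f"  timeout={f.timeout}s"
        for f in parse_conntrack(text)
    ]


# Constructed sample (documentation address ranges, not captured from a real box):
# inside hosts 192.168.1.x behind a router whose outside address is 198.51.100.7.
SAMPLE = """\
ipv4     2 udp      17 28 src=192.168.1.20 dst=203.0.113.53 sport=40001 dport=53 [UNREPLIED] src=203.0.113.53 dst=198.51.100.7 sport=53 dport=40001 mark=0 zone=0 use=2
ipv4     2 udp      17 175 src=192.168.1.21 dst=203.0.113.123 sport=123 dport=123 src=203.0.113.123 dst=198.51.100.7 sport=123 dport=123 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.80 sport=51000 dport=443 src=203.0.113.80 dst=198.51.100.7 sport=443 dport=51000 [ASSURED] mark=0 zone=0 use=2
"""

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(report(data)))
```

An entry that is present but stays [UNREPLIED] with a short timeout (UDP entries start at a 30 s timeout and only move to the longer stream timeout and [ASSURED] once a reply has been matched) tells you conntrack created the entry on the outbound packet; an entry whose reply destination is still the inside host's private address tells you the MASQUERADE rule did not rewrite that flow. Either observation narrows the search before touching the FORWARD rules.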