| 1 |
Ok, I asked a while ago about whitelisting MAC ranges for firewall rules, and just so you know, adding 16 million potential MAC addresses to the firewall... Doesn't work well... No matter how you do it. So I had to write a daemon to monitor which ones were local and add just those. Whatever. |
| 2 |
|
| 3 |
That brings me to the next problem. The routing and NAT work just fine if I'm letting everything through. But if I'm dropping connections that don't come from authorized devices then UDP only works in the outbound direction... TCP is fine. |
| 4 |
|
| 5 |
For reference, the rules consist of: |
| 6 |
|
| 7 |
iptables -t nat -I POSTROUTING -o <OUTSIDE> -j MASQUERADE |
| 8 |
iptables -A FORWARD -i <OUTSIDE> -o <INSIDE> -m state --state RELATED,ESTABLISHED -j ACCEPT |
| 9 |
|
| 10 |
And then the daemon adds a: |
| 11 |
iptables -A FORWARD -i <INSIDE> -o <OUTSIDE> -m mac --mac-source <MAC ADDRESS> -j ACCEPT |
| 12 |
|
| 13 |
for each authorized device. |
| 14 |
|
| 15 |
TCP works perfectly. |
| 16 |
UDP based protocols send out just fine, but any replies get blocked if the FORWARD chain's default policy is DROP. |
| 17 |
|
| 18 |
Now... Everything I'm reading says that it's supposed to be able to associate UDP replies based on port number, which indeed it must be doing in order for them to get translated correctly and directed to the correct device inside the NAT when the default policy is ACCEPT. |
| 19 |
|
| 20 |
So why is that rule to accept related packets not triggering for them? And is there a standard way to do this? Because everything I can dig up on Google is examples just of routing with no NAT involved and nobody reporting this problem anywhere. |
| 21 |
|
| 22 |
I'll keep playing with it, but at this point I'm just throwing random stuff against the wall, so any hints would be appreciated. |
| 23 |
|
| 24 |
LMP |
Archives