cross-posted to: https://sh.itjust.works/post/14114583
If the rule is about forwarding traffic from the lan interface to the wan interface, then why is there also a forward rule? How would inputs, and outputs make any sense if the rule is talking about forwarding? What does it mean for wan to forward to REJECT? I interperet that as saying that wan doesn’t go anywhere, but that wouldn’t make sense given that the router can send, and receive over the internet.
For example I would interperet the first rule as follows:
lan => wan: the conditions for which connections from thelaninterface are forwarded to to thewaninterface.Input: accept: thelaninterface accepts all connections originating from the network (I wouldn’t understand the point of setting this to bereject).Output: accept: all connections exiting thewaninterface are accepted (again, I’m not sure what the point of this would be).Forward: accept: forwarding of packets fromlantowanis allowed.- Masquerade: I honestly don’t know what the effect of enabling this would be. What would it mean to masquerade the
laninterface?
I tried finding documentation, and I did come across this, and this, but, from what I could understand, they didn’t really answer any of my questions.
have clicked the add button at the bottom of the zones, found the below. A look at the current zones show that LAN -> WAN is how you get out and WAN -> REJECT is the WAN -> LAN side.
So what your doing is allow all traffic in, out and forwarded of LAN
But reject any in and forward from WAN to LAN, as the traffic leaves the WAN interface masquerade it as the WAN IP
This section defines common properties of “this new zone”. The input and output options set the default policies for traffic entering and leaving this zone while the forward option describes the policy for forwarded traffic between different networks within the zone. Covered networks specifies which available networks are members of this zone.
The options below control the forwarding policies between this zone (this new zone) and other zones. Destination zones cover forwarded traffic originating from this new zone. Source zones match forwarded traffic from other zones targeted at this new zone. The forwarding rule is unidirectional, e.g. a forward from lan to wan does not imply a permission to forward from wan to lan as well.
But reject any in […] from WAN
I don’t understand this one. Wouldn’t this then reject any connection to the router from the internet? Say you have a server behind the router that is port forwarded. If you have
Input: rejectonwan, wouldn’t this then mean that the router just drops any request to the server as that would be an input originating on thewaninterface destined for the router?as the traffic leaves the WAN interface masquerade it as the WAN IP
This is a great way to explain the masquerade setting! Thanks!
Thats how my setup looks, I do have about 7 NAT rules also and they work fine
Do you not know the answer to my question, or did you perhaps misunderstand it? You seem to have skipped over the whole comment 😆
in short, no I dont know how the firewalling works.
So a read of the wiki has what I thought
- INPUT is into the router
- OUTPUT is from the router
- FORWARD is across the router
all as default settings, NAT is applied after the zone rules. So even though the zone will reject INPUT, a NAT rule will allow it.
Does that help?
So even though the zone will reject INPUT, a NAT rule will allow it.
I don’t think this is correct. NAT doesn’t “allow” connections – It just masquerades the source IP as that of the router. For WAN connections to be accepted, conntrack must see them as related to connections that were initiated by the router, or by a device on the LAN (assuming, of course, that conntrack is enabled, which, in my case, it is).
