Hello,
I am a big fan of the firewall package as it makes my life simple. However, I would like to alter some of the built-in rules, namely:
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
I would like it to turn into:
-A FORWARD -m conntrack --ctstate ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
In short I want to block the packets netfilter considers to be "related" to existing connections.
I am aware of what this does exactly and of possible problems I can run into because of it and it still is important for me to do it.
I couldn't find the default rules in any config files; I eventually managed to find them hardcoded in the defaults.c file in the firewall package source code. I would rather not compile my own version if possible, so what are my options? It is important to me that packets deemed to be "related" are not let through, no matter how small the time window would be.
So far I tried putting those two rules in my /etc/firewall.user:
iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
This however does NOT work on boot for some reason. If I execute /etc/firewall.user or /etc/init.d/firewall restart manually it works, but only until reboot. I put this in firewall.user for debugging purposes:
iptables -S > /tmp/iptables_check
iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
and I can confirm that the rule is present during the execution of firewall.user:
root@OpenWRT:~# grep RELATED,ESTABLISHED /tmp/iptables_check | grep FORWARD
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
How can I fix my firewall.user so the rule does get deleted or what else can I do so the RELATED packets get dropped? Should I just compile my own version?
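An added example, not from the post or from the fw3 project: a firewall.user that makes the deletion idempotent and verifiable after a reboot. It assumes fw3's default FORWARD layout (its conntrack accept rule first, then the zone jumps, then a final reject rule), which is why the replacement is inserted at position 1 with -I instead of appended with -A; the logging and the forward_state helper are mine, so the chain state at run time can be read back with logread.

```shell
#!/bin/sh
# Added example, not from the original post: an idempotent /etc/firewall.user
# that removes fw3's RELATED,ESTABLISHED accept rule from FORWARD, installs an
# ESTABLISHED-only rule in its place and logs what it found.

# Match arguments exactly as `iptables -S FORWARD` prints them. The variables
# are expanded unquoted below on purpose, so each word becomes one argument.
OLD_MATCH='-m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment !fw3 -j ACCEPT'
NEW_MATCH='-m conntrack --ctstate ESTABLISHED -m comment --comment !fw3 -j ACCEPT'

# Log to syslog (readable with `logread`), falling back to stderr.
log() { logger -t firewall.user "$*" 2>/dev/null || echo "firewall.user: $*" >&2; }

# Delete every copy of the old rule (a reload can leave more than one) and
# echo how many were removed.
drop_related_accept() {
    n=0
    while iptables -C FORWARD $OLD_MATCH 2>/dev/null; do
        iptables -D FORWARD $OLD_MATCH || break
        n=$((n + 1))
    done
    echo "$n"
}

# Insert the replacement at position 1, where fw3 keeps its own conntrack rule.
# Appending with -A would place it behind the chain's final reject rule, where
# it is never reached. Skips the insert if the rule is already present.
ensure_established_only() {
    iptables -C FORWARD $NEW_MATCH 2>/dev/null && return 0
    iptables -I FORWARD 1 $NEW_MATCH
}

# Summarise the chain state as one word, for the log and for checking.
forward_state() {
    if iptables -C FORWARD $OLD_MATCH 2>/dev/null; then
        echo "related-still-accepted"
    elif iptables -C FORWARD $NEW_MATCH 2>/dev/null; then
        echo "established-only"
    else
        echo "no-conntrack-rule"
    fi
}

main() {
    removed=$(drop_related_accept)
    ensure_established_only
    log "removed $removed RELATED,ESTABLISHED rule(s); FORWARD is now: $(forward_state)"
}

# Run only when installed under its expected name, so the file can also be sourced.
case "$0" in */firewall.user|firewall.user) main ;; esac
```

If the rule set is rebuilt later in the boot sequence by a firewall reload, whether firewall.user runs again at that point depends on the include section in /etc/config/firewall (I assume fw3's `option reload '1'` on the include controls this; this is an assumption about fw3, not something the post establishes).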