How does /etc/config/firewall correspond to the tables and chains of iptables rules?

Adding the following rule to /etc/config/firewall generates the correct rules I want in the zone_wan_input chain of the Filter table.

config rule
	option target 'ACCEPT'
	option src 'wan'
	option family 'ipv6'
	option proto 'all'
	option extra '-m conntrack --ctstate DNAT'
	option name 'Allow-DNAT-Input'

But when you add

	option dest '*'

such a parameter generates incorrect rules in the zone_wan_forward chain of the Filter table.

So how do the rules defined in /etc/config/firewall correspond to the tables and chains of iptables?

Yes, adding or deleting src and dest changes the chain.

In fw3, the src and dest are tied to the target:

  • If src and dest are given, the rule matches forwarded traffic
  • If only src is given, the rule matches incoming traffic
  • If only dest is given, the rule matches outgoing traffic
  • If neither src nor dest is given, the rule defaults to an outgoing traffic rule
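To make the src/dest-to-chain mapping from the answer above concrete, here is an added example (my code, not the answerer's or fw3's) that parses the 'config rule' stanza from the question and predicts the filter chain it lands in, once without and once with `option dest '*'`. The chain names for the dest-only and no-src-no-dest cases (`zone_<dest>_output` and `output`) are my assumption about fw3's behaviour; the thread itself only shows the wan input and forward cases.

```python
import re
from typing import Dict

# Constructed copy of the stanza from the question; RULE_FORWARD adds dest '*'.
RULE_INPUT = """
config rule
\toption target 'ACCEPT'
\toption src 'wan'
\toption family 'ipv6'
\toption proto 'all'
\toption extra '-m conntrack --ctstate DNAT'
\toption name 'Allow-DNAT-Input'
"""
RULE_FORWARD = RULE_INPUT + "\toption dest '*'\n"

OPTION_RE = re.compile(r"^\s*option\s+(\w+)\s+'([^']*)'\s*$")


def parse_rule(stanza: str) -> Dict[str, str]:
    """Collect the option key/value pairs of one 'config rule' section."""
    opts: Dict[str, str] = {}
    for line in stanza.splitlines():
        m = OPTION_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def filter_chain(opts: Dict[str, str]) -> str:
    """Chain selection as described in the answer: src+dest -> forward,
    src only -> input, dest only -> output of the dest zone, neither -> output.
    A value of '*' counts as 'set' (any zone) but names no zone of its own."""
    src, dest = opts.get("src"), opts.get("dest")
    if src and src != "*":
        return f"zone_{src}_forward" if dest else f"zone_{src}_input"
    if dest and dest != "*":
        return f"zone_{dest}_output"  # assumed fw3 naming, see lead-in
    return "output"                   # assumed fw3 naming, see lead-in


def iptables_spec(opts: Dict[str, str]) -> str:
    """Render the rule as an 'iptables -A' argument string for inspection."""
    parts = ["-A", filter_chain(opts)]
    if opts.get("proto") and opts["proto"] != "all":  # 'all' needs no -p
        parts += ["-p", opts["proto"]]
    if opts.get("extra"):
        parts.append(opts["extra"])   # passed through verbatim, like fw3's extra
    parts += ["-j", opts.get("target", "ACCEPT")]
    return " ".join(parts)
```

Running `iptables_spec(parse_rule(RULE_INPUT))` gives a rule in zone_wan_input, and the same stanza with `dest '*'` moves it to zone_wan_forward, which is exactly the shift the question observed.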

This definition still does not feel very flexible or perfect.
