IPTables - connection tracking not working

Hi guys,

I am trying to create a rule that allows established or related connections to be forwarded but new ones should be blocked. Here is my simple rule set, but it does not work. I cannot establish ssh connection from lan to internal (also other communication like http is blocked). Without these rules it works:

config rule
    option target 'ACCEPT'                                                                                                  
    option extra '-m conntrack --ctstate ESTABLISHED,RELATED'
    option src 'internal'                                                                                                   
    option dest 'lan'                                                                                                       
    option name 'internal_established'
    option proto 'tcpudp'                                                                                                                                                                                                                   

config rule                                                                                                                     
    option src 'internal'                                                                                                   
    option target 'REJECT'                                                                                                  
    option dest 'lan'                                                                                                       
    option proto 'tcpudp'

From my point of view these 2 rules should allow established or related connections from internal to lan but should block any new connection. Unfortunately after activating this rule it works only partially. ssh from lan to internal gives:

ssh_exchange_identification: Connection closed by remote host

Communication from lan to internal and vize versa is allowed.

What am I doing wrong?



Let's really think about this, step-by step:

  • You have a wokring config
  • You add a rule to block new connections, only allowing established and related
  • By your own admission, you then try to establish a NEW connection
  • You're now wondering why it stopped working



Simple, this is because you admittedly added a REJECT rule for the traffic.

No kidding?

My advise would be to remove those added rules, especially if you don't have a full understanding of the established,related firewall rule.

If you must block forwarding between the zone, just::

  • make the REJECT tule
  • then make a rule to allow traffic to SSH (22/tcp) from LAN
  • Done!

In addition, the first rule is redundant, see:

iptables-save -t filter
1 Like


then I really misunderstood the concept of "established/related". My assumption was that if traffic from lan to internal is allowed, the answer from internal is already classified as related, as there was a request from lan. My plan was to allow traffic from internal to lan only if lan has requested it. New connections from internal to lan should be blocked.

I am using similar rules in other places with iptables (but here with -state instead of -conntrack) and there it works that way (or at least in a similar way).

The reason I was trying with conntrack was simply because there are also other request types (like http) send to internal and of course I need the answer to find its way back to lan. On the other hand I do not want that internal can establish new http connections to lan. Is there any way I can achieve that?



Ummm yes...Also add a rule for 80/tcp.

Your assumption is correct; but you added a REJECT rule for that traffic in the process...likely while a connection existed.


  • No new packets can initiate
  • And hence no established traffic
  • And hence no allowed related replies

You dont need to add rules, as you noted it was working before. The existing established,related rules are OK. Why do you feel that you need to add others?

If you ACCEPT LAN to Internal and REJECT Internal to LAN, you should be good - that's all you need. With those zone rules traffic can only initiate from LAN.

I tried that and blocked traffic from intern to lan but kept lan to internal as allowed. With this setting I am not able to contact the machine in internal at all. I have the impression that somehow the conntrack rules are not working at all on my installation. I was aware that there are already rules that cover established,related connections but as they were not working for me I simply tried to add some. I have build openwrt from source, is it possible that I missed some kernel modules to support connection tracking?


Yes, that is possible!

config forwarding
	option dest 'internal'
	option src 'lan'

With this config, I can reach any servers in internal from LAN; but hosts in internal cannot initiate connections to LAN. If you have this config in /etc/config/firewall - your firewall should be working as you desire. It would be all that's needed in OpenWrt.

1 Like

Ok, with the block you posted communication fails, so I guess I am missing some kernel modules. Will dig into it deeper, thanks!



finally it is working. Issue was that I had a gateway mismatch in my DHCP configuration and openwrt was not the gateway for one of the subnets. That is why connection tracking was not working properly. After adjusting DHCP settings the "deny" rule from internal to lan for new connections is working and already established connections are also accepted.

Sorry for bugging you with that problem!


1 Like