LuCI's GUI is the option to enable/disable the "NAT leakage Prevention" ?
- You may ask - What is a "NAT Leakage Prevention" ?
- It is a rule in the OUTPUT chain of the filter table that drops packets which are incapable of initiating a new connection OR which are not a part of an existing connection (in
Specifically, it is a rule added by LuCI in the user-defined chain zone_wan_dest_ACCEPT, which is a descendant of the OUTPUT chain in the filter table. Its definition is listed below:
iptables -t filter -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
The following command lets you see this rule on your system:
iptables -t filter -L zone_wan_dest_ACCEPT --line-numbers -v
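
As an added example (not part of the original text and not OpenWrt's own code), the function below reads a chain dump in `iptables -S` format and reports whether the INVALID-state DROP rule exists for an interface and sits ahead of any unconditional ACCEPT, since iptables evaluates rules in order. The function name, the status strings and the sample dumps are constructed for illustration.

```sh
#!/bin/sh
# check_nat_leak_rule CHAIN IFACE  (hypothetical helper, reads `iptables -S` text on stdin)
# Prints OK/MISSING/SHADOWED; returns 0 only when the drop rule is effective.
check_nat_leak_rule() {
    awk -v chain="$1" -v ifc="$2" '
        # Only "-A <chain> ..." lines are rules of the chain under audit.
        $1 == "-A" && $2 == chain {
            n++
            out = ""; state = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-o")        out = $(i + 1)
                if ($i == "--ctstate") state = $(i + 1)
                if ($i == "-j")        target = $(i + 1)
            }
            # A rule without -o applies to every interface; skip other interfaces.
            if (out != "" && out != ifc) next
            if (target == "DROP" && state ~ /(^|,)INVALID(,|$)/ && !drop) drop = n
            # Simplification: only an ACCEPT with no ctstate match counts as shadowing.
            if (target == "ACCEPT" && state == "" && !accept) accept = n
        }
        END {
            if (!drop)                   { print "MISSING"; exit 1 }
            if (accept && accept < drop) { print "SHADOWED"; exit 2 }
            print "OK rule " drop; exit 0
        }'
}

# Constructed sample dumps (not captured from a real router).
sample_ok() { cat <<'EOF'
-N zone_wan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
EOF
}
sample_missing() { cat <<'EOF'
-N zone_wan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
EOF
}
sample_shadowed() { cat <<'EOF'
-N zone_wan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -j DROP
EOF
}

# Live use on a router:
#   iptables -S zone_wan_dest_ACCEPT | check_nat_leak_rule zone_wan_dest_ACCEPT eth0.2
sample_ok | check_nat_leak_rule zone_wan_dest_ACCEPT eth0.2
```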