The drop invalid rule should only apply to outgoing traffic imho, otherwise a lot of legitimate inbound traffic is dropped.
Can you try this rule instead and see if you still reproduce the leak?
iptables -t nat -A zone_wan_postrouting -m conntrack --ctstate INVALID -j DROP
Correction: iptables -t filter -A zone_wan_dest_ACCEPT -m conntrack --ctstate INVALID -j DROP
I checked that the rule was added, yes. But, you wrote -A zone_wan_dest_ACCEPT. Shouldn't that be -I instead of -A to inject before the default ACCEPT?
With -I and after a quick test iptables -nvL zone_wan_dest_ACCEPT shows
Chain zone_wan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
42 1680 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
783 50041 ACCEPT all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Perfect. I'll see if we can add this to the firewall program then. The idea is to emit this rule only for zones with masquerading enabled to avoid affecting unrelated/unmasked traffic.
you can put it in rc.local (should be persistent) or in '/etc/hotplug.d/iface/' ...
it's not quite bcp38 in that it doesn't care about src addresses, but i makes sure that
traffic destined to unused private nets/bogos does not get to your upstream default router.
Perfect. I'll see if we can add this to the firewall program then. The idea is to emit this rule only for zones with masquerading enabled to avoid affecting unrelated/unmasked traffic.
jow, does it mean you will update one of these packages:
"firewall", current version "2017-01-13-37cb4cb4-1"
"luci-app-firewall", current version "git-17.051.53299-a100738-1"
..with this rule: iptables -t filter -I zone_wan_dest_ACCEPT -m conntrack --ctstate INVALID -j DROP
And what do you expect the timeframe to be?
When can one expect the firmware package to be updated too?
Sorry for the novice question