cross-posted to: https://sh.itjust.works/post/14114583
If the rule is about forwarding traffic from the `lan` interface to the `wan` interface, then why is there also a forward rule? How would inputs and outputs make any sense if the rule is talking about forwarding? What does it mean for `wan` to forward to `REJECT`? I interpret that as saying that `wan` doesn't go anywhere, but that wouldn't make sense given that the router can send and receive over the internet.
For example, I would interpret the first rule as follows:

- `lan => wan`: the conditions for which connections from the `lan` interface are forwarded to the `wan` interface.
- `Input: accept`: the `lan` interface accepts all connections originating from the network (I wouldn't understand the point of setting this to be `reject`).
- `Output: accept`: all connections exiting the `wan` interface are accepted (again, I'm not sure what the point of this would be).
- `Forward: accept`: forwarding of packets from `lan` to `wan` is allowed.
- Masquerade: I honestly don't know what the effect of enabling this would be. What would it mean to masquerade the `lan` interface?
I tried finding documentation, and I did come across this, and this, but, from what I could understand, they didn’t really answer any of my questions.
I don't understand this one. Wouldn't this then reject any connection to the router from the internet? Say you have a server behind the router that is port forwarded. If you have `Input: reject` on `wan`, wouldn't this then mean that the router just drops any request to the server, as that would be an input originating on the `wan` interface destined for the router?

This is a great way to explain the masquerade setting! Thanks!
That's how my setup looks. I do have about 7 NAT rules also, and they work fine.
Do you not know the answer to my question, or did you perhaps misunderstand it? You seem to have skipped over the whole comment 😆
In short, no, I don't know how the firewalling works.
So a read of the wiki has what I thought, all as default settings: NAT is applied after the zone rules. So even though the zone will reject INPUT, a NAT rule will allow it.
Does that help?
I don’t think this is correct. NAT doesn’t “allow” connections – It just masquerades the source IP as that of the router. For WAN connections to be accepted, conntrack must see them as related to connections that were initiated by the router, or by a device on the LAN (assuming, of course, that conntrack is enabled, which, in my case, it is).
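An added illustration (not from the thread and not OpenWrt's own code) of the ordering the thread is arguing about: a small Python model of the default `lan`/`wan` zones, one `config redirect` port forward, masquerading and conntrack, with every address and port assumed. It shows why a port forward survives `Input: reject` on `wan`: the DNAT is applied before any zone policy, so the packet is then judged by FORWARD rather than INPUT, and the replies in both directions pass on the conntrack entry; the router's own `output` traffic is not modelled.

```python
from dataclasses import dataclass

# Constructed model of OpenWrt zone semantics (added illustration, not OpenWrt code);
# addresses are assumptions. Ports are tracked for DNAT only, not in conntrack.
ROUTER_WAN_IP, ROUTER_LAN_IP = "203.0.113.5", "192.168.1.1"
ZONES = {  # OpenWrt defaults: lan is open, wan rejects unsolicited traffic and masquerades
    "lan": {"input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT", "masq": False},
    "wan": {"input": "REJECT", "output": "ACCEPT", "forward": "REJECT", "masq": True},
}
FORWARDINGS = {("lan", "wan")}  # "config forwarding": src lan, dest wan
REDIRECTS = {("wan", "tcp", 8080): ("192.168.1.10", 80)}  # "config redirect" (port forward)
conntrack = {}  # (src as seen on the wire, dst, proto) -> original src

@dataclass
class Packet:
    in_zone: str
    src: str
    dst: str
    proto: str
    dport: int

def zone_of(ip):
    return "lan" if ip.startswith("192.168.1.") else "wan"

def handle(pkt):
    """Return (verdict, chain, packet after NAT) for one packet entering the router."""
    # 1. Conntrack runs first: a reply to a flow the router already accepted bypasses
    #    zone policy entirely; this is what lets internet answers reach the LAN
    flow = (pkt.dst, pkt.src, pkt.proto)
    if flow in conntrack:
        pkt.dst = conntrack[flow]  # undo masquerade for LAN-originated flows
        return "ACCEPT", "established", pkt
    # 2. PREROUTING DNAT for new connections: a redirect rewrites the destination
    #    before any zone policy is consulted
    redirected = REDIRECTS.get((pkt.in_zone, pkt.proto, pkt.dport))
    if redirected:
        pkt.dst, pkt.dport = redirected
    # 3. INPUT applies only when the router itself is the destination; a DNATed packet
    #    is now addressed to the LAN server, so it is judged by FORWARD instead
    if pkt.dst in (ROUTER_WAN_IP, ROUTER_LAN_IP):
        return ZONES[pkt.in_zone]["input"], "input", pkt
    out_zone = zone_of(pkt.dst)
    allowed = bool(redirected) or (pkt.in_zone, out_zone) in FORWARDINGS
    verdict = "ACCEPT" if allowed else ZONES[pkt.in_zone]["forward"]
    if verdict == "ACCEPT":
        wire_src = ROUTER_WAN_IP if ZONES[out_zone]["masq"] else pkt.src  # masquerade = SNAT
        conntrack[(wire_src, pkt.dst, pkt.proto)] = pkt.src
        pkt.src = wire_src
    return verdict, "forward", pkt
```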