#17690: Iptables conntrack bug -- no match for --ctstate RELATED,ESTABLISHED rule
--------------------------+-----------------------------------
Reporter: morfik | Owner: developers
Type: defect | Status: closed
Priority: high | Milestone:
Component: base system | Version: Barrier Breaker 14.07
Resolution: not_a_bug | Keywords: iptables, conntrack
--------------------------+-----------------------------------
Comment (by anonymous):
When is it needed? What are examples for where it should be set to 0? I am
using OpenVPN for example on my router, which worked great until now, but
I always wasn't sure if my firewall rules were perfectly correct; for
example, this line always bugged me:
{{{
iptables -A forwarding_rule -i br-lan -o tun+ -j ACCEPT
}}}
Doesn't it mean anything from the tun devices is allowed in to my network,
and the VPN hoster theoretically can hack inside my router if he wanted
to? I've tried something like this for example:
{{{
iptables -A FORWARD -i br-lan -o tun+ -m state --state RELATED,ESTABLISHED \
    -j ACCEPT
}}}
That way, in my logic, only connections my network had already initiated
were allowed, but it never worked. Is this where I have to set it to 0?
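Added example, not code from the ticket or from OpenWrt: a POSIX sh script that emits a stateful FORWARD policy for the interfaces named in the comment above (br-lan, tun+) and includes a small first-match rule walker so the effect of each rule direction can be checked without root. iptables reads -i as the interface a packet arrived on and -o as the one it leaves on, so "-i br-lan -o tun+" matches LAN-to-tunnel packets only; a rule that matches just RELATED,ESTABLISHED in that direction can never pass the first packet of a LAN-initiated connection, so on its own it lets nothing through. The rule-table strings, the IPT dry-run variable and the helper function names are assumptions of this example, and the walker assumes a chain policy of DROP and models only -i, -o and --ctstate.

```shell
#!/bin/sh
# Added example (not from the ticket or OpenWrt). br-lan and tun+ are the
# interface names from the comment; everything else here is assumed.
# IPT defaults to printing the commands so the script runs without root;
# set IPT=iptables to install the rules for real.
IPT="${IPT:-echo iptables}"

# -i is the interface a packet arrived on, -o the one it leaves on, so
# "-i br-lan -o tun+" is LAN -> tunnel traffic only.
vpn_forward_rules() {
    # Replies and related flows in either direction. conntrack must already
    # hold the flow; the first packet of a new connection never matches here.
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # LAN hosts may open new connections towards the tunnel.
    $IPT -A FORWARD -i br-lan -o tun+ -m conntrack --ctstate NEW -j ACCEPT
    # A tunnel peer gets no rule for opening connections into the LAN.
    $IPT -A FORWARD -i tun+ -o br-lan -j DROP
}

# Rule tables for the walker below: "in_if out_if ctstates verdict" per
# line, "*" as wildcard, trailing "+" as an interface-name prefix.
STATEFUL_RULES='* * RELATED,ESTABLISHED ACCEPT
br-lan tun+ NEW ACCEPT
tun+ br-lan * DROP'
# The two rules quoted in the comment, each taken on its own.
LAN_TO_TUN_ANY='br-lan tun+ * ACCEPT'
LAN_TO_TUN_ESTABLISHED='br-lan tun+ RELATED,ESTABLISHED ACCEPT'

iface_match() {  # $1 rule pattern, $2 interface name
    case $1 in
        '*') return 0 ;;
        *+)  case $2 in "${1%+}"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

state_match() {  # $1 rule ctstate list, $2 packet ctstate
    [ "$1" = '*' ] && return 0
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# First-match walk of a rule table for one packet; prints the verdict.
# Assumes chain policy DROP, so no match means DROP. Illustrative only: it
# models -i/-o/--ctstate and nothing else of what netfilter does.
forward_verdict() {  # $1 rules, $2 in_if, $3 out_if, $4 ctstate
    rules=$1; in_if=$2; out_if=$3; state=$4; verdict=''
    while read -r r_in r_out r_state r_verdict; do
        iface_match "$r_in" "$in_if" || continue
        iface_match "$r_out" "$out_if" || continue
        state_match "$r_state" "$state" || continue
        verdict=$r_verdict
        break
    done <<EOF
$rules
EOF
    echo "${verdict:-DROP}"
}

# Stand-alone run: print the rule set, then the verdict for a few packets.
vpn_forward_rules
for pkt in 'br-lan tun0 NEW' 'tun0 br-lan NEW' 'tun0 br-lan ESTABLISHED'; do
    set -- $pkt
    echo "$pkt -> $(forward_verdict "$STATEFUL_RULES" "$1" "$2" "$3")"
done
```

Running it prints the three iptables commands followed by ACCEPT, DROP, ACCEPT for the three sample packets: a LAN host may open a connection over the tunnel, a tunnel peer may not open one into the LAN, and replies to LAN-initiated flows come back. Checking LAN_TO_TUN_ESTABLISHED with a NEW packet from br-lan gives DROP, which is the "it never worked" behaviour described in the comment.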
--
Ticket URL: <https://dev.openwrt.org/ticket/17690#comment:9>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
openwrt-tickets mailing list
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets